
Solved: ASA Smart Licensing Fails Due to Certificate Handshake

Problem

When attempting to register a Cisco ASA via Smart Licensing, the following syslog messages are logged and, as a result, the registration fails.

%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 40016EFB0A205CFAEBE18F71D73ABB78, subject name: cn=HydrantID Server CA O1,ou=HydrantID Trusted Certificate Service,o=IdenTrust,c=US, issuer name: cn=IdenTrust Commercial Root CA 1,o=IdenTrust,c=US .
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 40017E745D7448BB2EF502BD06330058, subject name: c=US,st=California,l=San Jose,o=Cisco Systems Inc.,cn=tools.cisco.com.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
%ASA-7-725014: SSL lib error. Function: ssl3_get_server_certificate Reason: certificate verify failed
%ASA-4-120006: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService failed. Reason: CONNECT_FAILED
%ASA-4-120005: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService was dropped. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-AGENT_REG_FAILED:Smart Agent for Licensing Registration with Cisco licensing cloud failed: Communication message send error
%ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with Cisco licensing cloud: Communication message send error

Root Cause

As per Cisco's documentation, Cisco's web servers were migrated to a different root CA. The ASA's trustpool does not contain that root (the 717009 message above shows the chain is issued by IdenTrust Commercial Root CA 1), so the server certificate presented by tools.cisco.com cannot be validated and the TLS connection to the licensing portal fails.

Solution

Enter the following command to import Cisco's trustpool bundle, which contains the root CA certificates required to connect to the licensing portal, and then complete the license registration.

crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
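As an added example, not part of the original post, the following Python script reads ASA syslog output, picks out the 717009 messages that name a certificate the ASA could not validate against any trustpoint, and reports the missing issuer together with whether the Smart Licensing registration failed (444303) and the trustpool import command given above. The embedded sample log is the output quoted in the Problem section; message IDs and field layouts are taken from those lines.

```python
import re
# ASA syslog message prefix, e.g. "%ASA-3-717009: ..."
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
# Fields of the 717009 body that identify the certificate the ASA could not validate
TRUSTPOINT_RE = re.compile(
    r"serial number: (?P<serial>[0-9A-Fa-f]+), subject name: (?P<subject>.*?), "
    r"issuer name: (?P<issuer>.*?)\s*\.?$"
)
# Sample input: the syslog lines quoted in the post, trimmed to the ones the check needs
SAMPLE_LOG = """\
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 40016EFB0A205CFAEBE18F71D73ABB78, subject name: cn=HydrantID Server CA O1,ou=HydrantID Trusted Certificate Service,o=IdenTrust,c=US, issuer name: cn=IdenTrust Commercial Root CA 1,o=IdenTrust,c=US .
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 40017E745D7448BB2EF502BD06330058, subject name: c=US,st=California,l=San Jose,o=Cisco Systems Inc.,cn=tools.cisco.com.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
%ASA-4-120006: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService failed. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-AGENT_REG_FAILED:Smart Agent for Licensing Registration with Cisco licensing cloud failed: Communication message send error
"""

def parse_events(text):
    """Yield (message_id, body) for every line that carries an ASA syslog prefix."""
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            yield m["id"], m["body"]

def diagnose(text):
    """Return a dict describing a missing-trustpoint failure, or None if none is present."""
    unvalidated = []        # certificates the ASA rejected for lack of a trustpoint
    chain_failed = False    # 717027: the whole chain was rejected
    license_failed = False  # 444303 AGENT_REG_FAILED: Smart Licensing registration failed
    for msg_id, body in parse_events(text):
        if msg_id == "717009" and "No suitable trustpoints" in body:
            m = TRUSTPOINT_RE.search(body)
            if m:
                unvalidated.append({"serial": m["serial"], "subject": m["subject"], "issuer": m["issuer"]})
        elif msg_id == "717027":
            chain_failed = True
        elif msg_id == "444303" and "AGENT_REG_FAILED" in body:
            license_failed = True
    if not unvalidated:
        return None
    return {
        "missing_issuers": sorted({c["issuer"] for c in unvalidated}),  # roots to add to the trustpool
        "rejected_certificates": unvalidated,
        "chain_failed": chain_failed,
        "license_failed": license_failed,
        # remediation command from the post
        "remediation": "crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b",
    }
```

Point `diagnose()` at the output of `show logging` from an ASA that fails to register; an empty result means the failure is not a trustpoint problem and another cause should be looked for.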

iwiizkiid

Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and, academically, he has achieved Bachelor's and Master's degrees in both Computer Networks and Cyber Security.
