Cisco AnyConnect Cannot Validate SecureAuth SHA-2 512 Certificates

Follow
    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version affected: All versions

    Description: When using a valid, SHA-2 512 ECDSA signature algorithm, SecureAuth issued user certificate against Cisco's AnyConnect client for VPN access, AnyConnect cannot validate the certificate. This issue occurs despite the fact that the proper SecureAuth root and intermediate certificate chain has been uploaded to the Cisco ASA firewall. Additionally, the issue is specific to the Windows OS and is often witnessed on only a few afflicted end-user machines.

    Cause: The Windows registry key, that controls which certificate signing algorithms are available to the machine, doesn't have SHA512 enabled.
    This is because the registry key value used in the initial installations of Windows 7, 8, and 8.1, disable the use of SHA2-512 algorithms over the Transport Layer Security (TLS) 1.2 protocol. Microsoft released a patch, later in the Windows 7, 8, and 8.1 release cycle, that corrects this.
    https://support.microsoft.com/en-us/help/2973337/sha512-is-disabled-in-windows-when-you-use-tls-1.2

    A fresh installation of Windows 10 enables the SHA2-512 by default. However, when a Windows 7, 8, or 8.1 system is upgraded to Windows 10 (not a fresh install), then the old registry key is carried over to the new OS version and the patch is never applied.


    Resolution: Update the Windows registry key value to enabled SHA512 support.

    **Disclaimer: Modifying the registry is done at your own risk. It is possible to corrupt your operating system by making incorrect changes to the registry.

    From all affected machines.
    - Open regedit.
    - Locate the following registry key value:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003\Functions

    - Add entries RSA/SHA512 and ECDSA/SHA512 to the Functions key.




    - Reboot the machine.


    Cisco AnyConnect should now be able to successfully validate our SecureAuth SHA512 certificate.

    0 out of 0 found this helpful

    Comments

    0 comments

    Please sign in to leave a comment.