For authorized use only,ou=VeriSign Trust Network,įor further information, run these debug commands while you attempt another registration. No suitable trustpoints found to validateĬertificate serial number: 513FB9743870B73440418699FF, subject name:Ĭn=Symantec Class 3 Secure Server CA - G4,ou=Symantec Trust Network,o=SymantecĬorporation,c=US, issuer name: cn=VeriSign Class 3 Public Primary Certification Authority %ASA-3-717009: Certificate validation failed. Ou=Class 3 Public Primary Certification Authority,o=VeriSign\, Inc.,c=US. For authorized use only,ou=VeriSign Trust Network,o=VeriSign\, Inc.,c=US, issuer name: No suitable trustpoints found to validateĬertificate serial number: 250CE8E030612E9F2B89F7058FD, subject name:Ĭn=VeriSign Class 3 Public Primary Certification Authority - G5,ou=(c) 2006 VeriSign\, Inc. Syslog output on the ASAv after an attempted registration will show this: %ASA-3-717009: Certificate validation failed. However, the ASAv can resolve and connect on TCP port 443 with a TCP ping. Last License Server response message: Communication message send response error Last License Server response time: Mar 22 13:26:32 2016 UTC. Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC. Registration Start Time: Mar 22 13:25:46 2016 UTC The show license registration and call-home test profile license commands show these outputs. When an attempt is made to register an ASAv to the Smart Software Licensing Portal, the registration fails with a connection or communication failure.
Specifically, the new certificate that is presented to the ASA is signed by a different Intermediate CA than the ASA expects and has preloaded.
This was determined to be a certificate-related issue. After that migration, some ASA (Adaptive Security Appliance) devices fail to connect to the Smart Software Licensing Portal (which is hosted on ) when they register an ID token or while they attempt to renew existing authorizations. This document describes how to address a change that occurred on March 2016 and October 2018, in which webservers that host were migrated to a different root Certificate Authority (CA) certificate.