Symptom
ASA interactions with syslog, smart-call-home or DDNS servers may fail with the following errors:
Oct 30 2020 20:54:32: %ASA-3-717009: Certificate validation failed. Peer certificate key usage is invalid, serial number: (cert_serial_number), subject name: (certificate_subject_name)
Oct 30 2020 20:54:32: %ASA-3-717027: Certificate chain failed validation. Certificate chain is either invalid or not authorized.
Oct 30 2020 20:54:32: %ASA-7-725014: SSL lib error. Function: ssl3_get_server_certificate Reason: certificate verify failed
Conditions
- ASA is making an SSL client connection to a syslog, smart-call-home or DDNS server
- The certificate returned by the server is configured in an ASA trustpoint
- The server certificate does not have an ExtendedKeyUsage extension
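
To triage collected ASA logs for this symptom, the following added example (not Cisco code) finds 717009 "key usage is invalid" events and checks whether 717027 and 725014 were logged at the same timestamp. The sample log is constructed from the messages above with placeholder serial and subject values, and grouping by identical timestamp is an assumption based on those messages sharing one second.

```python
import re
from collections import defaultdict

# Constructed sample: the symptom messages with placeholder serial/subject,
# plus a lone 725014 at another time that must not be reported.
SAMPLE_LOG = """\
Oct 30 2020 20:54:32: %ASA-3-717009: Certificate validation failed. Peer certificate key usage is invalid, serial number: 0123ABCD, subject name: CN=syslog.example.test
Oct 30 2020 20:54:32: %ASA-3-717027: Certificate chain failed validation. Certificate chain is either invalid or not authorized.
Oct 30 2020 20:54:32: %ASA-7-725014: SSL lib error. Function: ssl3_get_server_certificate Reason: certificate verify failed
Oct 30 2020 21:10:05: %ASA-7-725014: SSL lib error. Function: ssl3_get_server_certificate Reason: certificate verify failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-\d-(?P<msg_id>\d{6}): (?P<text>.*)$"
)
KEY_USAGE_RE = re.compile(
    r"key usage is invalid, serial number: (?P<serial>[^,]+), "
    r"subject name: (?P<subject>.+)$"
)
FOLLOW_UP_IDS = {"717027", "725014"}  # the other two messages in the symptom


def find_key_usage_failures(log_text):
    """Return one finding per 717009 key-usage failure in the log text."""
    by_ts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_ts[m["ts"]].append((m["msg_id"], m["text"]))

    findings = []
    for ts, events in by_ts.items():
        ids_at_ts = {msg_id for msg_id, _ in events}
        for msg_id, text in events:
            ku = KEY_USAGE_RE.search(text) if msg_id == "717009" else None
            if ku:
                findings.append({
                    "timestamp": ts,
                    "serial": ku["serial"].strip(),
                    "subject": ku["subject"].strip(),
                    # True only when all three symptom messages co-occur
                    "full_signature": FOLLOW_UP_IDS <= ids_at_ts,
                })
    return findings


if __name__ == "__main__":
    for finding in find_key_usage_failures(SAMPLE_LOG):
        print(finding)
```

The serial number and subject name in each finding identify the server certificate to inspect for a missing ExtendedKeyUsage extension.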