https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285290#M1078067 <P>The certificate in ASA exists by default or I have to create it somehow?</P> Wed, 03 Feb 2021 15:18:52 GMT kostasthedelegate 2021-02-03T15:18:52Z https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285246#M1078060 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>I am trying to onboard an ASA device in CDO.&nbsp;</P><P>I get the error</P><P>Certificate could not be retrieved for IPADDRESS:PORT</P><P>&nbsp;</P><P>To which certificate it refers to?<BR />How could I change it?</P> Wed, 03 Feb 2021 14:17:35 GMT https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285246#M1078060 kostasthedelegate 2021-02-03T14:17:35Z https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285250#M1078061 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/864895">@kostasthedelegate</a>&nbsp;</P> <P>It's referring to the certificate in use by ASDM for mgmt is used.</P> <P>&nbsp;</P> <P>In my experience the ASA's self-signed certificate or a public signed certificate works, but a certificate issued by an internal CA (i.e. Windows CA) does not work.</P> Wed, 03 Feb 2021 14:23:05 GMT https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285250#M1078061 Rob Ingram 2021-02-03T14:23:05Z https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285252#M1078062 <P>Ok But I use the ethernet port 1/1 that has a public IP to connect to CDO.</P><P>I do not use the management port</P><P>What should I do?</P> Wed, 03 Feb 2021 14:26:57 GMT https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285252#M1078062 kostasthedelegate 2021-02-03T14:26:57Z https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285262#M1078063 <P>Are you permitting http access from the CDO networks to the outside interface?</P> <P>&nbsp;</P> <P>Example (the address below are the EU CDO servers):</P> <PRE class="wp-block-preformatted"><SPAN style="font-size: 10pt;">http 35.157.12.126 255.255.255.255 outside</SPAN> <SPAN style="font-size: 10pt;">http 35.157.12.15 255.255.255.255 outside http server enable 8443</SPAN></PRE> <P>&nbsp;</P> Wed, 03 Feb 2021 14:43:26 GMT https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285262#M1078063 Rob Ingram 2021-02-03T14:43:26Z https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285276#M1078064 <P>I had put these ones&nbsp;</P><P><SPAN>52.25.109.29,&nbsp;52.34.234.2,&nbsp;52.36.70.147</SPAN></P><P><SPAN>I added the ones you mentioned but still I&nbsp;get the same</SPAN></P> Wed, 03 Feb 2021 14:58:34 GMT https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285276#M1078064 kostasthedelegate 2021-02-03T14:58:34Z https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285290#M1078067 <P>The certificate in ASA exists by default or I have to create it somehow?</P> Wed, 03 Feb 2021 15:18:52 GMT https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285290#M1078067 kostasthedelegate 2021-02-03T15:18:52Z https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285295#M1078068 <P>Yes, it should have a self-signed certificate.</P> <P>Do you have a trustpoint enabled on the outside interface?</P> <P>Have you enable the certificate on the correct port and configured in CDO using the correct port (as configured on the ASA)?</P> <PRE class="wp-block-preformatted"><SPAN style="font-size: 10pt;"><EM>ssl trust-point TP OUTSIDE</EM></SPAN></PRE> <P>Run a packet capture and confirm traffic is being received.</P> Wed, 03 Feb 2021 15:25:09 GMT https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285295#M1078068 Rob Ingram 2021-02-03T15:25:09Z https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285357#M1078076 <P>Thanks for the help&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;&nbsp;</P><P>It seems the issue was with the access on HTTP management.&nbsp;</P><P>I allowed everything temporarily and it worked.&nbsp;</P><P>&nbsp;</P> Wed, 03 Feb 2021 16:31:28 GMT https://community.cisco.com/t5/network-security/cdo-and-device-certificate/m-p/4285357#M1078076 kostasthedelegate 2021-02-03T16:31:28Z