topic Re: ASA: Problems when a certificate for AnyConnect users expired in Network Security

ASA: Problems when a certificate for AnyConnect users expired

swscco001 — Sun, 11 Jul 2021 07:54:49 GMT

Hello everybody,

today I have a problem with certificates on the ASA running 9.8(4)32
for AnyConnect (4.9.05042) users.

The self-signed certificate expired recently and since that time the
AnyConnect users get the AnyConnect "Security Warning: Untrusted Server Certificate"
(see attached). The customer clicked 'Connect anyway' and could login.

I indicated the properties of the expired certificate and generated
a new self-signed certificate with same properties Common Name (CN) etc.
following the guide on:
https://asame2.blogspot.com/2018/06/how-to-generate-self-signed-certificate.html
with expiry date in 2031 and assigned it to the outside interface.

At next login attempt the customer gets the AnyConnect "Security Warning:
Untrusted Server Certificate" again but this time with option to import
the certificate (see attached).

But when he chosed this option and clicked 'Connect anyway' he could not
login at all anymore.

I assigned the expired certificate to the outside interface and then the
customer could login in again after clicking 'Connect anyway'.

My questions:

1. Is tere a relation between the Common Name (CN) and the VPN server
that the user has in the AnyConnect client before he click 'Connect'?

2. Could it be that the import did not work correctly that way?

3. Is there a step to step guide what's to do when a certificate
expired?

Every hint is very welcome.

Thanks a lot!

Bye
R.

Re: ASA: Problems when a certificate for AnyConnect users expired

balaji.bandi — Mon, 12 Jul 2021 08:26:34 GMT

You are use Dynadns as FQDN ? do you have Public Cert for this ?

if you are using self signed, the Certificate need to be pushed to all clients, this is mostly done with your Centralised Windows update system what you have.

or user need to check that box and install cert so user will not get any error. (this is not recommended)

Re: ASA: Problems when a certificate for AnyConnect users expired

Marvin Rhoads — Mon, 12 Jul 2021 02:17:36 GMT

Generally speaking, we should never use a self-signed certificate outside of a lab environment. So replacing the expired certificate from a known Certificate Authority (CA) with a self-signed one is not a recommended practice.

The correct practice would be to either:

a. renew the certificate from the same CA or

b. generate a new Certificate Signing Request (CSR), submit it the CA, get a new CA-issued certificate and install it.