topic Re: Cert for ASA in Network Security

Cert for ASA

james.king14 — Fri, 21 Feb 2020 16:05:18 GMT

Hello ,

we have a ASA5585-x that has our VPN. Recently we started get the "Invaild Cert" when users connect. I brought a new Godaddy Cert and had one of the other tech install the information. After doing the CSR for the ASA and getting the Godaddy bundle we are still have that problem. I have checked the identity cert and found only self-signed certs. In my ca cert section I see the Godaddy cert! I have the document on installing cert so what am I missing?

Re: Cert for ASA

croll9898 — Thu, 09 Aug 2018 19:33:17 GMT

Here's a great article for setting up the certificate.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

Without knowing you're full configuration, I would verify the following:

1. You have a DNS entry for the FQDN on the certificate.

2. Verify the correct certificate is configured on the correct interface (Configuration>Remote Access VPN>Advanced>SSL Settings)

3. Verify you're users are going to the FQDN on the certificate and not the public IP or a different FQDN.

Re: Cert for ASA

james.king14 — Thu, 09 Aug 2018 20:44:33 GMT

Thanks for the quick reply.

all of those settings have been triple checked. I think my issue is that the old CA cert was changed and is being used as the default. The naming convention for the ASA is the same but different since we had a name change. I am contacting Godaddy to get rekeyed. That way I can start from the beginning.

Re: Cert for ASA

Dennis Mink — Fri, 10 Aug 2018 04:10:36 GMT

have you verified that the client that try to connect have all the intermediate certs that are used in the new Godaddy cert?

Re: Cert for ASA

Marvin Rhoads — Fri, 10 Aug 2018 04:29:45 GMT

Your site https://srhvpn.srh.noaa.gov/ is currently showing the certificate from the SRH root CA, not the one from GoDaddy.

Check that you have bound the GoDaddy certificate to the outside interface:

ssl trust-point ASDM_TrustPoint7 outside

(assuming the nameif is "outside")

Re: Cert for ASA

Jerome BERTHIER — Fri, 10 Aug 2018 12:07:54 GMT

Does the CA certificat contain a chain of certicate (CA root and subsequent CA intermediate) ?

If yes than you have to install all certificate in this chain separetely in the ASA under Configuration > Device Management > Certificate Management > CA Certificates.

If you installed the CA certificate containing the chain, I guess it won't be recognized on clients.

Regards

Re: Cert for ASA

james.king14 — Fri, 10 Aug 2018 13:10:19 GMT

Hi Dennis,

Yes all client have the intermediate cert loaded on deivice.

Re: Cert for ASA

james.king14 — Fri, 10 Aug 2018 13:12:19 GMT

Marvin,

That is the real issue. I have rekeyed the ASA with the godaddy cert this
morning and still get the same error

Re: Cert for ASA

james.king14 — Fri, 10 Aug 2018 13:15:19 GMT

Jerome,

Thanks for the reply,

I have made sure that the CA chain is there on the ASA and the laptop. At
the moment the problem is loading the new cert.

Re: Cert for ASA

Jerome BERTHIER — Fri, 10 Aug 2018 13:21:28 GMT

Yes but

1) did you install a single CA certificate concatening the chain from root to the final intermediate CA ?

2) or did you install each CA certificate needed from root to the final intermediate CA ?

To my mind, the good option to get it working is the option 2.

Regards

Re: Cert for ASA

james.king14 — Fri, 10 Aug 2018 13:31:19 GMT

Jerome,

If I am correct when using GoDaddy you have to install one in the CA cert
(which is the bundle ) and the other cert under Identity! Please correct
me if I am wrong, but when using the ASDM you only have those options.

Re: Cert for ASA

james.king14 — Fri, 10 Aug 2018 13:33:30 GMT

Re: Cert for ASA

Jerome BERTHIER — Fri, 10 Aug 2018 13:52:13 GMT

Its quite simple to install a certificate :

1) generate a CSR request (and a key pair if needed)

2) go to sign it from your SSL certificate provider

3) install each CA certificate :

Configuration > Device Management > Certificate Management > CA Certificates

4) install server certificate (signed from your SSL certificate provider) :

Configuration > Device Management > Certificate Management > Identity Certificates

5) choose the new certificate to apply it to your SSL interface :

Configuration > Remote Access VPN > Advanced > SSL Settings

On step 3, I think that you cannot use a single CA certificate file if it contains more than one CA certificate (chain bundle).

Instead, you have to retreive each CA certificate depending on which root signed your server certificate :

https://certs.godaddy.com/repository/

Then import each one.

If the chain contains for example, three certs : CA root, CA intermediate 1 (signed from CA root) and CA intermediate 2 (signed from CA intermediate 1) then you should have those three certificates separately under Certificate Management > CA Certificates.

Regards

Re: Cert for ASA

croll9898 — Fri, 10 Aug 2018 14:01:37 GMT

Check out this article to verify you're generating the correct request (General Usage vs Usage Key)

https://community.cisco.com/t5/other-security-subjects/problems-importing-ssl-certificate-to-asa-7-2/td-p/905671

On a side note, what type of machines will be utilizing the VPN? We're using an internally generated certificate (similar to the current certificate on srhvpn.srh.noaa.gov) since our policy is only Active Directory Domain joined machines can access our AnyConnect VPN. In that case, you can use Group Policy to install the SR Root CA on each machine and that should fix the trust issue.

You can also test this out by installing the SR Root CA locally (which I did and I'm no longer getting the error).

Re: Cert for ASA

james.king14 — Fri, 10 Aug 2018 17:49:58 GMT

Jerome,

After following the prescribed settings for adding the Identity cert. Step #4 is where I am having the issue. I even tried to paste the base-64 into the box. Still says that the failed to parse data and that the public Key is

Re: Cert for ASA

croll9898 — Mon, 13 Aug 2018 13:35:32 GMT

Could you detail how you are generating your CSR/Key Pair in step one by providing a screen shot of the following?

Image attached.

Re: Cert for ASA

james.king14 — Mon, 13 Aug 2018 13:44:47 GMT

Here are the errors

Re: Cert for ASA

croll9898 — Mon, 13 Aug 2018 13:52:32 GMT

I understand those are the errors, but I'm trying to determine which key pair you're using to generate your request.

If you go to Device Management>Certificate Management>Identity Management and then select "Add" in the top right a new window should appear. In that window, if you select the radio button for "Add a new identity certificate", select the Key Pair you used to generate the CSR and then select "Show", that will show details of the Key Pair.

I'm looking for the first four details listed in that window. You can also reference the screen shot from my previous post.

Re: Cert for ASA

james.king14 — Mon, 13 Aug 2018 14:01:21 GMT

This is the same keypair name that is already saved into the ASA and used
with CSR. Does that not override the CSR I already have made for my
identity cert sent to third party provider?

Re: Cert for ASA

james.king14 — Mon, 13 Aug 2018 14:05:56 GMT

here is the