https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470486#M651946 <HTML><HEAD></HEAD><BODY><P>Hi Trent,</P><P></P><P>Can you try removing then reapplying the keypair "CA" in the trustpoint configuration then try enrolling it again?</P><P></P><P>Thanks,</P><P></P><P>Loren</P></BODY></HTML> Wed, 25 Aug 2010 02:34:23 GMT Loren Kolnes 2010-08-25T02:34:23Z https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470483#M651943 <P>I am tryin to generate a self signed certificate for Indentity Certificates, and keep coming up with the wrong domain name. The "Issued To" and "Issued by" both refer to the incorrect domain.</P><P></P><P>In the config, the correct domain name can be found in:</P><PRE><STRONG>domain-name </STRONG></PRE><PRE><STRONG>dns server-group DefaultDNS<BR />group-policy DefaultRAGroup attributes<BR />group-policy DefaultRAGroup_1 attributes</STRONG><BR /><BR />However, the incorrect domain name can not be found anywhere in the config. I have removed any and all <BR />certificates already issued. I see no configuration what so ever refering to any certificates, CA, Local-CA, <BR />trustpoints, etc..<BR /><BR />But when I go back again to create a new self signed Identity cert, I still get the OLD domain. If I go to advanced<BR />options I can fill out the FQDN and IP. The FQDN will be ASA5510.CorrectDomain.com. But of course what will be issued<BR />is ASA5510.NOTTHECORRECTONE.com<BR /><BR />The domain name that is showing up is one that was first used when the device arrived and I created an initial<BR />configuration just to get the device on a network to access. Since that time the original config has long since<BR />been erased with a brand new config added line by line. Yet still this ghost from the original keeps showing up.<BR />Where is it finding this?<BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /><BR /></PRE> Mon, 11 Mar 2019 18:30:13 GMT https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470483#M651943 TRENT WAITE 2019-03-11T18:30:13Z https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470484#M651944 <HTML><HEAD></HEAD><BODY><P>Hi Trent,</P><P></P><P>Can you tell me what version the ASA is running.</P><P>Can you also capture the following information:</P><P></P><P>show run all | inc [olddomainname]</P><P>sh run all cry ca trustpoint</P><P></P><P>Thanks</P><P></P><P>Loren</P></BODY></HTML> Wed, 25 Aug 2010 00:35:06 GMT https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470484#M651944 Loren Kolnes 2010-08-25T00:35:06Z https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470485#M651945 <HTML><HEAD></HEAD><BODY><P>ASA Version 8.2(3)</P><P></P><P>If I run "<STRONG>show run all | inc icontrol.com</STRONG>" I get no output. If I run "<STRONG>show run all</STRONG>" and then copy over to Wordpad and run a search I get nothing in reference to old domain, but do get references for the new domain.</P><P></P><P>In the attached txt file is the results of the "<STRONG>show run all</STRONG>". The old domain name is "icontrol.com". I replaced in the text file the new domain name with "icshxxx.com", however that is the only thing that was replaced. There is no reference what so ever to icontrol.com.</P><P></P><P>Yet after running this command, seeing no reference what so ever, I decided to say what the heck and tried it again. Sure enough the self created Identity Cert created had the domain name "<STRONG>icontrol.com</STRONG>", and not "icshxxx.com". However, if you look at the ADSM it clearly shows that the Issue to and Issue by as "<STRONG>ASA5510.icontrol.com</STRONG>". But running the "<STRONG>sh run all cry ca trustpoin</STRONG>t" shows nothing for Trustpoint0 in regards to the domain.</P><P></P><P>ASA5510# show run all | inc icontrol.com<BR />ASA5510# sh run all cry ca trustpoint<BR />crypto ca trustpoint ASDM_TrustPoint0<BR /> revocation-check none<BR /> enrollment retry period 1<BR /> enrollment retry count 0<BR /> enrollment self<BR /> <STRONG>no fqdn<BR /> no email</STRONG><BR /> subject-name CN=ASA5510<BR /> no serial-number<BR /> <STRONG>no ip-address</STRONG><BR /> no password<BR /> keypair CA<BR /> client-types ipsec ssl<BR /> accept-subordinates<BR /> id-cert-issuer<BR /> id-usage ssl-ipsec<BR /> no ignore-ipsec-keyusage<BR /> no ignore-ssl-keyusage<BR /> proxy-ldc-issuer<BR /> crl configure<BR />&nbsp; policy cdp<BR />&nbsp; cache-time 60<BR />&nbsp; enforcenextupdate<BR />&nbsp; protocol http<BR />&nbsp; protocol ldap<BR />&nbsp; protocol scep<BR />ASA5510#</P><P></P><P>I did clear the ASDM cache, and restarted ASDM. It still shows "<STRONG>ASA5510.icontrol.com</STRONG>" and not "<STRONG>ASA5510.icshrff.com</STRONG>". Also, if I go to the Advanced tab and enter in the FQDN, e-mail address, and IP address, it will not be applied.</P></BODY></HTML> Wed, 25 Aug 2010 01:14:50 GMT https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470485#M651945 TRENT WAITE 2010-08-25T01:14:50Z https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470486#M651946 <HTML><HEAD></HEAD><BODY><P>Hi Trent,</P><P></P><P>Can you try removing then reapplying the keypair "CA" in the trustpoint configuration then try enrolling it again?</P><P></P><P>Thanks,</P><P></P><P>Loren</P></BODY></HTML> Wed, 25 Aug 2010 02:34:23 GMT https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470486#M651946 Loren Kolnes 2010-08-25T02:34:23Z https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470487#M651947 <HTML><HEAD></HEAD><BODY><P>Thanks for your help Loren. I have the problem solved now, the solution was to reload the OS. I shut down the ASA last night, and had the CA's removed. Loaded up the ASA today, looked at the config and there was nothing relating to certs between isakmp crypto to SSH. I then used the ASDM to add a new Identity cert and it shows up with the correct domain.</P><P></P><P>I have a 5505 that had the same problem, and I did the same steps I used with this 5510. The 5505's issue was resolved when removing the CA's, certs,&nbsp; and Trustpoints, but I never had to reload or restart that unit. So it did not occur to me that doing this would solve the 5510's issue. Well one less issue to worrry about <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Wed, 25 Aug 2010 18:17:57 GMT https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470487#M651947 TRENT WAITE 2010-08-25T18:17:57Z https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470488#M651948 <HTML><HEAD></HEAD><BODY><P>Hi Trent,</P><P></P><P>Glad to hear you got this working.</P><P>Just FYI in my recreate removing and reapplying the keypair resolved this.</P><P></P><P>Thanks,</P><P></P><P>Loren</P></BODY></HTML> Wed, 25 Aug 2010 23:50:45 GMT https://community.cisco.com/t5/network-security/wrong-domain-for-self-signed-id-cert/m-p/1470488#M651948 Loren Kolnes 2010-08-25T23:50:45Z