We have an ASA 5585-X that has our VPN. Recently we started getting the "Invalid Cert" error when users connect. I bought a new GoDaddy cert and had one of the other techs install the information. After doing the CSR for the ASA and getting the GoDaddy bundle we are still having that problem. I have checked the identity cert and found only self-signed certs. In my CA cert section I see the GoDaddy cert! I have the document on installing certs, so what am I missing?
Wow, after rereading that last post about the CN I found my issue. In the Advanced Options when making the Identity Cert there is the certificate parameter that needs to be changed. By default it uses the DNS of the device. I had to change that to the DNS of the VPN to make it work.
Here's a great article for setting up the certificate.
Without knowing your full configuration, I would verify the following:
1. You have a DNS entry for the FQDN on the certificate.
2. Verify the correct certificate is configured on the correct interface (Configuration > Remote Access VPN > Advanced > SSL Settings).
3. Verify your users are going to the FQDN on the certificate and not the public IP or a different FQDN.
Thanks for the quick reply.
All of those settings have been triple checked. I think my issue is that the old CA cert was changed and is being used as the default. The naming convention for the ASA is the same but different since we had a name change. I am contacting GoDaddy to get it rekeyed. That way I can start from the beginning.
Have you verified that the clients that try to connect have all the intermediate certs that are used in the new GoDaddy cert?
Your site https://srhvpn.srh.noaa.gov/ is currently showing the certificate from the SRH root CA, not the one from GoDaddy.
Check that you have bound the GoDaddy certificate to the outside interface:
ssl trust-point ASDM_TrustPoint7 outside
(assuming the nameif is "outside")
Does the CA certificate contain a chain of certificates (CA root and subsequent CA intermediates)?
If yes, then you have to install all certificates in this chain separately in the ASA under Configuration > Device Management > Certificate Management > CA Certificates.
If you installed the CA certificate containing the chain, I guess it won't be recognized on clients.
1) Did you install a single CA certificate concatenating the chain from root to the final intermediate CA?
2) Or did you install each CA certificate needed from root to the final intermediate CA?
To my mind, the right option to get it working is option 2.
Check out this article to verify you're generating the correct request (General Usage vs Usage Key)
On a side note, what type of machines will be utilizing the VPN? We're using an internally generated certificate (similar to the current certificate on srhvpn.srh.noaa.gov) since our policy is only Active Directory Domain joined machines can access our AnyConnect VPN. In that case, you can use Group Policy to install the SR Root CA on each machine and that should fix the trust issue.
You can also test this out by installing the SR Root CA locally (which I did and I'm no longer getting the error).
It's quite simple to install a certificate:
1) Generate a CSR request (and a key pair if needed).
2) Go and get it signed by your SSL certificate provider.
3) Install each CA certificate:
Configuration > Device Management > Certificate Management > CA Certificates
4) Install the server certificate (signed by your SSL certificate provider):
Configuration > Device Management > Certificate Management > Identity Certificates
5) Choose the new certificate to apply it to your SSL interface:
Configuration > Remote Access VPN > Advanced > SSL Settings
On step 3, I think that you cannot use a single CA certificate file if it contains more than one CA certificate (chain bundle).
Instead, you have to retrieve each CA certificate depending on which root signed your server certificate:
Then import each one.
If the chain contains, for example, three certs: CA root, CA intermediate 1 (signed by CA root) and CA intermediate 2 (signed by CA intermediate 1), then you should have those three certificates separately under Certificate Management > CA Certificates.
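The two posts above both say the provider's chain bundle has to be imported as individual CA certificates rather than as one file. The script below is an added example (not from any poster or from Cisco) that splits such a bundle into separate PEM blocks in file order, rejects a truncated or corrupt block, and computes each block's SHA-256 fingerprint for comparison with the CA's published value; the sample bundle is constructed with placeholder bodies, not real certificates.

```python
import base64
import binascii
import hashlib
import re

# Matches one PEM certificate block; CRLF tolerated because downloaded bundles
# often have Windows line endings.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_pem_bundle(bundle_text):
    """Return the certificates in the bundle, in file order, as clean PEM strings.

    Raises ValueError when BEGIN/END markers are unbalanced (truncated file)
    or when a block's base64 body is not valid."""
    if bundle_text.count("-----BEGIN CERTIFICATE-----") != bundle_text.count(
        "-----END CERTIFICATE-----"
    ):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE markers; bundle truncated?")
    certs = []
    for match in PEM_BLOCK.finditer(bundle_text):
        body = "".join(match.group(1).split())  # drop CRLF and stray whitespace
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {len(certs) + 1}: bad base64 body") from exc
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # rewrap at 64 cols
        certs.append(
            "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
        )
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs

def der_fingerprint(pem_cert):
    """Hex SHA-256 over the DER bytes of one PEM certificate."""
    body = "".join(PEM_BLOCK.search(pem_cert).group(1).split())
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

# Constructed sample bundle: three placeholder blocks standing in for the root,
# intermediate 1 and intermediate 2. The bodies are base64 of short strings,
# not real certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\nUk9PVCBDQQ==\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nSU5URVJNRURJQVRFIDE=\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nSU5URVJNRURJQVRFIDI=\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    for n, cert in enumerate(split_pem_bundle(SAMPLE_BUNDLE), start=1):
        print(f"ca_{n}.pem  sha256={der_fingerprint(cert)}")
```

Each returned block can be saved to its own file and imported one at a time under CA Certificates.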