Beginner

Cert for ASA

Hello ,

 

We have an ASA5585-X that has our VPN.  Recently we started getting the "Invalid Cert" error when users connect.  I bought a new GoDaddy cert and had one of the other techs install the information.  After doing the CSR for the ASA and getting the GoDaddy bundle we still have that problem.  I have checked the identity cert and found only self-signed certs.  In my CA cert section I see the GoDaddy cert!  I have the document on installing certs, so what am I missing?

Accepted Solution
Beginner

Re: Cert for ASA

Wow, after rereading that last post about the CN I found my issue.  In the Advanced Options when making the Identity Cert there is the certificate parameter that needs to be changed.  By default it uses the DNS name of the device.  I had to change that to the DNS name of the VPN to make it work.

26 Replies
Beginner

Re: Cert for ASA

Here's a great article for setting up the certificate.

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

 

Without knowing your full configuration, I would verify the following:

1.  You have a DNS entry for the FQDN on the certificate.

2.  Verify the correct certificate is configured on the correct interface (Configuration>Remote Access VPN>Advanced>SSL Settings)

3.  Verify your users are going to the FQDN on the certificate and not the public IP or a different FQDN.

 

 

Beginner

Re: Cert for ASA

Thanks for the quick reply.  

all of those settings have been triple checked.  I think my issue is that the old CA cert was changed and is being used as the default.  The naming convention for the ASA is the same but different since we had a name change.  I am contacting Godaddy to get rekeyed.  That way I can start from the beginning.   

VIP Advisor

Re: Cert for ASA

Have you verified that the clients that try to connect have all the intermediate certs that are used in the new GoDaddy cert?

Please remember to rate useful posts, by clicking on the stars below.

Beginner

Re: Cert for ASA

Hi Dennis,



Yes, all clients have the intermediate cert loaded on the device.


Hall of Fame Master

Re: Cert for ASA

Your site https://srhvpn.srh.noaa.gov/ is currently showing the certificate from the SRH root CA, not the one from GoDaddy.

 

Check that you have bound the GoDaddy certificate to the outside interface:

 

ssl trust-point ASDM_TrustPoint7 outside

(assuming the nameif is "outside")

 

Beginner

Re: Cert for ASA

Marvin,



That is the real issue. I have rekeyed the ASA with the GoDaddy cert this morning and still get the same error.


Re: Cert for ASA

Hi

 

Does the CA certificate contain a chain of certificates (CA root and subsequent CA intermediates)?

If yes, then you have to install each certificate in this chain separately in the ASA under Configuration > Device Management > Certificate Management > CA Certificates.

If you installed the CA certificate containing the chain, I guess it won't be recognized on clients.

 

Regards

Beginner

Re: Cert for ASA

Jerome,



Thanks for the reply,



I have made sure that the CA chain is there on the ASA and the laptop. At the moment the problem is loading the new cert.



Re: Cert for ASA

Yes but

1) did you install a single CA certificate concatenating the chain from root to the final intermediate CA?

2) or did you install each CA certificate needed from root to the final intermediate CA ?


To my mind, the good option to get it working is the option 2.


Regards

 

 

Beginner

Re: Cert for ASA

Jerome,



If I am correct, when using GoDaddy you have to install one in the CA cert (which is the bundle) and the other cert under Identity! Please correct me if I am wrong, but when using the ASDM you only have those options.






Beginner

Re: Cert for ASA

Check out this article to verify you're generating the correct request (General Usage vs Usage Key)

 

https://community.cisco.com/t5/other-security-subjects/problems-importing-ssl-certificate-to-asa-7-2/td-p/905671

 

On a side note, what type of machines will be utilizing the VPN?  We're using an internally generated certificate (similar to the current certificate on srhvpn.srh.noaa.gov) since our policy is only Active Directory Domain joined machines can access our AnyConnect VPN.  In that case, you can use Group Policy to install the SR Root CA on each machine and that should fix the trust issue.

 

You can also test this out by installing the SR Root CA locally (which I did and I'm no longer getting the error).

 

 

 

 

Re: Cert for ASA

It's quite simple to install a certificate:

1) generate a CSR request (and a key pair if needed)

2) go to sign it from your SSL certificate provider

3) install each CA certificate :

Configuration > Device Management > Certificate Management > CA Certificates

4) install server certificate (signed from your SSL certificate provider) :

Configuration > Device Management > Certificate Management > Identity Certificates

5) choose the new certificate to apply it to your SSL interface :

Configuration > Remote Access VPN > Advanced > SSL Settings

 

On step 3, I think that you cannot use a single CA certificate file if it contains more than one CA certificate (chain bundle).

Instead, you have to retrieve each CA certificate depending on which root signed your server certificate:

https://certs.godaddy.com/repository/

Then import each one.

If the chain contains for example, three certs : CA root, CA intermediate 1 (signed from CA root) and CA intermediate 2 (signed from CA intermediate 1) then you should have those three certificates separately under Certificate Management > CA Certificates.

 

Regards

Beginner

Re: Cert for ASA

Jerome,

 

After following the prescribed settings for adding the Identity cert, step #4 is where I am having the issue.  I even tried to paste the base-64 into the box.  It still says that it failed to parse the data and that the public key is