Certificate Error during Posture Unknown State

AIN UL BADAR (Level 4)

Hello folks,

I'm getting the attached certificate error message/warning the moment I open up IE on Windows 10. I'm doing Posture with ISE 2.4.

The switch pushes the redirect URL and AnyConnect pops up an option to choose the browser, i.e. either IE or Chrome.

When I open up IE, it shows this error message. This error is confusing to me, because ISE and the website in the image (the one IE automatically tries to open) have both been provisioned certificates by the same Sub-CA.

The Sub-CA and Root CA are internal CAs and are trusted by IE in its certificate store under "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" respectively.

How can I fix it?

Appreciate the help.

Thanks

Ain

5 Replies

AIN UL BADAR (Level 4)

Error codes:
DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID

Damien Miller (VIP Alumni)
Look in the certificate details. It's likely that "blueflash.bankoh.net" is not present as a Subject Alternative Name (SAN).

The cert needs to be signed for any URL you use, not just the server hostnames that present it.

Thank you. I mistakenly hit the Solution button. The problem is still there.


Found out that the website has a wildcard in the CN field. I read in the documentation that Microsoft doesn't support certificates with wildcards in the CN field; instead the cert can have a wildcard in the SAN field.

BUT this is not the problem, because when we browse internally to that website (without Posture/redirect), it doesn't throw any error message. So why is it sending a warning message upon redirect?


Thanks for your help.

Ain

There have been issues with Microsoft workstations that have the wildcard in the CN, so it is definitely not recommended. I have used them successfully in deployments with the wildcard in the SAN.

Can you share a couple screenshots of the certificate details, specifically the Subject field and the Subject Alternative Name field?
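The two replies above boil down to one check: does the hostname in every URL of the redirect chain (the ISE portal and the site the endpoint is then sent to) appear in the certificate that server presents, and does it appear in the SAN rather than only as a wildcard CN? The script below is an added example, not something posted in this thread or shipped with ISE. It implements the RFC 6125 matching rule (exact match, or a wildcard only as the whole leftmost label; CN ignored once a SAN dNSName is present) and models the "wildcard in CN is not accepted" behaviour discussed above as an opt-in flag, which is an assumption about the Windows/IE matcher rather than a quote from Microsoft documentation. All hostnames and certificate contents are constructed placeholders, not the poster's real certificates.

```python
"""Hostname-vs-certificate name check for an ISE posture redirect chain (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CertNames:
    """Only the naming fields of a certificate matter for this check."""
    subject_cn: Optional[str]                          # Subject CN (may itself be a wildcard)
    san_dns: List[str] = field(default_factory=list)   # dNSName entries of the SAN extension


def from_peercert(peercert: dict) -> CertNames:
    """Build CertNames from the dict returned by ssl.SSLSocket.getpeercert()."""
    cn = None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return CertNames(cn, sans)


def pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: exact, or a wildcard that is the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False            # partial wildcards such as "blue*.example.net" are not honoured
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3:
        return False            # refuse "*.net": the wildcard must sit under at least two labels
    if len(p_labels) != len(h_labels):
        return False            # "*.example.net" covers neither "example.net" nor "a.b.example.net"
    return p_labels[1:] == h_labels[1:]


def name_matches(cert: CertNames, hostname: str, allow_wildcard_cn: bool = False) -> bool:
    """Decide whether `hostname` is covered by the certificate's names.

    With any dNSName in the SAN, only the SAN is consulted and the CN is ignored
    (RFC 6125). Without a SAN the CN is the fallback, but a wildcard CN is rejected
    unless the caller opts in; this mirrors the Windows/IE behaviour discussed in
    the thread and is an assumption, not a quote from a specification.
    """
    if cert.san_dns:
        return any(pattern_matches(p, hostname) for p in cert.san_dns)
    if not cert.subject_cn:
        return False
    if cert.subject_cn.startswith("*") and not allow_wildcard_cn:
        return False
    return pattern_matches(cert.subject_cn, hostname)


def check_redirect_chain(hops: List[Tuple[str, CertNames]]) -> List[str]:
    """Return the hostnames in the redirect chain whose presented cert does not cover them.

    Each hop is (URL the client is sent to, certificate the server at that URL presents).
    Any non-empty result corresponds to a name-mismatch warning in the browser.
    """
    bad = []
    for url, cert in hops:
        host = urlsplit(url).hostname
        if host and not name_matches(cert, host):
            bad.append(host)
    return bad


if __name__ == "__main__":
    # Constructed sample data; the names are placeholders, not the poster's real certificates.
    ise_cert = CertNames("ise01.example.net", ["ise01.example.net"])
    site_cert_cn_only = CertNames("*.example.net", [])                   # wildcard in CN, no SAN
    site_cert_san = CertNames("*.example.net", ["*.example.net"])        # wildcard moved into SAN
    chain = [("https://ise01.example.net:8443/portal/gateway?portal=posture", ise_cert),
             ("https://blueflash.example.net/", site_cert_cn_only)]
    print(check_redirect_chain(chain))                                    # ['blueflash.example.net']
    chain[1] = ("https://blueflash.example.net/", site_cert_san)
    print(check_redirect_chain(chain))                                    # []
```

To feed real data into this, open a TLS connection to each server with `ssl.create_default_context().wrap_socket(...)`, pass the result of `getpeercert()` to `from_peercert`, and pair it with the URL the client was actually redirected to (the redirect URL the switch pushes, including the port, is the one to test, not the server's own name).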

Attached are the certs. One is from the website (the one the endpoint automatically tries to go to upon URL redirect) and the other one is from ISE.

Sorry, I had to mask the details a little bit, but I hope you'll get the point.

Let me know if you need anything else.

Thanks for your help.

Ain

Attachments: ISE System Cert.PNG, Blueflash Cert 1.PNG, Blueflash Cert 2.PNG
