Re: Adding GoDaddy cert to ASA5585-x

james.king14 · ‎08-16-2023

While trying to load new CA cert to ASA via ASDM found an issue. Manually installing CA cert, was able to add the CA cert but did not recognize the Identity Cert information. Using this document and still could not load certs since the Identity cert never showed up in ASDM. Followed instructions until step 11, afterwards nothing worked. I added a trustpoint to try to manually.

https://www.godaddy.com/help/manually-install-an-ssl-certificate-on-my-cisco-asa-5500-vpnfirewall-32070

balaji.bandi · ‎08-17-2023

what kind of cert for this ? for VPN ?

follow below guide :

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

james.king14 · ‎08-17-2023

Good Morning

Why yes it is for the VPN!

Marius Gunnerud · ‎08-17-2023

Have you downloaded and installed the CA certificate chain?

Run the following commands:

show crytpo ca trustpoints GD_2024

show crypto ca certificate GD_2024

if the ca trustpoint is showing as Not Authenticated you could try running "crypto ca authenticate GD_2024" without the quotes. This should bind the CA certificate to the identity certificate.

--
Please remember to select a correct answer and rate helpful posts

james.king14 · ‎08-17-2023

Marius,

That is the point it is showing that it is with GD_2024.

sh crypto ca trustpoints GD_2024

Trustpoint GD_2024:

Configured for self-signed certificate generation.

ASA# sh crypto ca cert GD_2024

Certificate

Status: Available

Certificate Serial Number: 5123f563

Certificate Usage: General Purpose

Public Key Type: RSA (2048 bits)

Signature Algorithm: SHA256 with RSA Encryption

Issuer Name:

hostname=srh-net-1111-105.sr.nws.noaa.gov

cn=srhvpn.srh.noaa.gov

ou=NWS

o=NOAA

c=US

st=TX

l=Fort Worth

e=james.king@noaa.gov

Subject Name:

hostname=asa.sr.nws.noaa.gov

cn=asa.srh.noaa.gov

ou=NWS

o=NOAA

c=US

st=TX

l=Fort Worth

e=james.king@noaa.gov

Validity Date:

start date: 13:51:55 UTC Jul 5 2023

end date: 13:51:55 UTC Jul 2 2033

Storage: config

Associated Trustpoints: GD_2024

Marius Gunnerud · ‎08-17-2023

First off, I just assumed that this is the certificate you were talking about as it was highlighted and from the name. From the looks of it you have created a self-signed certificate as there is no Issuer Name. I would expect to see GoDaddy in the Issuer Name section.

How did you create the CSR ? and did you get it signed by GoDaddy yourself or did you send it to someone else to do the signing?

--
Please remember to select a correct answer and rate helpful posts

james.king14 · ‎08-17-2023

Marius,

I created the self sign after I got the GoDaddy bundle, because the
identity cert appear. Yes I did a self signing for this. Should I delete
this one and add a new one? Please advise!

Marius Gunnerud · ‎08-17-2023

Since it seems like you want to use a 3rd party cert for the VPN connections, I would suggest creating a new CSR, get it signed by GoDaddy, and then download the signed identity cert along with the full certificate chain (i.e. any and all root, intermediate and subordinate certificates). First import all the CA trusted certificates, and then complete the CSR binding. I suggest doing all this via the ASDM as it is a much easier process.

Once you have imported the identity certificate, you can replace the certificate currently being used by AnyConnect and then test the connection.

--
Please remember to select a correct answer and rate helpful posts