ASA: Problems when a certificate for AnyConnect users expired

swscco001
Level 3

Hello everybody,

today I have a problem with certificates on the ASA running 9.8(4)32
for AnyConnect (4.9.05042) users.

The self-signed certificate expired recently and since that time the
AnyConnect users get the AnyConnect "Security Warning: Untrusted Server Certificate"
(see attached). The customer clicked 'Connect anyway' and could log in.

I noted the properties of the expired certificate and generated
a new self-signed certificate with the same properties, Common Name (CN) etc.,
following the guide at:
https://asame2.blogspot.com/2018/06/how-to-generate-self-signed-certificate.html
with an expiry date in 2031, and assigned it to the outside interface.

At the next login attempt the customer gets the AnyConnect "Security Warning:
Untrusted Server Certificate" again, but this time with the option to import
the certificate (see attached).

But when he chose this option and clicked 'Connect anyway' he could not
log in at all anymore.

I assigned the expired certificate to the outside interface and then the
customer could log in again after clicking 'Connect anyway'.

My questions:

1. Is there a relation between the Common Name (CN) and the VPN server
that the user has in the AnyConnect client before he clicks 'Connect'?

2. Could it be that the import did not work correctly that way?

3. Is there a step-by-step guide on what to do when a certificate
has expired?

Every hint is very welcome.

Thanks a lot!

Bye
R.

2 Replies

balaji.bandi
Hall of Fame

Are you using Dynadns as the FQDN? Do you have a public cert for this?

If you are using self-signed, the certificate needs to be pushed to all clients; this is mostly done with whatever centralised Windows update system you have.

Or the user needs to check that box and install the cert so the user will not get any error (this is not recommended).

 

BB


Marvin Rhoads
Hall of Fame

Generally speaking, we should never use a self-signed certificate outside of a lab environment. So replacing the expired certificate from a known Certificate Authority (CA) with a self-signed one is not a recommended practice.

The correct practice would be to either:

a. renew the certificate from the same CA or

b. generate a new Certificate Signing Request (CSR), submit it to the CA, get a new CA-issued certificate and install it.
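The script below is an added example, not code from this thread, from Cisco or from the blog post the original poster followed. It uses openssl to reproduce the three checks a TLS client such as AnyConnect makes on the headend's identity certificate (expiry, name match against the hostname the user typed, and a chain to a trusted CA), and it builds both kinds of replacement certificate discussed above: a CA-issued one from a fresh CSR (option b in the reply), and a self-signed one with the same CN as in the original post. The hostnames `vpn.example.com` and `asa-old.example.com`, the throw-away test CA and all key material are constructed for the demo; the ASA's own `crypto ca` enrollment commands are not shown, openssl stands in for them.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce with openssl the checks a TLS client
# makes on the VPN headend's identity certificate, and build the two kinds of
# replacement certificate discussed above. All names and keys are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

VPN_HOST=vpn.example.com        # constructed: what the user types into the client
OLD_HOST=asa-old.example.com    # constructed: a stale name that no longer matches

# valid_for CERT SECONDS -> 0 if CERT is still unexpired SECONDS from now, 1 if not.
# Run this from monitoring so an expiry is caught before users see a warning.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# check_server_cert CERT HOSTNAME TRUSTSTORE -> 0 if a client trusting TRUSTSTORE
# would accept CERT for HOSTNAME without a warning, 1 otherwise.
check_server_cert() {
    cert=$1; host=$2; store=$3
    if ! valid_for "$cert" 0; then
        echo "FAIL $cert: expired"; return 1
    fi
    # The chain must end in the trust store, and the SAN (CN only if no SAN is
    # present) must match the hostname the user typed.
    if ! openssl verify -CAfile "$store" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo "FAIL $cert: not trusted via $store, or name does not match $host"; return 1
    fi
    echo "OK   $cert: trusted and valid for $host"
}

# Throw-away CA standing in for the real CA the reply refers to (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Example Test CA" -days 3650 >/dev/null 2>&1

# Option (b): fresh key and CSR, the CA issues the certificate, install the result.
# (On the ASA the CSR would come from "crypto ca enroll"; openssl stands in here.)
openssl req -newkey rsa:2048 -nodes -keyout asa.key -out asa.csr \
    -subj "/CN=$VPN_HOST" -addext "subjectAltName=DNS:$VPN_HOST" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$VPN_HOST" > san.ext
openssl x509 -req -in asa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out asa-ca-issued.pem -days 825 -extfile san.ext >/dev/null 2>&1

# The self-signed replacement with the same CN and a distant expiry, as in the post.
openssl req -x509 -newkey rsa:2048 -nodes -keyout self.key -out asa-selfsigned.pem \
    -subj "/CN=$VPN_HOST" -addext "subjectAltName=DNS:$VPN_HOST" -days 3650 >/dev/null 2>&1

# A self-signed certificate whose name does not match what the user types.
openssl req -x509 -newkey rsa:2048 -nodes -keyout wrong.key -out asa-wrongname.pem \
    -subj "/CN=$OLD_HOST" -addext "subjectAltName=DNS:$OLD_HOST" -days 3650 >/dev/null 2>&1

echo "--- a client that trusts only the CA"
check_server_cert asa-ca-issued.pem  "$VPN_HOST" ca.pem || true   # OK
check_server_cert asa-selfsigned.pem "$VPN_HOST" ca.pem || true   # FAIL: the 'Untrusted Server Certificate' case
echo "--- a client that imported the self-signed certificate"
check_server_cert asa-selfsigned.pem "$VPN_HOST" asa-selfsigned.pem || true   # OK
check_server_cert asa-wrongname.pem  "$VPN_HOST" asa-wrongname.pem  || true   # FAIL: trusted, but the name is wrong
echo "--- expiry lookahead"
valid_for asa-ca-issued.pem 2592000  && echo "CA-issued cert is still valid 30 days from now"
valid_for asa-ca-issued.pem 94608000 || echo "CA-issued cert expires within 3 years: schedule the renewal"
```

The two FAIL cases are the ones that matter for this thread: a self-signed certificate fails the chain check on every client that has not imported it, however fresh its expiry date is, and a certificate whose SAN/CN does not match the hostname the user typed fails even on a client that trusts it. Renewing with the same CA, or issuing from a new CSR with the same SAN, avoids both.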
