ASA Secure LDAP chained certs from Server 2012

lcaruso
Level 6

We thought this was going to be a relatively easy fix to get Secure LDAP up again after the ASA upgrade.

Recently upgraded an ASA5525 to 9.14.2, and AnyConnect authentication was impacted by the cert requirement; according to the 9.13 release notes, we need a cert from the Windows Server 2012 domain controller. First, I was provided a wildcard cert from the server, and the serial numbers did not match. Then, I was provided a chained cert (two certs) from the server in .cer format. I tried importing them but got the errors shown at the bottom.

 

Questions: 

(1) Does the ASA support a chained cert (two cert files) from Windows Server 2012?

(2) What format cert files should be provided?

(3) Do the certs need private keys, public keys, or general keys?

 

f(config)# crypto ca import SECURE_LDAP certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: y

% The fully-qualified domain name in the certificate will be: <edit>

Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
<edit>
-----END CERTIFICATE-----
quit

Cannot import certificate -
Certificate does not contain device's Signature public key
for trust point SECURE_LDAP
ERROR: Failed to parse or verify imported certificate

f(config)# crypto ca import SECURE_LDAP certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: y

% The fully-qualified domain name in the certificate will be: <edit>

Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
<edit>
-----END CERTIFICATE-----
quit

Cannot import certificate -
Certificate does not contain device's General Purpose public key
for trust point SECURE_LDAP
ERROR: Failed to parse or verify imported certificate

 

Thanks much to anyone who can help.  
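An added example, not from the original post or from Cisco: a POSIX shell script that uses the openssl CLI to run the checks a practitioner would make on the .cer files before touching the ASA. It builds a throwaway root CA and a domain-controller certificate issued by it (constructed test material; the names Test Root CA and dc01.example.test are invented), splits a two-certificate chain into its parts, reports which one is the self-signed root, verifies that the leaf chains to it, converts a DER-encoded .cer to PEM, and checks whether a certificate's public key matches a given private key. That last check reproduces, outside the ASA, the condition behind the "Certificate does not contain device's ... public key" messages: `crypto ca import <trustpoint> certificate` installs an identity certificate and expects it to match the keypair bound to that trustpoint, so a certificate issued to the domain controller (whose private key lives on the DC) can never satisfy it. What the ASA needs in order to validate an LDAPS server is trust in the CA that issued the DC's certificate, and a CA certificate is loaded into a trustpoint with `crypto ca authenticate <trustpoint>`, not with `crypto ca import`.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is on PATH.
# All certificates and keys below are constructed test material: a throwaway
# root CA, a domain-controller cert it issues, and an unrelated key that stands
# in for the keypair bound to the ASA trustpoint.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/dc.pem" >/dev/null 2>&1
  cat "$WORK/dc.pem" "$WORK/ca.pem" > "$WORK/chain.pem"      # leaf first, root last
  openssl genrsa -out "$WORK/asa.key" 2048 >/dev/null 2>&1    # unrelated "ASA" key
  openssl x509 -in "$WORK/dc.pem" -outform der -out "$WORK/dc.cer"  # DER .cer copy
}

# Split a chained PEM file ($1) into $2/cert-1.pem, cert-2.pem, ...; print the count.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }' "$1"
}

# Accept a PEM or DER (.cer) certificate ($1) and emit PEM on stdout.
to_pem() {
  if grep -q "BEGIN CERTIFICATE" "$1"; then cat "$1"; else openssl x509 -inform der -in "$1"; fi
}

# Classify a certificate: a self-signed one is the root the ASA must trust.
cert_role() {
  subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#subject=}
  iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#issuer=}
  if [ "$subj" = "$iss" ]; then echo "self-signed (CA/root)"; else echo "end-entity, issued by $iss"; fi
}

# Does private key $1 belong to certificate $2? (Compares the encoded public keys.)
key_matches_cert() {
  keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  certpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  if [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]; then return 0; else return 1; fi
}

# Does leaf certificate $1 chain to the CA certificate(s) in file $2?
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

sha256_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

make_chain
COUNT=$(split_chain "$WORK/chain.pem" "$WORK")
echo "chain.pem holds $COUNT certificate(s)"
idx=1
while [ "$idx" -le "$COUNT" ]; do
  echo "  cert-$idx.pem: $(cert_role "$WORK/cert-$idx.pem")"
  idx=$((idx + 1))
done

to_pem "$WORK/dc.cer" > "$WORK/dc-from-der.pem"
[ "$(sha256_fp "$WORK/dc-from-der.pem")" = "$(sha256_fp "$WORK/dc.pem")" ] &&
  echo "DER .cer converted to PEM; fingerprints match"

verify_chain "$WORK/cert-1.pem" "$WORK/cert-2.pem" && echo "leaf verifies against the root"

key_matches_cert "$WORK/dc.key" "$WORK/dc.pem" && echo "dc.key matches dc.pem"
if ! key_matches_cert "$WORK/asa.key" "$WORK/dc.pem"; then
  echo "asa.key does NOT match dc.pem: importing dc.pem as the identity certificate of a"
  echo "trustpoint keyed with asa.key fails, which is the mismatch behind the ASA error"
fi
```

Run it with `sh` on any host with openssl; in practice, replace the generated files with the .cer files you were handed and run the same functions. If `cert_role` reports every certificate in the bundle as end-entity, the root has been left out and the chain cannot verify; if `key_matches_cert` fails against the ASA's own key (as it will for any DC-issued cert), the file belongs under `crypto ca authenticate`, not `crypto ca import`.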
