Cert for ASA

james.king14
Level 1

Hello,

We have an ASA5585-X that hosts our VPN.  Recently we started getting the "Invalid Cert" error when users connect.  I bought a new GoDaddy cert and had one of the other techs install it.  After doing the CSR on the ASA and getting the GoDaddy bundle, we are still having that problem.  I have checked the identity certs and found only self-signed certs.  In my CA cert section I see the GoDaddy cert!  I have the document on installing certs, so what am I missing?

Accepted Solution

Wow, after rereading that last post about the CN I found my issue.  In the Advanced Options when making the Identity Cert there is a certificate parameter that needs to be changed.  By default it uses the DNS name of the device.  I had to change that to the DNS name of the VPN to make it work.


26 Replies

croll9898
Level 1

Here's a great article for setting up the certificate.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

Without knowing your full configuration, I would verify the following:

1.  You have a DNS entry for the FQDN on the certificate.

2.  Verify the correct certificate is configured on the correct interface (Configuration>Remote Access VPN>Advanced>SSL Settings)

3.  Verify your users are going to the FQDN on the certificate and not the public IP or a different FQDN.

Thanks for the quick reply.

All of those settings have been triple checked.  I think my issue is that the old CA cert was changed and is being used as the default.  The naming convention for the ASA is the same but different, since we had a name change.  I am contacting GoDaddy to get it rekeyed.  That way I can start from the beginning.

Have you verified that the clients that try to connect have all the intermediate certs that are used in the new GoDaddy cert?


Hi Dennis,

Yes, all clients have the intermediate cert loaded on the device.


Marvin Rhoads
Hall of Fame

Your site https://srhvpn.srh.noaa.gov/ is currently showing the certificate from the SRH root CA, not the one from GoDaddy.

Check that you have bound the GoDaddy certificate to the outside interface:

ssl trust-point ASDM_TrustPoint7 outside

(assuming the nameif is "outside")

Marvin,

That is the real issue.  I have rekeyed the ASA with the GoDaddy cert this morning and still get the same error.


Jerome BERTHIER
Level 1

Hi

Does the CA certificate contain a chain of certificates (CA root and subsequent CA intermediates)?

If yes, then you have to install all certificates in this chain separately in the ASA under Configuration > Device Management > Certificate Management > CA Certificates.

If you installed the CA certificate containing the chain, I guess it won't be recognized on clients.

Regards

Jerome,

Thanks for the reply.

I have made sure that the CA chain is there on the ASA and the laptop.  At the moment the problem is loading the new cert.


Yes, but:

1) did you install a single CA certificate concatenating the chain from the root to the final intermediate CA?

2) or did you install each CA certificate needed from the root to the final intermediate CA?

To my mind, the right option to get it working is option 2.

Regards

Jerome,

If I am correct, when using GoDaddy you have to install one in the CA cert (which is the bundle) and the other cert under Identity!  Please correct me if I am wrong, but when using the ASDM you only have those options.

Check out this article to verify you're generating the correct request (General Usage vs Usage Key):

https://community.cisco.com/t5/other-security-subjects/problems-importing-ssl-certificate-to-asa-7-2/td-p/905671

On a side note, what type of machines will be utilizing the VPN?  We're using an internally generated certificate (similar to the current certificate on srhvpn.srh.noaa.gov) since our policy is that only Active Directory domain-joined machines can access our AnyConnect VPN.  In that case, you can use Group Policy to install the SR Root CA on each machine, and that should fix the trust issue.

You can also test this out by installing the SR Root CA locally (which I did, and I'm no longer getting the error).

It's quite simple to install a certificate:

1) generate a CSR (and a key pair if needed)

2) have it signed by your SSL certificate provider

3) install each CA certificate:

Configuration > Device Management > Certificate Management > CA Certificates

4) install the server certificate (signed by your SSL certificate provider):

Configuration > Device Management > Certificate Management > Identity Certificates

5) choose the new certificate to apply it to your SSL interface:

Configuration > Remote Access VPN > Advanced > SSL Settings

On step 3, I think that you cannot use a single CA certificate file if it contains more than one CA certificate (chain bundle).

Instead, you have to retrieve each CA certificate, depending on which root signed your server certificate:

https://certs.godaddy.com/repository/

Then import each one.

If the chain contains, for example, three certs (CA root, CA intermediate 1 signed by the CA root, and CA intermediate 2 signed by CA intermediate 1), then you should have those three certificates separately under Certificate Management > CA Certificates.

Regards
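As an added example (not posted by anyone in this thread), here is the ASA CLI equivalent of the five ASDM steps above, combined with the ssl trust-point binding Marvin mentions and the CN fix from the accepted answer. The trustpoint names GODADDY-ID and GODADDY-ROOT, the key label VPN-KEY, the FQDN vpn.example.com, the subject-name fields and the nameif "outside" are assumptions; substitute your own values.

```text
! Added example, not configuration from this thread. Names, FQDN and
! nameif are assumptions.
!
! 1) Key pair and CSR. The fqdn and subject-name lines are the setting the
!    accepted answer changed in ASDM's Advanced options: without them the
!    request carries the device hostname, not the name users type into
!    AnyConnect, and clients report an invalid certificate.
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint GODADDY-ID
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Org,C=US
 keypair VPN-KEY
 exit
crypto ca enroll GODADDY-ID
! Copy the printed PEM request to the CA. Continue once the signed
! certificate and the CA's root and intermediate certificates are in hand.

! 2) CA certificates: one trustpoint per CA, each PEM pasted on its own
!    (the CLI form of "install each CA certificate separately"; a bundle
!    file is not accepted here).
crypto ca trustpoint GODADDY-ROOT
 enrollment terminal
 exit
crypto ca authenticate GODADDY-ROOT
! paste the root CA PEM, then type quit on a line by itself
crypto ca authenticate GODADDY-ID
! paste the intermediate that actually signed the identity cert, then quit

! 3) Identity certificate, imported into the SAME trustpoint that produced
!    the CSR so the ASA can pair it with the VPN-KEY private key.
crypto ca import GODADDY-ID certificate
! paste the signed server PEM, then quit

! 4) Bind the trustpoint to the VPN interface, then verify.
ssl trust-point GODADDY-ID outside
show crypto ca certificates GODADDY-ID
show running-config ssl
```

show crypto ca certificates should list a CA certificate (the intermediate) and an identity certificate under GODADDY-ID, with the identity certificate's Subject Name containing the FQDN users connect to; show running-config ssl confirms which trustpoint is actually bound to outside. If the identity certificate is absent or its subject still carries the device hostname, the CSR was generated without the fqdn/subject-name settings and must be redone, which is the rekey this thread ends up performing.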

Jerome,

After following the prescribed settings for adding the identity cert, step #4 is where I am having the issue.  I even tried to paste the base-64 into the box.  It still says that it failed to parse the data and that the public key is
