08-09-2018 11:03 AM - edited 02-21-2020 08:05 AM
Hello,
We have an ASA5585-x that has our VPN. Recently we started getting the "Invalid Cert" when users connect. I bought a new Godaddy Cert and had one of the other techs install the information. After doing the CSR for the ASA and getting the Godaddy bundle we are still having that problem. I have checked the identity cert and found only self-signed certs. In my CA cert section I see the Godaddy cert! I have the document on installing the cert, so what am I missing?
08-13-2018 06:35 AM
08-13-2018 06:44 AM
08-13-2018 06:52 AM
I understand those are the errors, but I'm trying to determine which key pair you're using to generate your request.
If you go to Device Management>Certificate Management>Identity Management and then select "Add" in the top right a new window should appear. In that window, if you select the radio button for "Add a new identity certificate", select the Key Pair you used to generate the CSR and then select "Show", that will show details of the Key Pair.
I'm looking for the first four details listed in that window. You can also reference the screen shot from my previous post.
08-13-2018 07:01 AM
08-13-2018 07:05 AM
08-13-2018 07:56 AM
Within the ASA when I run the sh crypto key mypubkey I see the SRHASA2 key, along with several others.
Key pair was generated at: 12:33:11 UTC Aug 13 2018
Key name: SRHASA2
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
08-13-2018 08:15 AM
08-13-2018 09:15 AM
08-13-2018 09:25 AM
I did the CSR request as my CN name. Yet when I look in the CLI I see my trustpoint for the new CSR as a different CN. Could that be the problem? My ASA has a DNS name of something different than my VPN webpage.
08-13-2018 09:27 AM
Now I removed and made another TP and still that default name (CN) is located on the Identity Cert. Any way of changing this information?
08-13-2018 09:58 AM
Are you adding the correct CN under the following locations (Attached Image)?
08-13-2018 11:20 AM
Wow, after rereading that last post about the CN I found my issue. In the Advanced options when making the Identity Cert there is the certificate parameter that needs to be changed. By default it uses the DNS of the device. I had to change that to the DNS of the VPN to make it work.
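One way to catch the mismatch resolved in this thread before a CSR goes to the CA, added here as an example (not code from the thread's participants or from Cisco): it reads the CN out of an exported PEM CSR and checks a certificate for self-signing and for a match against the VPN hostname. The hostnames, file names and the `make_sample` helper are constructed assumptions, and the `openssl` command-line tool is required.

```bash
#!/usr/bin/env bash
# Added example: pre-submission CSR check and identity-certificate check.
# Hostnames are constructed placeholders, not values from the thread.

# Build a constructed CSR ($2) and self-signed cert ($3) with CN $1, for demonstration.
make_sample() {
  local key; key=$(mktemp)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" \
    -subj "/O=Example/CN=$1" -out "$2" 2>/dev/null
  openssl x509 -req -in "$2" -signkey "$key" -days 1 -out "$3" 2>/dev/null
  rm -f "$key"
}

# Print the subject CN carried in a PEM CSR.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the CSR's CN is the name users type into the VPN client.
csr_names_host() {
  local cn; cn=$(csr_cn "$1")
  [ "$(printf %s "$cn" | tr 'A-Z' 'a-z')" = "$(printf %s "$2" | tr 'A-Z' 'a-z')" ]
}

# Succeed if issuer equals subject, i.e. the certificate was not issued by a CA.
is_self_signed() {
  local s i
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  [ "${s#*=}" = "${i#*=}" ]
}

# Succeed if the certificate is valid for the hostname (SAN, else CN).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
```

Run `csr_names_host request.csr <VPN hostname>` on the CSR text exported from the ASA before submitting it; a failure here corresponds to the default device-name CN described above.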