Cert for ASA

james.king14
Level 1

Hello,

We have an ASA5585-X that has our VPN. Recently we started getting the "Invalid Cert" error when users connect. I bought a new GoDaddy cert and had one of the other techs install the information. After doing the CSR for the ASA and getting the GoDaddy bundle we still have that problem. I have checked the identity cert and found only self-signed certs. In my CA cert section I see the GoDaddy cert! I have the document on installing the cert, so what am I missing?

26 Replies

Could you detail how you are generating your CSR/Key Pair in step one by providing a screen shot of the following?


Image attached.

Here are the errors

I understand those are the errors, but I'm trying to determine which key pair you're using to generate your request.


If you go to Device Management>Certificate Management>Identity Management and then select "Add" in the top right a new window should appear.  In that window, if you select the radio button for "Add a new identity certificate", select the Key Pair you used to generate the CSR and then select "Show", that will show details of the Key Pair.


I'm looking for the first four details listed in that window.  You can also reference the screen shot from my previous post.

This is the same keypair name that is already saved into the ASA and used with the CSR. Does that not override the CSR I already have made for my identity cert sent to the third-party provider?

here is the 

Within the ASA when I run the sh crypto key mypubkey I see the SRHASA2 key, along with several others.

Key pair was generated at: 12:33:11 UTC Aug 13 2018
Key name: SRHASA2
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:

30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00c484d7 fd771ff5 051d2a4a a06a3219 f868ccbd 8c973081 f40e1f45 ebb9c6eb
f5e4cbd4 196f6a19 666757f5 40657d33 4750fc9f 7e591fe6 8db4dfd4 dd73e6d7
01d9a8b3 54e61327 661b441a b25d4fc5 a949ecd7 0b0b2167 b61e4e88 d77281be
a662641f 7592639e 6ab1d9b8 32d345f6 a110ae20 6e942450 b3238d52 fb0fae23
7d97a2ab b5717ffc e4f1154e 2c3f6b10 9142eb67 9b9a5d99 3541143b d67033c9
15ccab74 f6928878 96d990c8 d0372034 93958675 71825b77 2048d768 dd70123a
a394b843 11c10509 6bf645cd 587eb2cc 984bb3ea 7e973b6c 9750aa20 fb4fd1f9
e5f39cd3 ebeaf8c1 cc99650c db24d7be 0d2bd62b 1794f6d8 362256d3 6421b73d
fd020301 0001

Hi,
Are you sure that you pointed to this key and the correct CN when generating the CSR request?
Regards

That is one of my questions. I see the default DNS name of the ASA as one name and the WebVPN has another DNS name. So when I do a CSR with the web DNS name, which one is actually being seen?

I did the CSR request with my CN name. Yet when I look in the CLI I see my trustpoint for the new CSR with a different CN. Could that be the problem? My ASA has a DNS name that is different from my VPN webpage.

Certificate
  Subject Name:
    Name: srh-net-1111-105.srh.noaa.gov  (This is the name of the device not the CN of the CSR)
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  d00f0fb2 6a9312bc 36eeea2c 2a8f9840
  Associated Trustpoint: ASDM_TrustPoint1          (Same TP as CSR and CA)
Certificate
  Subject Name:
    Name: srh-net-1111-105.srh.noaa.gov
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  aaf893b0 36351f49 4ae08ac1 8b4913e6
  Associated Trustpoint: ASDM_TrustPoint4
srh-net-1111-105#
  75020301 0001
Key pair was generated at: 12:33:11 UTC Aug 13 2018
Key name: SRHASA2
 Usage: General Purpose Key
 Modulus Size (bits): 2048
 Key Data:
  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
  00c484d7 fd771ff5 051d2a4a a06a3219 f868ccbd 8c973081 f40e1f45 ebb9c6eb
  f5e4cbd4 196f6a19 666757f5 40657d33 4750fc9f 7e591fe6 8db4dfd4 dd73e6d7
  01d9a8b3 54e61327 661b441a b25d4fc5 a949ecd7 0b0b2167 b61e4e88 d77281be
  a662641f 7592639e 6ab1d9b8 32d345f6 a110ae20 6e942450 b3238d52 fb0fae23
  7d97a2ab b5717ffc e4f1154e 2c3f6b10 9142eb67 9b9a5d99 3541143b d67033c9
  15ccab74 f6928878 96d990c8 d0372034 93958675 71825b77 2048d768 dd70123a
  a394b843 11c10509 6bf645cd 587eb2cc 984bb3ea 7e973b6c 9750aa20 fb4fd1f9
  e5f39cd3 ebeaf8c1 cc99650c db24d7be 0d2bd62b 1794f6d8 362256d3 6421b73d
  fd020301 0001
Actual CA cert from GoDaddy with the correct TP
srh-net-1111-105#   sh crypto ca cert
CA Certificate
  Status: Available
  Certificate Serial Number: 00ce6acee157887d48
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=Go Daddy Secure Certificate Authority - G2
    ou=http://certs.godaddy.com/repository/
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  Subject Name:
    cn=srhvpn.srh.noaa.gov
    ou=Domain Control Validated
  OCSP AIA:
    URL: http://ocsp.godaddy.com/
  CRL Distribution Points:
    [1]  http://crl.godaddy.com/gdig2s1-727.crl
  Validity Date:
    start date: 19:36:00 UTC Oct 3 2017
    end   date: 19:36:00 UTC Oct 3 2019
  Associated Trustpoints: ASDM_TrustPoint1

Now I removed and made another TP and still that default name (CN) is located on the identity cert. Any way of changing this information?

Wow, after rereading that last post about the CN I found my issue. In the Advanced Options when making the identity cert there is the certificate parameter that needs to be changed. By default it uses the DNS name of the device. I had to change that to the DNS name of the VPN to make it work.
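The two mistakes this thread turns on, a pending identity certificate whose subject is the device hostname instead of the VPN FQDN, and the GoDaddy-issued server certificate for the VPN name sitting in the CA store, are both visible in the `sh crypto ca cert` output posted above. The script below is an added example, not code from the thread or from Cisco: it parses that listing and the `sh crypto key mypubkey rsa` hex dump of key SRHASA2 with only the Python standard library, walks the DER structure of the key to confirm it is RSA 2048 with exponent 65537, and reports the two findings keyed by trustpoint. The listing and key hex are copied from the posts (second pending entry and parenthetical notes omitted); the function names and the expected VPN name passed to `audit` are assumptions.

```python
# Entries as printed by "sh crypto ca cert" in the thread (second pending entry
# and the parenthetical notes omitted); the key hex is key SRHASA2 from
# "sh crypto key mypubkey rsa". Both are copied from the posts above.
ASA_CERT_LISTING = """\
Certificate
  Subject Name:
    Name: srh-net-1111-105.srh.noaa.gov
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Associated Trustpoint: ASDM_TrustPoint1
CA Certificate
  Status: Available
  Issuer Name:
    cn=Go Daddy Secure Certificate Authority - G2
    ou=http://certs.godaddy.com/repository/
  Subject Name:
    cn=srhvpn.srh.noaa.gov
    ou=Domain Control Validated
  OCSP AIA:
    URL: http://ocsp.godaddy.com/
  Associated Trustpoints: ASDM_TrustPoint1
"""
ASA_KEY_HEX = """
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00c484d7 fd771ff5 051d2a4a a06a3219 f868ccbd 8c973081 f40e1f45 ebb9c6eb
f5e4cbd4 196f6a19 666757f5 40657d33 4750fc9f 7e591fe6 8db4dfd4 dd73e6d7
01d9a8b3 54e61327 661b441a b25d4fc5 a949ecd7 0b0b2167 b61e4e88 d77281be
a662641f 7592639e 6ab1d9b8 32d345f6 a110ae20 6e942450 b3238d52 fb0fae23
7d97a2ab b5717ffc e4f1154e 2c3f6b10 9142eb67 9b9a5d99 3541143b d67033c9
15ccab74 f6928878 96d990c8 d0372034 93958675 71825b77 2048d768 dd70123a
a394b843 11c10509 6bf645cd 587eb2cc 984bb3ea 7e973b6c 9750aa20 fb4fd1f9
e5f39cd3 ebeaf8c1 cc99650c db24d7be 0d2bd62b 1794f6d8 362256d3 6421b73d
fd020301 0001
"""


def parse_cert_listing(text):
    """Split the ASA listing into records: kind, subject, issuer, status, trustpoint."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            records.append(dict(kind=line, subject=None, issuer=None, status=None, trustpoint=None))
            section = None
        elif not records:
            continue
        elif line.startswith("Subject Name:"):
            section = "subject"
        elif line.startswith("Issuer Name:"):
            section = "issuer"
        elif line.startswith("Status:"):
            records[-1]["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Associated Trustpoint"):
            records[-1]["trustpoint"] = line.split(":", 1)[1].strip()
        elif section and line.startswith("Name:"):   # pending CSR entries print "Name:"
            records[-1][section] = line.split(":", 1)[1].strip()
        elif section and line.startswith("cn="):     # issued certificates print DN attributes
            records[-1][section] = line[3:].strip()
        elif line.endswith(":"):                     # any other header ends the DN section
            section = None
    return records


def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def parse_rsa_pubkey(hex_text):
    """Return (modulus_bits, public_exponent) from the ASA's SubjectPublicKeyInfo hex dump."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, pos, _ = _tlv(der, 0)                       # SubjectPublicKeyInfo SEQUENCE
    assert tag == 0x30
    tag, _, alg_end = _tlv(der, pos)                 # AlgorithmIdentifier (rsaEncryption)
    tag, b_start, b_end = _tlv(der, alg_end)         # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03
    rsa = der[b_start + 1:b_end]                     # skip the unused-bits byte
    tag, pos, _ = _tlv(rsa, 0)                       # RSAPublicKey SEQUENCE
    tag, m_start, m_end = _tlv(rsa, pos)             # INTEGER modulus (leading 0x00 pad)
    tag, e_start, e_end = _tlv(rsa, m_end)           # INTEGER publicExponent
    assert tag == 0x02
    modulus = int.from_bytes(rsa[m_start:m_end], "big")
    return modulus.bit_length(), int.from_bytes(rsa[e_start:e_end], "big")


def audit(records, vpn_fqdn):
    """Flag identity subjects that are not the VPN name and leaf certs parked in the CA store."""
    findings = []
    for rec in records:
        tp = rec["trustpoint"]
        if rec["kind"] == "Certificate" and rec["subject"] != vpn_fqdn:
            findings.append(f"{tp}: CSR/identity subject '{rec['subject']}' is the device "
                            f"hostname, not the VPN name '{vpn_fqdn}'; re-enroll with the VPN FQDN as CN")
        if rec["kind"] == "CA Certificate" and rec["subject"] == vpn_fqdn:
            findings.append(f"{tp}: the server certificate for '{vpn_fqdn}' is in the CA store; "
                            f"import it as the trustpoint's identity certificate instead")
    return findings


if __name__ == "__main__":
    print(parse_rsa_pubkey(ASA_KEY_HEX))
    print(audit(parse_cert_listing(ASA_CERT_LISTING), "srhvpn.srh.noaa.gov"))
```

Run against the thread's own output the audit returns two findings, one per mistake, and returns nothing when the expected name is the device hostname, which is the state the ASDM default produced. The DER walk is deliberately minimal (no OID check on the AlgorithmIdentifier) because its only job here is to confirm the key size the CSR was generated with before re-enrolling.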
