Solved: How do I edit a digital certificate?

Scott Farwell · ‎02-13-2012

My VPN server downloads a digital certificate to VPN users. I think this cert has the wrong address for the server. How can I change the cert ip address?Or how can I stop the VPN server from requiring the cert? I think problem is from changing IP service providers and not changing the server address in the cert.

Marvin Rhoads · ‎02-14-2012

The IOS configuration guide covers certificates here. While you can create a new self-signed certificate on the router (typically used with https for web-based management - see this configuration guide), it's best to use either an internal CA or 3rd party public CA.

To turn it off, find where it's called out in your configuration. "show crypto ca certificates" will show you what certificates you have enrolled on the router. One of them should be called out in the VPN setup.

However, it's not just that simple. If they are being used for authentication and you remove them, they need to be replaced with something else - like a preshared key, reference to a user database (internal or external like LDAP or AD), etc. So it's a non-trivial task. You can get some idea of what's involved to setup certificates properly at this link.

If you're not comfortable working with the CLI, you might want to just setup a new VPN profile using the CCP GUI. Here is a link for that procedure.

View solution in original post

Marvin Rhoads · ‎02-14-2012

You can't edit a certificate directly. That's fundamental to how they are built as an identity assertion mechanism. You can generate and use a new one (preferred) or remove te use of them altogether (lowers your security).

The necessary steps depend on your equipment and connection type. Can you give us more details on your configuration?

Scott Farwell · ‎02-14-2012

I have a Cisco 2851 IOS router that my users connect to for VPN access. Initially they connect to my server via the WEBVPN SSLVPN Service. From there they start a tunnel connection. After connecting the first time they use the anyconnect client to start a vpn connection.

I would like to use a certificate to authenticate. Unfortunately I do not know how to generate and install one. If i can not generate/install a new certifacte then I would like to turn the use of it off.

USING:

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)

Cisco ANYConnect VPN Client Version 2.5.3055

Marvin Rhoads · ‎02-14-2012

The IOS configuration guide covers certificates here. While you can create a new self-signed certificate on the router (typically used with https for web-based management - see this configuration guide), it's best to use either an internal CA or 3rd party public CA.

To turn it off, find where it's called out in your configuration. "show crypto ca certificates" will show you what certificates you have enrolled on the router. One of them should be called out in the VPN setup.

However, it's not just that simple. If they are being used for authentication and you remove them, they need to be replaced with something else - like a preshared key, reference to a user database (internal or external like LDAP or AD), etc. So it's a non-trivial task. You can get some idea of what's involved to setup certificates properly at this link.

If you're not comfortable working with the CLI, you might want to just setup a new VPN profile using the CCP GUI. Here is a link for that procedure.

Scott Farwell · ‎02-15-2012

I was able to generate new certificates with the correct ip in them from the links that you provided. I am able to connect through the WEBVPN connection.

Thank you!!

Marvin Rhoads · ‎02-15-2012

You're welcome. I'm glad you're back to normal with a valid certificate. Thanks for the rating.