04-07-2015 05:05 AM - edited 03-11-2019 10:44 PM
Hi,
Anyone, please share the steps to find out the status/validity of a VPN client certificate in a Cisco ASA firewall.
Regards,
Dhruva S.
04-08-2015 07:49 AM
Hi Dhruva,
Actually it works using the MMC. The steps to follow:
* Start -> Type MMC
* Once it is opened -> Click on File -> then Add/Remove Snap-in...
* You will see the available Snap-ins; click on Certificates and Add
* Then you will be prompted with 3 options (My User Account, Service Account, Computer Account): if the certificate is installed in the Personal store -> click on My User Account; if it is installed in the Machine store -> click on Computer Account.
* After doing this you will be able to see either the current user's certificates or the machine's, and see the certificate installed. (Double click on the certificate and you will see its details.)
Please proceed to rate and mark as correct this Post!
David Castro,
Regards,
04-08-2015 08:11 AM
Hi. If you are using a certificate assigned to a user, try this.
On the Windows PC, while logged in with the user account, open mmc.exe. Click "File", then "Add/Remove Snap-in", then in the list select Certificates. In the wizard select "My user account". Then Finish and OK. Then expand the "Personal" certificate store. Then click on the "Certificates" folder. You can then select the user certificate and review its validity.
If you are using a certificate assigned to a computer: during the adding of the Certificates snap-in, select "Computer account", and after that select "This computer". Then follow the same steps as above to review the certificate.
EDIT: POSTED AT THE SAME TIME☺
04-07-2015 07:39 PM
Hi,
Actually this is not really clear; I don't know if you are referring to the SSL certificate or if this is related to certificate-based authentication.
Either way, I am going to explain both.
SSL certificate (Identity certificate placed on the outside interface).
On the CLI you can run these show commands:
show run all ssl --> with this show command you will identify which trustpoint is applied on the outside interface.
After Identifying the trustpoint name:
show crypto ca certificate <Trustpoint name> -> With this you will be able to see the information of the SSL certificate: validity, subject names...
-------------------------------------------------------------------------------------------------------------------------
Certificate Based Authentication:
On the CLI you will need to see the CA certificate installed:
show crypto ca certificate -> There you will be able to see the CA certificates and identify the CA used for the certificate authentication.
On the end user side, if it is a Windows computer:
Start -> type certmgr.exe. Check the Personal store or the Machine store to see if the identity certificate is installed; after that, double click on the certificate and you will be able to see the details.
Let me know if you have any other question!
Please proceed to rate and mark as correct the helpful Post!
David Castro,
Regards,
04-08-2015 04:03 AM
Hi David,
Thanks for your useful info.
I am looking for the steps to check the certificate validity of an individual user.
In my system, certmgr.exe is not installed. Can we check the same using the Microsoft Management Console (MMC)? If yes, please let me know the steps.
Regards,
Dhruva S.
04-08-2015 07:53 AM
Hi David,
Thanks for your time in answering my queries..... !!!
Regards,
Dhruva S.
08-23-2019 04:20 AM
Hi Guys,
One follow-up question, since this scenario matches my case as well. If the personal store contains multiple certificates, how will AnyConnect pick the right certificate? I tried this scenario, but AnyConnect automatically picked the right one and connected. I am curious to understand the logic behind the selection procedure. It didn't prompt me to choose a certificate while trying to connect. Any idea?
Regards
Anand
10-10-2022 12:58 PM
Did you get an answer to this question?
04-08-2015 08:33 AM
Hi Andre,
Thanks for your reply.
1 more question: Is there any alternate option available to the network admin to check certificate validity rather than going to the remote user's desktop MMC, for example in the CA server or in the ASA ASDM console???
The reason for this question is that we can then renew the certificate prior to expiration, before the user raises the issue...
Regards,
Dhruva S.
04-08-2015 08:46 AM
Hi Dhruva. Just thinking about this solution. I can't confirm it right now; I'll have access to my lab ASA soon. But what if you could set an email alert to alert admins when certificate authentication fails for your VPN? You can then look at the logs or review the client certificate.
If you are looking for advance notification to warn you before a client certificate expires........ I don't think the ASA can do that.
Regards
Andre
04-08-2015 08:47 AM
Dhruva,
Computer:
There is actually another way: open the IE browser, click on "Internet Options", then click on the Content tab, and afterwards click on Certificates.
There you will be able to see the certs as well.
ASA
Now in this case there is a certificate alert on IOS release 9.4.X:
The ASA checks all CA and ID certificates in the trust points for expiration once every 24 hours. If a certificate is nearing expiration, a syslog will be issued as an alert. You can configure the reminder and recurrence intervals. By default, reminders will start at 60 days prior to expiration and recur every 7 days.
We introduced or modified the following commands: crypto ca alerts expiration
You may find further information on this link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
Like this you can have the certificate alert once the certificate is about to expire.
Please proceed to rate and mark as correct this Post!
David Castro,
Regards,
04-08-2015 11:06 AM
Hi. I just fired up my lab ASA. It seems that you can only set email alerts per syslog level, and not for individual messages or events. So it won't work for VPN auth failure.
Regards
Andre
04-07-2015 08:04 PM
Hi ,
As David said, in "show crypto ca certificates" you should see the validity date and associated trustpoint:
Validity Date: start date: 22:39:31 UTC Aug 29 2008 end date: 22:49:31 UTC Aug 29 2009
HTH
Sandy
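Added example (not from any poster in this thread): a small Python script that parses the "Validity Date" lines of ASA "show crypto ca certificates" output, as quoted above, and classifies each certificate against the 60-day reminder default that the 9.4 expiration alert uses. The sample output is constructed to match the quoted format, and the check runs for every certificate block in the output, not just one.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the "Validity Date:" lines that
# "show crypto ca certificates" prints on the ASA (not real device output).
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number: 0a1b2c3d
  Validity Date:
    start date: 22:39:31 UTC Aug 29 2008
    end   date: 22:49:31 UTC Aug 29 2009
  Associated Trustpoints: ASDM_TrustPoint0
"""

_DATE = r"\d\d:\d\d:\d\d UTC [A-Za-z]{3} \d{1,2} \d{4}"
VALIDITY_RE = re.compile(
    r"start date:\s+(?P<start>" + _DATE + r")\s+end\s+date:\s+(?P<end>" + _DATE + r")"
)
DATE_FMT = "%H:%M:%S UTC %b %d %Y"

def _to_utc(text):
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)

def at(year, month, day):
    """Helper: build an aware UTC datetime for a 'now' reference."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def parse_validity(output):
    """Return (not_before, not_after) pairs, one per certificate block in the
    show output, as timezone-aware UTC datetimes."""
    return [(_to_utc(m.group("start")), _to_utc(m.group("end")))
            for m in VALIDITY_RE.finditer(output)]

def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days

def classify(not_before, not_after, now, reminder_days=60):
    """Status at time 'now'. The 60-day default mirrors the reminder interval
    described for the ASA 9.4 'crypto ca alerts expiration' feature."""
    if now < not_before:
        return "not yet valid"
    remaining = days_remaining(not_after, now)
    if remaining < 0:
        return "expired"
    return "expiring" if remaining <= reminder_days else "valid"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for nb, na in parse_validity(SAMPLE_OUTPUT):
        print(f"expires {na:%Y-%m-%d}: {classify(nb, na, now)} ({days_remaining(na, now)} days)")
```

Feed it the captured output of the show command (for example via a paste or a scripted SSH session) to get the same expiry view centrally that the MMC steps give per user desktop.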
04-08-2015 04:06 AM
Hi Santhosh,
Thanks for your inputs.
I am looking for the steps to check the VPN certificate validity of an individual user. Any thoughts....
Regards,
Dhruva S.