10-18-2022 04:55 PM
We need to import the server certificate to the ASA in order to use LDAPS for VPN authentication. The server certificate has a creation date of 06-06-2021 but an expiration of 06-06-2121. When I attempt to import the certificate into the ASA the creation date looks correct, but the expiration date shows 04-30-1985??
Cisco Adaptive Security Appliance Software Version 9.16(3)19
% CA Cert not yet valid or is expired -
start date: 14:05:13 UTC Jun 6 2021
end date: 07:46:57 UTC Apr 30 1985
% Error in saving certificate: status = FAIL
03-25-2023 12:11 PM
Hi
Did you get this resolved, as I have the issue as well? Thanks
03-25-2023 12:51 PM
Yup, it's an ASA bug whereby it cannot accept certificates that have an expiration date that is too far in the future (the error message is completely misleading). In our case the person who generated the LDAPS certificate gave it an expiration date of 100 years in the future. We simply got them to regenerate the certificate with a shorter expiration date such as 2 years.
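The dates in the error output above line up with a signed 32-bit time_t wraparound (Jun 6 2121 minus 2^32 seconds lands on Apr 30 1985), which is my inference from the output, not something stated in this thread. The following is an added example, not code from any poster or from Cisco, that reproduces the wrapped date and gives a pre-import check on a certificate's notAfter; the notBefore is taken from the ASA output, while the notAfter time of day is assumed because the thread does not print it.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Largest instant a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
TIME_T32_MAX = EPOCH + timedelta(seconds=2**31 - 1)


def wrap_to_signed_32bit(moment: datetime) -> datetime:
    """Return what a timezone-aware datetime becomes when its epoch seconds
    are stored in a signed 32-bit integer (the overflow that appears to
    explain the 1985 end date; an inference from the output, not a Cisco
    statement)."""
    seconds = int(moment.timestamp()) % 2**32
    if seconds >= 2**31:
        seconds -= 2**32
    return EPOCH + timedelta(seconds=seconds)


def fits_asa_import(not_after: datetime) -> bool:
    """Pre-import check: True when the certificate's notAfter fits a signed
    32-bit time_t, False when it would wrap and trigger the misleading
    '% CA Cert not yet valid or is expired' error."""
    return not_after <= TIME_T32_MAX


def suggested_not_after(not_before: datetime, years: int = 2) -> datetime:
    """Validity end for a regenerated certificate with a `years` lifetime
    (the reply above suggests 2 years); 365-day years are an approximation."""
    return not_before + timedelta(days=365 * years)


if __name__ == "__main__":
    # Constructed sample: notBefore matches the ASA output in the thread;
    # the notAfter time of day (14:15:13) is assumed.
    not_before = datetime(2021, 6, 6, 14, 5, 13, tzinfo=timezone.utc)
    not_after = datetime(2121, 6, 6, 14, 15, 13, tzinfo=timezone.utc)
    print("wrapped notAfter:", wrap_to_signed_32bit(not_after))  # 1985-04-30 07:46:57+00:00
    print("fits ASA import:", fits_asa_import(not_after))        # False
    two_years = suggested_not_after(not_before)
    print("2-year notAfter:", two_years)                          # 2023-06-06 14:05:13+00:00
    print("fits ASA import:", fits_asa_import(two_years))         # True
```

Run it against the real notAfter of your LDAPS certificate before importing the trustpoint; any end date past January 2038 should be treated as suspect on the affected ASA releases.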
03-25-2023 02:19 PM
Hi,
Thanks for the fast response, appreciated. I thought this would be simple: we get the certificate from our Domain Controller (LDAP server) and import it into the ASA as a trustpoint, but then it threw that error when trying to install. We have an internal CA server, so can you share how you got your colleague to generate the LDAPS certificate with a shorter expiration date such as 2 years? Does that mean it would need renewal every 2 years? Btw, I'm running ASA 9.16.4 on the ASA I am testing, but would need to update my live environment ASA from 9.12.4 to 9.16.4, as we have Duo 2FA, for which they recently announced a change to secure LDAPS and their certificate work. Thank you in advance.