Importing certificate for LDAPS

lmqtechnology
Level 1

We need to import the server certificate to the ASA in order to use LDAPS for VPN authentication.  The server certificate has a creation date of 06-06-2021 but an expiration of 06-06-2121.  When I attempt to import the certificate into the ASA the creation date looks correct, but the expiration date shows 04-30-1985??

Cisco Adaptive Security Appliance Software Version 9.16(3)19

% CA Cert not yet valid or is expired -
start date: 14:05:13 UTC Jun 6 2021
end date: 07:46:57 UTC Apr 30 1985
% Error in saving certificate: status = FAIL

3 Replies

joeyx31x13
Level 1

Hi

Did you get this resolved? I have the issue as well. Thanks

Yup, it's an ASA bug whereby it cannot accept certificates that have an expiration date that is too far in the future (the error message is completely misleading).  In our case the person who generated the LDAPS certificate gave it an expiration date of 100 years in the future.  We simply got them to regenerate the certificate with a shorter expiration date such as 2 years.
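The two dates in the error above line up with a parser that keeps the certificate's notAfter as seconds since 1970 in a 32-bit field: 2^32 seconds is roughly 136 years, so a notAfter in June 2121 wraps around to April 1985. The script below is an added example, not code from this thread or from Cisco, that reproduces that wrap-around from the dates in the error and provides a pre-import check an admin can run on a certificate's validity window before loading it as a trustpoint. Two things are assumptions: that the appliance's field is an unsigned 32-bit counter, and that the real notAfter was 14:15:13 UTC Jun 6 2121 (the start time plus 100 years, plus the 10-minute notBefore backdating that Windows CAs commonly apply), which is the value the 1985 date unwraps to.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TWO_POW_32 = 2 ** 32  # seconds representable in an unsigned 32-bit time field


def utc(y, mo, d, h, mi, s):
    """Build a timezone-aware UTC datetime (helper so tests need no datetime import)."""
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


# Dates copied from the ASA error message in the thread (all UTC).
ASA_START = utc(2021, 6, 6, 14, 5, 13)
ASA_BOGUS_END = utc(1985, 4, 30, 7, 46, 57)
# Assumed real notAfter: start + 100 years + the 10-minute backdating of notBefore.
REAL_END_GUESS = utc(2121, 6, 6, 14, 15, 13)


def epoch_seconds(dt):
    """Whole seconds since 1970-01-01T00:00:00Z as a Python int (no overflow)."""
    return int((dt - EPOCH) // timedelta(seconds=1))


def as_unsigned_32bit(dt):
    """Model (assumption) of a parser that stores the date in an unsigned 32-bit field:
    anything past 2106 silently wraps back into the 1970..2106 window."""
    return EPOCH + timedelta(seconds=epoch_seconds(dt) % TWO_POW_32)


def unwrap_end_date(bogus_end, start):
    """Recover the most plausible real notAfter from a wrapped one: add 2^32 s
    until the end date is after the start date."""
    real = bogus_end
    while real < start:
        real += timedelta(seconds=TWO_POW_32)
    return real


def check_validity_window(not_before, not_after, max_years=2, signed=False):
    """Pre-import check for a certificate's validity period.
    Returns a list of findings; an empty list means the window looks safe to import.
    signed=True uses the 2038 limit of a signed 32-bit time_t instead of the
    unsigned 2106 limit."""
    findings = []
    if not_after <= not_before:
        findings.append("notAfter is not after notBefore")
    bits = 31 if signed else 32
    limit = EPOCH + timedelta(seconds=2 ** bits - 1)
    if not_after > limit:
        findings.append(
            f"notAfter {not_after:%Y-%m-%d} is past the {bits}-bit time limit "
            f"{limit:%Y-%m-%d}; a 32-bit parser would wrap it to "
            f"{as_unsigned_32bit(not_after):%Y-%m-%d}"
        )
    if not_after - not_before > timedelta(days=365.25 * max_years):
        findings.append(
            f"validity period {(not_after - not_before).days} days exceeds "
            f"the {max_years}-year policy maximum"
        )
    return findings


if __name__ == "__main__":
    # Reproduce the thread: the 1985 end date unwraps to the 2121 one.
    print("recovered notAfter:", unwrap_end_date(ASA_BOGUS_END, ASA_START))
    print("wrapped again     :", as_unsigned_32bit(REAL_END_GUESS))
    for label, end in (("100-year cert", REAL_END_GUESS),
                       ("2-year cert", ASA_START + timedelta(days=730))):
        result = check_validity_window(ASA_START, end)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run the check against the notBefore/notAfter values of any certificate before importing it; a certificate that trips the 32-bit limit will need to be reissued with a shorter lifetime, which is exactly the fix the thread arrived at.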

Hi,

Thanks for the fast response, appreciated.  I thought this would be simple: we get the certificate from our Domain Controller (LDAP server) and import it into the ASA as a trustpoint, but then it threw that error when trying to install.  We have an internal CA server, so can you share how you got your colleague to generate the LDAPS certificate with a shorter expiration date such as 2 years?  Does that mean it would need renewal every 2 years?  Btw, I'm running ASA 9.16.4 on the ASA I am testing, but would need to update my live environment ASA from 9.12.4 to 9.16.4, as we have Duo 2FA, which recently announced a change to secure LDAPS and their certificate work.  Thank you in advance.
