SSL CERT Issue CiscoASA 5510

dtsteinb (Level 1)

I did the CSR request via the command line and sent it to GoDaddy. I got the SSL cert back and I imported it via the command line. I opened the .crt in Notepad and pasted it into the command line. If I do sh crypto ca certificate cert_vpn I see two: the one which expires 7/4/2019 and the new one which expires 7/4/2020. In ASDM - Configuration - Certificate Management - Identity Certificates I see both. I thought last time I highlighted the new one and did Install. Install is not enabled at all. How do I complete the SSL cert request? When I try to assign the new cert to the outside interface it tells me something about a trustpoint (I think because ASDM_Trustpoint7 does not exist). The new cert also has two trustpoints. I have no idea how both got in. It tells me:

Associated TrustPoints

ASDM_Trustpoint7, ASDM_Trustpoint3

I have no idea where it got ASDM_Trustpoint7 from. Is there a way to remove that and leave it just ASDM_Trustpoint3?

4 Replies

Marvin Rhoads (Hall of Fame)

@dtsteinb wrote:

I did the CSR request via command line and sent it to Godaddy.  I got the SSL cert back and I imported it via the command line. 


Which command line did you use? Only if you use the ASA cli will you have the CSR signed with your ASA's private key and then have a pending certificate signing request. Otherwise you need to supply the ASA with both the private key used to sign the CSR as well as the CA-signed certificate.

I did - crypto ca enroll adsm_Trustpoint3
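The terminal-enrollment workflow Marvin is describing, end to end, as an added example (this is not from the original thread or from Cisco documentation). The trustpoint name, the key-pair label and vpn.example.com are assumptions chosen for illustration; the OP's trustpoint is named ASDM_TrustPoint3. The CSR is produced on the ASA, so the private key never leaves the box and the signed certificate imports into the same trustpoint that holds the pending request:

```cisco
! --- Added example, not from the original thread; names are assumptions ---
! 1. Key pair the CSR will be signed with (stays on the ASA)
crypto key generate rsa label vpn-key modulus 2048

! 2. Trustpoint for the identity certificate; "enrollment terminal" means
!    cut-and-paste via the CLI rather than SCEP
crypto ca trustpoint VPN_TP
 enrollment terminal
 keypair vpn-key
 subject-name CN=vpn.example.com,O=Example Org,C=US
 fqdn vpn.example.com
 exit

! 3. Generate the CSR and paste the PEM it prints into the CA's request form.
!    The request stays pending in VPN_TP until the signed cert is imported.
crypto ca enroll VPN_TP

! 4. Install the CA chain first (the intermediate that issued your cert),
!    pasting the PEM and typing "quit" on its own line when prompted
crypto ca authenticate VPN_TP

! 5. Import the signed identity certificate into the SAME trustpoint
!    that holds the pending request, again pasting PEM then "quit"
crypto ca import VPN_TP certificate

! 6. Bind the trustpoint to the interface that serves the VPN portal
ssl trust-point VPN_TP outside

! 7. Verify: identity certs print as "Certificate", CA certs as "CA Certificate";
!    the Associated Trustpoints line should name only VPN_TP
show crypto ca certificates VPN_TP
show running-config ssl
show ssl

! 8. Retiring a trustpoint that is still bound to an interface: unbind first,
!    then delete (the ASA asks for confirmation before deleting a trustpoint)
no ssl trust-point OLD_TP outside
no crypto ca trustpoint OLD_TP
```

The practitioner's check after step 6 is to connect from outside (for example with a browser or an external TLS checker) and compare the serial number and validity dates shown against the "Certificate Serial Number" and "Validity Date" lines in show crypto ca certificates; if they differ, the interface is still bound to a different trustpoint, which show running-config ssl will reveal.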

Rahul Govindan (VIP Alumni)

I think you are confused between the Identity and CA certificates. For CA certificates, you can have the same CA certificate associated with multiple trustpoints. So if you had cert1 issued by the GoDaddy CA installed on Trustpoint3, and then installed a new cert on Trustpoint7, then the GoDaddy CA is associated with both TP3 and TP7.


Paste your "show crypto ca certificate" output from the ASA after removing any names/private data if you can.

This is an Identity Cert

Here you go:

Certificate
Status: Available
Certificate Serial Number: XXXXXXa78db
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.XXXX.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-1092.crl
Validity Date:
start date: 06:12:09 EDT May 5 2019
end date: 22:25:38 EDT Jul 4 2020
Associated Trustpoints: ASDM_TrustPoint7 ASDM_TrustPoint3

Certificate
Status: Available
Certificate Serial Number: XXXXXXXXXXXXXXX9308
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.XXXX.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-842.crl
Validity Date:
start date: 09:40:14 EDT Jun 28 2018
end date: 22:25:38 EDT Jul 4 2019
Associated Trustpoints: ASDM_TrustPoint3

Again, I have no idea where ASDM_TrustPoint7 came from.

However, when I go to the site and look at the cert info it does show the correct serial number and date. In ASDM it shows both and I can't get rid of either because it tells me it is tied to the outside interface.
