Wrong domain for self signed ID Cert.

TRENT WAITE
Level 1

I am trying to generate a self signed certificate for Identity Certificates, and keep coming up with the wrong domain name. The "Issued To" and "Issued By" both refer to the incorrect domain.

In the config, the correct domain name can be found in:

domain-name 
dns server-group DefaultDNS
group-policy DefaultRAGroup attributes
group-policy DefaultRAGroup_1 attributes


However, the incorrect domain name cannot be found anywhere in the config. I have removed any and all
certificates already issued. I see no configuration whatsoever referring to any certificates, CA, Local-CA,
trustpoints, etc.

But when I go back again to create a new self signed Identity cert, I still get the OLD domain. If I go to advanced
options I can fill out the FQDN and IP. The FQDN will be ASA5510.CorrectDomain.com. But of course what will be issued
is ASA5510.NOTTHECORRECTONE.com

The domain name that is showing up is one that was first used when the device arrived and I created an initial
configuration just to get the device on a network to access. Since that time the original config has long since
been erased with a brand new config added line by line. Yet still this ghost from the original keeps showing up.
Where is it finding this?

5 Replies

Loren Kolnes
Cisco Employee

Hi Trent,

Can you tell me what version the ASA is running?

Can you also capture the following information:

show run all | inc [olddomainname]

sh run all cry ca trustpoint

Thanks

Loren

ASA Version 8.2(3)

If I run "show run all | inc icontrol.com" I get no output. If I run "show run all" and then copy over to Wordpad and run a search I get nothing in reference to old domain, but do get references for the new domain.

In the attached txt file are the results of the "show run all". The old domain name is "icontrol.com". I replaced the new domain name in the text file with "icshxxx.com", however that is the only thing that was replaced. There is no reference whatsoever to icontrol.com.

Yet after running this command, seeing no reference whatsoever, I decided to say what the heck and tried it again. Sure enough the self created Identity Cert had the domain name "icontrol.com", and not "icshxxx.com". However, if you look at the ASDM it clearly shows the Issued To and Issued By as "ASA5510.icontrol.com". But running the "sh run all cry ca trustpoint" shows nothing for Trustpoint0 in regards to the domain.

ASA5510# show run all | inc icontrol.com
ASA5510# sh run all cry ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
revocation-check none
enrollment retry period 1
enrollment retry count 0
enrollment self
no fqdn
no email

subject-name CN=ASA5510
no serial-number
no ip-address
no password
keypair CA
client-types ipsec ssl
accept-subordinates
id-cert-issuer
id-usage ssl-ipsec
no ignore-ipsec-keyusage
no ignore-ssl-keyusage
proxy-ldc-issuer
crl configure
  policy cdp
  cache-time 60
  enforcenextupdate
  protocol http
  protocol ldap
  protocol scep
ASA5510#

I did clear the ASDM cache, and restarted ASDM. It still shows "ASA5510.icontrol.com" and not "ASA5510.icshrff.com". Also, if I go to the Advanced tab and enter in the FQDN, e-mail address, and IP address, it will not be applied.
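A small audit script, added here as an example and not part of the thread or of any Cisco tooling: it parses the pasted "sh run all cry ca trustpoint" session above (embedded as a constructed sample), pulls out the fields that govern the self-signed subject (enrollment, fqdn, subject-name, keypair), and compares the CN the ASA actually issued with the FQDN expected from the configured hostname and domain-name. The assumption it encodes is that a self-enrolled trustpoint with "no fqdn" gets its subject from hostname.domain-name; a mismatch between that and the issued CN is the stale-state symptom described in the thread, and the finding points at the remedy the thread converged on (regenerate the keypair and re-enrol).

```python
"""Audit an ASA self-signed identity certificate against the running trustpoint config.

Added example, not from the thread. Assumes (not stated by Cisco here) that a
self-enrolled trustpoint with 'no fqdn' derives its subject from hostname.domain-name.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the session pasted in the thread, including the CLI prompts.
SAMPLE_TRUSTPOINT_OUTPUT = """\
ASA5510# show run all | inc icontrol.com
ASA5510# sh run all cry ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
revocation-check none
enrollment retry period 1
enrollment retry count 0
enrollment self
no fqdn
no email
subject-name CN=ASA5510
no serial-number
no ip-address
no password
keypair CA
client-types ipsec ssl
accept-subordinates
id-cert-issuer
id-usage ssl-ipsec
no ignore-ipsec-keyusage
no ignore-ssl-keyusage
proxy-ldc-issuer
crl configure
  policy cdp
  cache-time 60
  enforcenextupdate
  protocol http
  protocol ldap
  protocol scep
ASA5510#
"""

PROMPT_RE = re.compile(r"^\S+#")                       # 'ASA5510#' prompt lines
HEADER_RE = re.compile(r"^crypto ca trustpoint (\S+)$")


@dataclass
class Trustpoint:
    name: str
    fqdn: Optional[str] = None          # stays None for 'no fqdn'
    subject_name: Optional[str] = None
    keypair: Optional[str] = None
    enrollment: Optional[str] = None    # 'self', 'url ...', 'terminal'
    raw: List[str] = field(default_factory=list)


def parse_trustpoints(text: str) -> dict:
    """Parse 'show run all crypto ca trustpoint' output into {name: Trustpoint}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or PROMPT_RE.match(line):
            continue                                    # blank lines and prompts
        m = HEADER_RE.match(line)
        if m:
            current = Trustpoint(m.group(1))
            result[current.name] = current
            continue
        if current is None or line.startswith(" "):
            continue                                    # indented lines belong to 'crl configure'
        current.raw.append(line)
        words = line.split()
        if words[0] == "no":
            continue                                    # 'no fqdn', 'no email', ...: field unset
        if words[0] == "fqdn":
            current.fqdn = words[1]
        elif words[0] == "subject-name":
            current.subject_name = line.split(None, 1)[1]
        elif words[0] == "keypair":
            current.keypair = words[1]
        elif words[0] == "enrollment" and words[1] != "retry":
            current.enrollment = " ".join(words[1:])
    return result


def expected_fqdn(hostname: str, domain_name: str) -> str:
    """Subject the ASA is expected to build when no explicit fqdn is configured (assumption)."""
    return f"{hostname}.{domain_name}"


def audit_identity_cert(tp: Trustpoint, hostname: str, domain_name: str, issued_cn: str) -> List[str]:
    """Return findings comparing the issued certificate CN with the running config (empty == consistent)."""
    findings = []
    expected = expected_fqdn(hostname, domain_name)
    if tp.enrollment != "self":
        findings.append(f"{tp.name}: not self-enrolled (enrollment={tp.enrollment})")
    if tp.fqdn is None:
        findings.append(f"{tp.name}: no fqdn configured; subject derived from hostname + domain-name ({expected})")
    if issued_cn.lower() != expected.lower():
        findings.append(f"{tp.name}: issued CN '{issued_cn}' != expected '{expected}'; "
                        f"stale state, regenerate keypair '{tp.keypair}' and re-enrol")
    return findings


if __name__ == "__main__":
    tps = parse_trustpoints(SAMPLE_TRUSTPOINT_OUTPUT)
    for f in audit_identity_cert(tps["ASDM_TrustPoint0"], "ASA5510", "icshxxx.com", "ASA5510.icontrol.com"):
        print(f)
```

Run against the thread's data (hostname ASA5510, configured domain icshxxx.com, issued CN ASA5510.icontrol.com) the audit reports two findings: the trustpoint has no fqdn, and the issued CN carries the old domain even though the config no longer mentions it.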

Hi Trent,

Can you try removing then reapplying the keypair "CA" in the trustpoint configuration then try enrolling it again?

Thanks,

Loren

Thanks for your help Loren. I have the problem solved now; the solution was to reload the OS. I shut down the ASA last night, and had the CAs removed. Loaded up the ASA today, looked at the config and there was nothing relating to certs between isakmp crypto and SSH. I then used the ASDM to add a new Identity cert and it shows up with the correct domain.

I have a 5505 that had the same problem, and I did the same steps I used with this 5510. The 5505's issue was resolved when removing the CAs, certs, and Trustpoints, but I never had to reload or restart that unit. So it did not occur to me that doing this would solve the 5510's issue. Well, one less issue to worry about.

Hi Trent,

Glad to hear you got this working.

Just FYI, in my recreate, removing and reapplying the keypair resolved this.

Thanks,

Loren