Duplicate Certificate - Pending Terminal Enrollment

Meri_Christmas
Level 1

Hello Experts and All Community Members,

Our users are getting an "Untrusted server certificate" error when they attempt to use the VPN.

I'm trying to enroll a new CA certificate to replace an expired cert. This company uses the CLI only, not ASDM, and I was referred to the following doc to install the new cert:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc5

I followed it step by step, obviously replacing the info with our personalized trustpoint name, FQDN, etc. on the ASA 5508.

We then generated a .PEM file, which I opened in Notepad++ and copied/pasted into the CLI on the ASA according to the steps listed in the link above.

I received the below message:

INFO: Certificate has the following attributes:
Fingerprint: 0xxxxxx dxxxxxx xxxxxxxx xxxxxxxx
Do you accept this certificate? [yes/no]: y
Trustpoint 'UK_ANYCONNECT' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported

I then performed a check to make sure all was OK, and I saw this:


CA Certificate
Status: Available
Certificate Serial Number: 1234587891234
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.company.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-1712.crl
Validity Date:
start date: 21:04:16 UTC Feb 10 2020
end date: 21:04:16 UTC Feb 10 2022
Associated Trustpoints: ANYCONNECT
Certificate
Status: Available
Certificate Serial Number: 111122223333444 
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.company.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-406.crl
Validity Date:
start date: 14:48:00 UTC Feb 8 2017
end date: 19:31:00 UTC Feb 7 2020
Associated Trustpoints: ANYCONNECT

So I removed the trustpoint from the expired cert entry. I checked it again, and the trustpoint info was removed from the expired cert.

I removed the new certificate entry and re-enrolled it, and got the same problem. I then checked the status of the certificate and received this:


Certificate
Subject Name:
Name: vpn.company.com
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint: fxxxxxxx 3xxxxxxx 3xxxxxxx cxxxxxxx
Associated Trustpoint: ANYCONNECT

Still getting the "Untrusted server certificate" error.

Not sure what to do at this point, and I cannot use the ASDM interface, only the CLI.


Can someone please help or give me direction?

 

Thanks in Advance!
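A check a practitioner would run on the .PEM file before pasting anything into the ASA, added here as an example; it is not part of the original post or of the linked Cisco document. It splits a PEM bundle into its certificates and, using only the Python standard library, reports for each one whether it carries the basicConstraints cA flag (a CA or intermediate certificate, which belongs in the `crypto ca authenticate` step), whether its subject CN is the VPN FQDN (the identity certificate, which belongs in `crypto ca import <TRUSTPOINT> certificate`), and whether it has already expired. The output quoted in the post shows a "CA Certificate" entry whose Subject Name is cn=vpn.company.com, which is the kind of mix-up this check surfaces before the paste. The sample certificates are constructed, unsigned DER built inline so the script runs offline; the GoDaddy and vpn.company.com names and dates are taken from the post for readability only, and `<TRUSTPOINT>` is a placeholder for your own trustpoint name.

```python
import base64
import re
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")                 # 2.5.4.3   commonName
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19 basicConstraints
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
# Which ASA CLI step each kind of certificate belongs to (use your own trustpoint name)
ASA_STEP = {"ca": "crypto ca authenticate <TRUSTPOINT>",
            "identity": "crypto ca import <TRUSTPOINT> certificate",
            "other-leaf": "do not paste: end-entity cert for a different name"}

# ---- minimal DER reader (single-byte tags, as used throughout X.509) ----
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):                         # content of a SEQUENCE/SET -> [(tag, value)]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def name_cn(name):
    """commonName from a Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == OID_CN:
                return val[1].decode()
    return None
def parse_time(tag, val):                        # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def has_ca_flag(tbs_fields):
    """cA=TRUE in basicConstraints inside the [3] EXPLICIT extensions block?"""
    for tag, val in tbs_fields[6:]:
        if tag != 0xA3:
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            parts = der_children(ext)             # OID, [critical BOOLEAN], OCTET STRING
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                bc = der_children(der_children(parts[-1][1])[0][1])
                return any(t == 0x01 and v == b"\xff" for t, v in bc)
    return False
def parse_cert(der_bytes):
    _, cert, _ = der_read(der_bytes)
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # skip [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = der_children(fields[3][1])
    return {"issuer_cn": name_cn(fields[2][1]), "subject_cn": name_cn(fields[4][1]),
            "not_before": parse_time(*not_before), "not_after": parse_time(*not_after),
            "is_ca": has_ca_flag(fields)}

def classify(pem_text, expected_fqdn, now):
    """One dict per PEM block: role, the ASA step it belongs to, and expiry status."""
    rows = []
    for b64 in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S):
        c = parse_cert(base64.b64decode("".join(b64.split())))
        c["role"] = "ca" if c["is_ca"] else ("identity" if c["subject_cn"] == expected_fqdn else "other-leaf")
        c["expired"] = c["not_after"] < now
        c["asa_step"] = ASA_STEP[c["role"]]
        rows.append(c)
    return rows

# ---- constructed, unsigned sample certificates (not real GoDaddy certs) ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def sample_cert(subject, issuer, start, end, ca=False):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    sig, exts = der(0x30, der(0x06, OID_SHA256_RSA)), b""
    if ca:
        bc = der(0x30, der(0x01, b"\xff"))        # BasicConstraints { cA TRUE }
        exts = der(0xA3, der(0x30, der(0x30, der(0x06, OID_BASIC_CONSTRAINTS) + der(0x04, bc))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig + name(issuer)
              + der(0x30, der(0x17, start.encode()) + der(0x17, end.encode()))
              + name(subject) + der(0x30, b"") + exts)   # empty SPKI, dummy signature below
    body = base64.encodebytes(der(0x30, tbs + sig + der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

INTERMEDIATE = "Go Daddy Secure Certificate Authority - G2"
SAMPLE_NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)   # fixed "today" so the demo is deterministic
def demo():
    # A bundle like the post's: intermediate CA, current server cert, expired server cert
    bundle = (sample_cert(INTERMEDIATE, "Go Daddy Root Certificate Authority - G2", "110101000000Z", "310101000000Z", ca=True)
              + sample_cert("vpn.company.com", INTERMEDIATE, "200210210416Z", "220210210416Z")
              + sample_cert("vpn.company.com", INTERMEDIATE, "170208144800Z", "200207193100Z"))
    return classify(bundle, "vpn.company.com", SAMPLE_NOW)
```

Run `classify(open("bundle.pem").read(), "vpn.company.com", datetime.now(timezone.utc))` against the real .PEM file: only the rows whose role is `ca` go into `crypto ca authenticate`, and only the unexpired row whose role is `identity` goes into `crypto ca import <TRUSTPOINT> certificate`; a trustpoint that has only been authenticated and never had its identity certificate imported is what the ASA reports as "Pending terminal enrollment" (the output in the post has the shape of `show crypto ca certificates`). The sample is deliberately unsigned, so this script checks which certificate is which and whether it is in date, not whether the chain verifies; that check is the ASA's job at import time.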
