
CISCO ASA Certificate Install

blake.macisaac1
Level 1

Hello Community, 

Please forgive me if this is the incorrect spot to be posting this, I'm still working on my navigation skills within the support portal.

Anyway, I'm looking for some help in setting up our newly bought GoDaddy SSL certificate on our Cisco ASA. I've gone through the motions, I believe, but would really look for assistance with what is going wrong. All of our VPN clients are still receiving "Untrusted" errors and receiving the Temporary Assigned Certificate from the ASA instead of the new public one installed. Can someone please provide some direction on the best way to set up the certificates?

Thanks


Blake


3 Replies

jj27
Spotlight

I assume you went through the motions to create the CSR from the ASA and associate it with a trustpoint. If you installed the signed certificate to the trustpoint, it is ready for use, but you must assign it to the outside interface.

For example, if your trustpoint name is GoDaddy_Cert and your outside interface is named "outside":

ASA# show run trustpoint
crypto ca trustpoint GoDaddy_Cert
keypair GoDaddy_Cert
crl configure

Now set your SSL trust point to use it:

ssl trust-point GoDaddy_Cert outside

Hello jj, 

Thanks for the reply.

I'm at my wits end with this :( 

I've created the identity and CA certs and have them installed, and set the outside interface, as well for VPN clients I set the cert to use. Users are still getting the self-signed temp cert, and the prompt that the source is not trusted. I just don't get it. Unless I built my cert wrong

Any other ideas?

Hey Blake,

maybe you're running into an issue mentioned in the ASA release notes for version 9.4:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html

(check the important notes in the beginning)

Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:
ssl cipher tlsv1.2 custom
"AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

b.reg.

Norbert
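The two answers above cover the two usual causes of this symptom: the signed trustpoint is not bound to the interface with `ssl trust-point` (jj27), or the `ssl cipher` list still allows ECDSA-authenticated suites, so an EC-capable AnyConnect client is shown the ASA's self-signed EC certificate instead of the RSA one (Norbert, quoting the 9.4 release notes). The following script is an added example, not code from this thread or from Cisco; it lints a constructed `show run` excerpt for both conditions, and also flags the RC4 and DES suites in the quoted cipher list, which are legacy suites a practitioner would drop from a custom list today. The config text, trustpoint name and interface name are constructed for illustration.

```python
"""Lint an ASA running-config excerpt for the two causes discussed above:
(1) no `ssl trust-point <name> <interface>` binding the signed trustpoint;
(2) an `ssl cipher ... custom` list that still permits ECDSA-authenticated
    suites, so EC-capable clients are shown the self-signed EC certificate.
Suite names follow the OpenSSL naming convention that the ASA command uses."""
import re

# Constructed sample config excerpt (hypothetical trustpoint and cipher list).
SAMPLE_CONFIG = """\
crypto ca trustpoint GoDaddy_Cert
 keypair GoDaddy_Cert
 crl configure
ssl trust-point GoDaddy_Cert outside
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:RC4-SHA"
"""

# Substrings that identify suites no current deployment should offer.
LEGACY_MARKERS = ("RC4", "DES-CBC", "MD5", "NULL", "EXPORT")


def auth_algorithm(suite: str) -> str:
    """Return the certificate type a suite authenticates the server with.

    In OpenSSL names, 'ECDSA' or 'DSS' in the name selects that key type; every
    other suite (AES256-SHA, DHE-RSA-*, ECDHE-RSA-*, ...) uses the RSA key.
    """
    if "ECDSA" in suite:
        return "ECDSA"
    if "DSS" in suite:
        return "DSA"
    return "RSA"


def parse_config(text: str):
    """Extract defined trustpoints, ssl trust-point bindings and the custom cipher list."""
    trustpoints = set(re.findall(r"^crypto ca trustpoint (\S+)", text, re.M))
    bindings = {}
    for tp, iface in re.findall(r"^ssl trust-point (\S+)(?: (\S+))?", text, re.M):
        bindings[iface or "*"] = tp          # bare 'ssl trust-point X' is the default
    m = re.search(r'^ssl cipher (\S+) custom "([^"]+)"', text, re.M)
    ciphers = m.group(2).split(":") if m else []
    return trustpoints, bindings, ciphers


def lint(text: str, interface: str = "outside"):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    trustpoints, bindings, ciphers = parse_config(text)
    findings = []

    tp = bindings.get(interface, bindings.get("*"))
    if tp is None:
        findings.append("no 'ssl trust-point <name> %s': the ASA presents its "
                        "self-signed certificate on that interface" % interface)
    elif tp not in trustpoints:
        findings.append("ssl trust-point references '%s', which is not a defined "
                        "crypto ca trustpoint" % tp)

    if not ciphers:
        findings.append("no custom ssl cipher list: the default list includes ECDSA "
                        "suites, so EC-capable clients may be shown the EC certificate")
    ecdsa = [c for c in ciphers if auth_algorithm(c) == "ECDSA"]
    if ecdsa:
        findings.append("ECDSA-authenticated suites still enabled: " + ", ".join(ecdsa))
    legacy = [c for c in ciphers if any(mark in c for mark in LEGACY_MARKERS)]
    if legacy:
        findings.append("legacy suites enabled (RC4/DES/MD5): " + ", ".join(legacy))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

Run it against the output of `show run` pasted into a file to see which of the two conditions applies; the cipher-list check is what the quoted release note fixes, since every suite in the `ssl cipher tlsv1.2 custom` list there classifies as RSA-authenticated.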
