02-17-2016 09:35 PM
Hi!
I have followed this configuration guide https://supportforums.cisco.com/document/44116/asa-self-signed-certificate-webvpn
Only changed fqdn and CN. When connecting to the VPN I constantly get the SSL certificate warning. I know this is because the certificate issuer is not known. The thing is that even after installing the certificate in the Trusted Root CAs (user and machine), every time I try to connect it still shows the annoying message.
I finally added
id-usage ssl-ipsec
revocation-check crl none
and still nothing, the message still appears. ASA is v9.1
What could this be?
Thank you
02-17-2016 10:12 PM
If you have the certificate installed in the Trusted Root CA and somewhere else, then it seems to become untrusted again.
Try deleting every copy in the certificate store, and then only importing it into the machine trusted root CA store.
02-18-2016 06:55 AM
I tried that with no luck.
The error basically means that the site I'm trying to connect to does not have the same name as the certificate. This is true, as I'm trying to connect to the 98.xx.xx.xx:XXX public address and the self-signed certificate is issued to vpn.[company].org.
How can I make this certificate present the IP address in some field?
I tried the hosts file trick and it works: I manually added the host and its IP and have no problem, but this seems rather intrusive. Also, what would happen if another program edits the hosts file (as AnyConnect does) and everything breaks?
Regards
02-18-2016 10:16 AM
You can't connect to an IP address and not get a certificate error. The certificate validates that the FQDN matches what has been typed in.
Can you not just get a DNS entry added?
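For reference, here is the name check a TLS client performs once the issuer chain validates, as an added illustration; it is not code from the thread or from Cisco. It uses placeholder names (vpn.example.org, 198.51.100.10, 2001:db8::1) in place of the poster's real FQDN and address, and the two sample "certificates" are constructed dicts standing in for the SAN and CN of a real X.509 certificate. It shows why typing the public IP fails against a certificate that only carries a CN, why the hosts-file trick works (the client compares against the typed name, not the resolved address), and what an iPAddress SAN entry changes.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates (placeholders, not the thread's real cert or IP).
# CERT_CN_ONLY models the poster's self-signed cert: a CN and no SAN extension.
# CERT_WITH_SAN models a cert that also carries dNSName and iPAddress SAN entries.
CERT_CN_ONLY = {"cn": "vpn.example.org", "san": []}
CERT_WITH_SAN = {
    "cn": "vpn.example.org",
    "san": [("DNS", "vpn.example.org"), ("IP", "198.51.100.10")],
}


def target_host(url_or_host):
    """Extract the host the user typed: 'https://198.51.100.10:8443' -> '198.51.100.10'."""
    if "://" not in url_or_host:
        url_or_host = "https://" + url_or_host
    host = urlsplit(url_or_host).hostname  # strips port and IPv6 brackets, lowercases
    if not host:
        raise ValueError(f"no host in {url_or_host!r}")
    return host


def dns_name_matches(pattern, host):
    """RFC 6125-style dNSName match: exact, or one wildcard as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard covers exactly one label and needs at least two labels to its
    # right, so '*.org' never matches 'example.org' and '*.example.org' never
    # matches 'a.b.example.org'.
    return (
        len(p_labels) >= 3
        and len(p_labels) == len(h_labels)
        and p_labels[1:] == h_labels[1:]
    )


def cert_matches_target(cert, typed):
    """Decide whether `cert` is valid for what the user typed.

    Returns (ok, reason). An IP literal is compared only against iPAddress SAN
    entries; a hostname against dNSName SAN entries; the CN is consulted only as
    a legacy fallback when the certificate carries no dNSName SAN at all.
    """
    host = target_host(typed)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in cert["san"]:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value} matches {ip}"
        return False, f"no iPAddress SAN for {ip}; the CN is never used for IP literals"

    dns_entries = [value for kind, value in cert["san"] if kind == "DNS"]
    for value in dns_entries:
        if dns_name_matches(value, host):
            return True, f"dNSName SAN {value} matches {host}"
    if dns_entries:
        return False, f"no dNSName SAN matches {host}"
    if dns_name_matches(cert["cn"], host):
        return True, f"CN {cert['cn']} matches {host} (legacy fallback, no SAN present)"
    return False, f"CN {cert['cn']} does not match {host}"


if __name__ == "__main__":
    # The thread's situation: IP typed, CN-only certificate -> name mismatch.
    print(cert_matches_target(CERT_CN_ONLY, "https://198.51.100.10:8443"))
    # The hosts-file trick: the client checks the typed name, not what it resolved to.
    print(cert_matches_target(CERT_CN_ONLY, "vpn.example.org"))
    # What the second post asks for: the address carried in an iPAddress SAN entry.
    print(cert_matches_target(CERT_WITH_SAN, "198.51.100.10"))
```

The practical consequence is that a DNS entry, as the last reply suggests, is the clean fix: the typed name then matches the dNSName (or CN) without touching any client. The alternative is to regenerate the self-signed certificate with the public address in an iPAddress SAN entry; on the ASA that would mean adding the address to the trustpoint alongside `fqdn` before re-enrolling, if I recall the trustpoint `ip-address` command correctly, and re-importing the new certificate into the client's trusted root store.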