cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
131
Views
0
Helpful
6
Replies
Beginner

Duplicate Cert Entries - Pending Terminal Enrollment

Hello Experts and All Community Members

 

Our users are getting an 'Untrusted server certificate" error when they attempt to use the vpn.

 

I'm trying to enroll a new ca certificate to replace an expired cert. This company uses CLI only not ASDM and I was referred to the following doc to install the new cert

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc5

 

I followed it step by step obviously replacing the info with our personalized trust point name, fqdn, etc on the ASA 5508

We then generated a .PEM file which I opened in Notepad++ and did a copy/paste in the cli on the asa according to the steps listed in the link above.

 

I received the below message:

 

INFO: Certificate has the following attributes:
Fingerprint: 0xxxxxx dxxxxxx xxxxxxxx xxxxxxxx
Do you accept this certificate? [yes/no]: y

Trustpoint 'UK_ANYCONNECT' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.

% Certificate successfully imported

 

I then performed a check to make sure all was ok and I saw this

 

CA Certificate
Status: Available
Certificate Serial Number: 1234587891234
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.company.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-1712.crl
Validity Date:
start date: 21:04:16 UTC Feb 10 2020
end date: 21:04:16 UTC Feb 10 2022
Associated Trustpoints: ANYCONNECT

 

Certificate
Status: Available
Certificate Serial Number: 111122223333444 
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.company.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-406.crl
Validity Date:
start date: 14:48:00 UTC Feb 8 2017
end date: 19:31:00 UTC Feb 7 2020
Associated Trustpoints: ANYCONNECT

 

So I removed the trust point from the expired cert entry. Check it again and the trust point info was removed from the expired cert.

 

I removed the new certificate entry and re-enrolled it and got the same problem. I then checked the status of the certificate and received this:

 

Certificate
Subject Name:
Name: vpn.company.com
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint: fxxxxxxx 3xxxxxxx 3xxxxxxx cxxxxxxx
Associated Trustpoint: ANYCONNECT

 

Still getting Untrust server cert error.

 

Not sure what to do at this point and I cannot use the ASDM interface only CLI.

 

Can someone please help or give me direction?

 

Thanks in Advance!

 

6 REPLIES 6
Highlighted
RJI Advisor
Advisor

Re: Duplicate Cert Entries - Pending Terminal Enrollment

Hi,
So you run the command "crypto ca enroll ANYCONNECT" which displayed the output on the terminal window...but did you then import the signed identity certificate "crypto ca import ANYCONNECT certificate"?
Highlighted
Beginner

Re: Duplicate Cert Entries - Pending Terminal Enrollment

Yes well this is what I did

 

(entered)

5508ASA (config)# crypto ca authenticate ANYCONNECT

enter the base 64 encoded CA certificate

End with the word "quit" on the line by itself

 

Then I pasted the cert from Notepad++

------BEGIN CERTIFICATE-----

cert encrypted info

---END CERTIFICATE---

quit

I received the response

 

INFO: Certificate has the following attributes:
Fingerprint: 0xxxxxxx dxxxxxxx ssssssss xxxxxxxx
Do you accept this certificate? [yes/no]: y

Trustpoint 'ANYCONNECT' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.

% Certificate successfully imported

 

 

Highlighted
RJI Advisor
Advisor

Re: Duplicate Cert Entries - Pending Terminal Enrollment

Ok, the command "crypto ca authenticate <TRUSTPOINT NAME>" only imports the root certificate, not the identity certificate. Have you actually created a CSR and sent this off to the Public CA to sign?
Highlighted
Beginner

Re: Duplicate Cert Entries - Pending Terminal Enrollment

I didn't do it but it was done by another tech member who is responsible for creating the csr and getting it to the public ca. After that was done the tech sent me the signed cert as a .PEM file which I opened and copied/pasted into the cli of the asa when requested.

 

I hope I answered this correctly. I'm new to certificates so apologies if this is not what you were looking for.

Highlighted
RJI Advisor
Advisor

Re: Duplicate Cert Entries - Pending Terminal Enrollment

Ok, run the command "crypto ca import ANYCONNECT certificate" and paste the contents of the PEM file. If you do that and it still doesnt work, provide the full output of "show crypto ca certificates"
Highlighted
Beginner

Re: Duplicate Cert Entries - Pending Terminal Enrollment

Thank you that's what I didn't do and I used the same trust point for both the ca cert and the identity cert. I am new at this. Also I had to link the cert to the outside interface.

Working now!

 

Thanks so much!

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here