Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1713
Views
0
Helpful
6
Replies

Duplicate Cert Entries - Pending Terminal Enrollment

Meri_Christmas
Level 1
Level 1

‎02-12-2020 09:18 AM

Hello Experts and All Community Members

 

Our users are getting an 'Untrusted server certificate" error when they attempt to use the vpn.

 

I'm trying to enroll a new ca certificate to replace an expired cert. This company uses CLI only not ASDM and I was referred to the following doc to install the new cert

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc5

 

I followed it step by step obviously replacing the info with our personalized trust point name, fqdn, etc on the ASA 5508

We then generated a .PEM file which I opened in Notepad++ and did a copy/paste in the cli on the asa according to the steps listed in the link above.

 

I received the below message:

 

INFO: Certificate has the following attributes:
Fingerprint: 0xxxxxx dxxxxxx xxxxxxxx xxxxxxxx
Do you accept this certificate? [yes/no]: y

Trustpoint 'UK_ANYCONNECT' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.

% Certificate successfully imported

 

I then performed a check to make sure all was ok and I saw this

 

CA Certificate
Status: Available
Certificate Serial Number: 1234587891234
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.company.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-1712.crl
Validity Date:
start date: 21:04:16 UTC Feb 10 2020
end date: 21:04:16 UTC Feb 10 2022
Associated Trustpoints: ANYCONNECT

 

Certificate
Status: Available
Certificate Serial Number: 111122223333444 
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.company.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-406.crl
Validity Date:
start date: 14:48:00 UTC Feb 8 2017
end date: 19:31:00 UTC Feb 7 2020
Associated Trustpoints: ANYCONNECT

 

So I removed the trust point from the expired cert entry. Check it again and the trust point info was removed from the expired cert.

 

I removed the new certificate entry and re-enrolled it and got the same problem. I then checked the status of the certificate and received this:

 

Certificate
Subject Name:
Name: vpn.company.com
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint: fxxxxxxx 3xxxxxxx 3xxxxxxx cxxxxxxx
Associated Trustpoint: ANYCONNECT

 

Still getting Untrust server cert error.

 

Not sure what to do at this point and I cannot use the ASDM interface only CLI.

 

Can someone please help or give me direction?

 

Thanks in Advance!

 

Labels:
0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎02-12-2020 09:34 AM

Hi,
So you run the command "crypto ca enroll ANYCONNECT" which displayed the output on the terminal window...but did you then import the signed identity certificate "crypto ca import ANYCONNECT certificate"?
0 Helpful

Meri_Christmas
Level 1
Level 1
In response to Rob Ingram

‎02-12-2020 09:57 AM - edited ‎02-12-2020 09:59 AM

Yes well this is what I did

 

(entered)

5508ASA (config)# crypto ca authenticate ANYCONNECT

enter the base 64 encoded CA certificate

End with the word "quit" on the line by itself

 

Then I pasted the cert from Notepad++

------BEGIN CERTIFICATE-----

cert encrypted info

---END CERTIFICATE---

quit

I received the response

 

INFO: Certificate has the following attributes:
Fingerprint: 0xxxxxxx dxxxxxxx ssssssss xxxxxxxx
Do you accept this certificate? [yes/no]: y

Trustpoint 'ANYCONNECT' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.

% Certificate successfully imported

 

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Meri_Christmas

‎02-12-2020 10:02 AM

Ok, the command "crypto ca authenticate <TRUSTPOINT NAME>" only imports the root certificate, not the identity certificate. Have you actually created a CSR and sent this off to the Public CA to sign?
0 Helpful

Meri_Christmas
Level 1
Level 1
In response to Rob Ingram

‎02-12-2020 10:19 AM

I didn't do it but it was done by another tech member who is responsible for creating the csr and getting it to the public ca. After that was done the tech sent me the signed cert as a .PEM file which I opened and copied/pasted into the cli of the asa when requested.

 

I hope I answered this correctly. I'm new to certificates so apologies if this is not what you were looking for.

0 Helpful

Rob Ingram
VIP
VIP
In response to Meri_Christmas

‎02-12-2020 10:33 AM

Ok, run the command "crypto ca import ANYCONNECT certificate" and paste the contents of the PEM file. If you do that and it still doesnt work, provide the full output of "show crypto ca certificates"
0 Helpful

Meri_Christmas
Level 1
Level 1
In response to Rob Ingram

‎02-14-2020 11:18 AM

Thank you that's what I didn't do and I used the same trust point for both the ca cert and the identity cert. I am new at this. Also I had to link the cert to the outside interface.

Working now!

 

Thanks so much!

0 Helpful
Customers Also Viewed These Support Documents