cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3907
Views
20
Helpful
7
Replies

GoDaddy Cert installed for AnyConnect but some clients get self-signed from ASA instead?

Jacob Gibb
Level 1
Level 1

ASA 5506 running 9.4(1)1 with a GoDaddy SHA-256 certificate installed with a key size of 2048. I install the root and secure from GoDaddy along with the identity cert in respective trustpoints and all seems well. I connect to the https:// interface from a remote client using IE 9 and I get the cert as expected. I connect from the same client using Chrome 44 and I get the self-signed cert instead?! TLS 1-1.2 is supported. Config below.

crypto ca trustpoint sslvpn.g3networks.net
 enrollment terminal
 fqdn vpn.g3networks.net
 subject-name CN=sslvpn.g3networks.net,OU=IT,C=US,St=TN
 keypair RSA2048
 crl configure
crypto ca trustpoint GoDaddyRoot
 enrollment terminal
 crl configure
crypto ca trustpoint GoDaddyG2
 enrollment terminal
 crl configure

ssl trust-point sslvpn.g3networks.net outside

g3asa5506(config)# sh cry ca certificates 
Certificate
  Status: Available
  Certificate Serial Number: 00c60f5cc9c30be998
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name: 
    cn=Go Daddy Secure Certificate Authority - G2
    ou=http://certs.godaddy.com/repository/
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  Subject Name:
    cn=sslvpn.g3networks.net
    ou=Domain Control Validated
  OCSP AIA: 
    URL: http://ocsp.godaddy.com/
  CRL Distribution Points: 
    [1]  http://crl.godaddy.com/gdig2s1-87.crl
  Validity Date: 
    start date: 17:46:38 CDT Jun 21 2015
    end   date: 17:58:35 CDT Jul 3 2017
  Associated Trustpoints: sslvpn.g3networks.net 

CA Certificate
  Status: Available
  Certificate Serial Number: 1be715
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name: 
    ou=Go Daddy Class 2 Certification Authority
    o=The Go Daddy Group\, Inc.
    c=US
  Subject Name: 
    cn=Go Daddy Root Certificate Authority - G2
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  OCSP AIA: 
    URL: http://ocsp.godaddy.com/
  CRL Distribution Points: 
    [1]  http://crl.godaddy.com/gdroot.crl
  Validity Date: 
    start date: 01:00:00 CST Jan 1 2014
    end   date: 02:00:00 CDT May 30 2031
  Associated Trustpoints: GoDaddyG2 
              
CA Certificate
  Status: Available
  Certificate Serial Number: 07
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name: 
    cn=Go Daddy Root Certificate Authority - G2
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  Subject Name: 
    cn=Go Daddy Secure Certificate Authority - G2
    ou=http://certs.godaddy.com/repository/
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  OCSP AIA: 
    URL: http://ocsp.godaddy.com/
  CRL Distribution Points: 
    [1]  http://crl.godaddy.com/gdroot-g2.crl
  Validity Date: 
    start date: 02:00:00 CDT May 3 2011
    end   date: 02:00:00 CDT May 3 2031
  Associated Trustpoints: GoDaddyRoot 

 

g3asa5506(config)#  sh ssl 
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
  Self-signed (RSA 2048 bits RSA-SHA256) certificate available
  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
  Interface outside: sslvpn.g3networks.net (RSA 2048 bits RSA-SHA256)

Certificate authentication is not enabled
g3asa5506(config)# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point sslvpn.g3networks.net outside
ssl certificate-authentication fca-timeout 2
g3asa5506(config)# 

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

Hi Jake,

I see the same self-signed certificate for that ASA using IE, Chrome, Firefox and AnyConnect itself.

Did you perhaps create the self-signed certificate first using the FQDN etc.?

Have a look at "show crypto ca trustpoints" - it may be informative.

 

There's the rub. From the output below I see 'Not authenticated' but I'm not sure why.

g3asa5506# sh cry ca trustpoints 

Trustpoint sslvpn.g3networks.net:
    Not authenticated.


Trustpoint GoDaddyRoot:
    Subject Name: 
    cn=Go Daddy Secure Certificate Authority - G2
    ou=http://certs.godaddy.com/repository/
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
          Serial Number: 07
    Certificate configured.


Trustpoint GoDaddyG2:
    Subject Name: 
    cn=Go Daddy Root Certificate Authority - G2
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
          Serial Number: 1be715
    Certificate configured.

g3asa5506#  

So I ended up creating a TAC case and they stated the following when using certs in 9.4 and TLS

For version 9.4.(x) we have the following information:

  • Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:

That said I issued the command below and was able to resolve the issue.

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

Oh - you were hitting that one. A couple of folks have come across that.

It's mentioned in the release notes but is a pretty goofy default behavior from Cisco. Never before has an a new ASA release messed up certificates like 9.4(1) has.

Thanks for updating the thread with your resolution. +5. :)

I experienced this last night after updating my anyconnect license on the ASA.  So glad you already found the solution.  Saved me from myself today.  Thanks for sharing!

This solution also helped me. Thanks!

I used this solution for Digicert wildcard Certificate.

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: