05-29-2012 12:09 PM
I'm using a Cisco Adaptive Security Appliance Software Version 8.4(2), Device Manager Version 6.4(5)206 as my VPN concentrator and recently added a new SSL cert:
vpnbos01# sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 0236d0
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=GeoTrust Global CA
o=GeoTrust Inc.
c=US
Subject Name:
cn=GeoTrust SSL CA
o=GeoTrust\, Inc.
c=US
OCSP AIA:
CRL Distribution Points:
[1] http://crl.geotrust.com/crls/gtglobal.crl
Validity Date:
start date: 17:39:26 EST Feb 19 2010
end date: 17:39:26 EST Feb 18 2020
Associated Trustpoints: BTCI_TrustPoint_2012
Certificate
Status: Available
Certificate Serial Number: 12f52c
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
ou=Equifax Secure Certificate Authority
o=Equifax
c=US
Subject Name:
cn=*.btci.com
ou=Domain Control Validated - QuickSSL(R)
o=BT Conferencing Inc.
l=Quincy
st=Massachusetts
c=US
serialNumber=kPCu1C/bzEUv7gNfS/lWYWrrhHqgPLPV
CRL Distribution Points:
[1] http://crl.geotrust.com/crls/secureca.crl
Validity Date:
start date: 11:01:22 EDT May 19 2010
end date: 14:48:12 EDT May 21 2012
Associated Trustpoints: BTCI_TrustPoint
vpnbos01# sh run ssl
ssl trust-point BTCI_TrustPoint_2012 outside
However, when connecting to VPN via the AnyConnect (Windows) client, at connection it will pop up a window that the device has an expired cert and show the details of the 2nd cert in the config above, despite only the newer cert displaying in the sh run ssl command. The new cert was updated via ASDM via the steps provided in http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml. Is there something else missing from this doc or a step missed?
05-29-2012 08:47 PM
Your SSL is pointing to "BTCI_TrustPoint_2012" trustpoint which only contains the CA Root certificate, no identity certificate.
Your other trustpoint "BTCI_TrustPoint" only contains an identity certificate; however, there is no CA Root certificate associated with it. You would also need to import the CA certificate from Equifax into trustpoint BTCI_TrustPoint, and point the ssl trust-point on the outside interface to "BTCI_TrustPoint" instead.
05-30-2012 10:11 AM
My apologies, Jen, but I did omit some output in the sh crypto ca certificates. Here is the complete output that may/may not contain the info you say is missing:
vpnbos01# sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 0236d0
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=GeoTrust Global CA
o=GeoTrust Inc.
c=US
Subject Name:
cn=GeoTrust SSL CA
o=GeoTrust\, Inc.
c=US
OCSP AIA:
URL: http://ocsp.geotrust.com
CRL Distribution Points:
[1] http://crl.geotrust.com/crls/gtglobal.crl
Validity Date:
start date: 17:39:26 EST Feb 19 2010
end date: 17:39:26 EST Feb 18 2020
Associated Trustpoints: BTCI_TrustPoint_2012
Certificate
Status: Available
Certificate Serial Number: 015e60
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=GeoTrust SSL CA
o=GeoTrust\, Inc.
c=US
Subject Name:
cn=*.btci.com
ou=Domain Control Validated - QuickSSL(R)
o=BT Conferencing Inc.
l=Quincy
st=Massachusetts
c=US
serialNumber=I9JFRa3CZd2YMGj8MQrv0KU19gn/bXyj
CRL Distribution Points:
[1] http://gtssl-crl.geotrust.com/crls/gtssl.crl
Validity Date:
start date: 09:30:13 EDT Apr 23 2012
end date: 22:39:47 EDT Jun 24 2014
Associated Trustpoints: BTCI_TrustPoint_2012
CA Certificate
Status: Available
Certificate Serial Number: 35def4cf
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
ou=Equifax Secure Certificate Authority
o=Equifax
c=US
Subject Name:
ou=Equifax Secure Certificate Authority
o=Equifax
c=US
CRL Distribution Points:
[1] cn=CRL1,ou=Equifax Secure Certificate Authority,o=Equifax,c=US
Validity Date:
start date: 12:41:51 EDT Aug 22 1998
end date: 12:41:51 EDT Aug 22 2018
Associated Trustpoints: Equifax
CA Certificate
Status: Available
Certificate Serial Number: 01a5
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: MD5 with RSA Encryption
Issuer Name:
cn=GTE CyberTrust Global Root
ou=GTE CyberTrust Solutions\, Inc.
o=GTE Corporation
c=US
Subject Name:
cn=GTE CyberTrust Global Root
ou=GTE CyberTrust Solutions\, Inc.
o=GTE Corporation
c=US
Validity Date:
start date: 20:29:00 EDT Aug 12 1998
end date: 19:59:00 EDT Aug 13 2018
Associated Trustpoints: CA_Bundle
Certificate
Status: Available
Certificate Serial Number: 12f52c
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
ou=Equifax Secure Certificate Authority
o=Equifax
c=US
Subject Name:
cn=*.btci.com
ou=Domain Control Validated - QuickSSL(R)
o=BT Conferencing Inc.
l=Quincy
st=Massachusetts
c=US
serialNumber=kPCu1C/bzEUv7gNfS/lWYWrrhHqgPLPV
CRL Distribution Points:
[1] http://crl.geotrust.com/crls/secureca.crl
Validity Date:
start date: 11:01:22 EDT May 19 2010
end date: 14:48:12 EDT May 21 2012
Associated Trustpoints: BTCI_TrustPoint
05-30-2012 02:33 PM
You are right. The certificate chain looks correct to me too.
Can you test it from a different computer to see if it differs? Or if you can advise me the URL, I can test to see if I get the same expired certificate.
05-30-2012 03:39 PM
The URL is uvpn1.btci.com
Thank you,
Scott Cook
Technical Services Professional
BT Conferencing
05-30-2012 06:40 PM
Hmmm, I can't even connect. Do you happen to use a different port for SSL VPN?
05-31-2012 12:45 PM
I was able to confirm one of my colleagues also gets the same error. We're not sure what "order" of certs the ASA uses if you have more than one, but if we look in ASDM / Configuration / Device Management / Certificate Management / Identity Certificates, both are listed with the older expired one listed first. We tried to delete the one cert to see if that was the issue, but ASDM won't let us because it's in use. I assume that means users are connected with it? Any other way to force it out to see if that's the issue?
Thank you,
Scott Cook
Technical Services Professional
BT Conferencing
05-31-2012 06:07 PM
It should really use the one that you assign on the outside interface via the ssl trustpoint command, which is "BTCI_TrustPoint_2012" as per your configuration.
My suspicion is that because they use very similar names, i.e. your new one just has "_2012" added, maybe there is a software bug that thought they are the same --> just my suspicion.
Can you try to create a new trustpoint with a completely different name, re-upload the cert again in this new trustpoint, and assign it to the outside interface?
09-09-2015 09:20 AM
Hope you got your issue figured out. For me it was due to a config line forcing the old certificate. Even though the web URL had the correct certificate, when I connected with the AnyConnect client it would show it expired.
I found the following key in my config was still pushing the old cert and would not even let me delete it out.
Culprit line causing me the Cert errors on the AnyConnect Client.
crypto ikev2 remote-access trustpoint Godaddy
Replaced with new Cert name
crypto ikev2 remote-access trustpoint AnyConnect-GoDaddy
I was then able to delete the Certificate out and the AnyConnect errors disappeared.
Again, hope this helps you or maybe someone else with this issue.
Raul
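The two diagnoses in this thread, Jen's (the selected trustpoint lacks an identity or CA certificate) and Raul's (another remote-access config line still selects the old trustpoint), can both be checked mechanically before touching the box. The script below is an added example, not code from the thread or from Cisco: it parses `show crypto ca certificates` output in the format shown above and cross-references it with the config commands that select a trustpoint. The sample output and config fragment are constructed for this example and only modelled on the thread's output; the trustpoint names TP_NEW and TP_OLD, the `*.example.com` subject, the serial numbers and the dates are invented, and the list of trustpoint-selecting commands is limited to the two that appear in this thread.

```python
import re
from datetime import datetime

# Constructed sample modelled on the thread's `show crypto ca certificates`
# output; names, serials and dates are made up for this example.
SHOW_CERTS = """\
CA Certificate
Status: Available
Certificate Serial Number: 0a0b0c
Issuer Name:
cn=Example Root CA
Subject Name:
cn=Example Issuing CA
Validity Date:
start date: 17:39:26 EST Feb 19 2010
end date: 17:39:26 EST Feb 18 2020
Associated Trustpoints: TP_NEW
Certificate
Status: Available
Certificate Serial Number: 0d0e0f
Issuer Name:
cn=Example Issuing CA
Subject Name:
cn=*.example.com
Validity Date:
start date: 09:30:13 EDT Apr 23 2012
end date: 22:39:47 EDT Jun 24 2014
Associated Trustpoints: TP_NEW
Certificate
Status: Available
Certificate Serial Number: 010203
Issuer Name:
ou=Legacy CA
Subject Name:
cn=*.example.com
Validity Date:
start date: 11:01:22 EDT May 19 2010
end date: 14:48:12 EDT May 21 2012
Associated Trustpoints: TP_OLD
"""

# Constructed config fragment: SSL VPN points at the new trustpoint, but an
# IKEv2 line (the kind of culprit Raul describes) still names the old one.
CONFIG = """\
ssl trust-point TP_NEW outside
crypto ikev2 remote-access trustpoint TP_OLD
"""

# Commands seen in this thread that select a trustpoint for remote access.
# Extend this dict if your config selects trustpoints elsewhere.
TRUSTPOINT_SELECTORS = {
    "ssl trust-point": re.compile(r"^ssl trust-point (\S+)"),
    "crypto ikev2 remote-access trustpoint":
        re.compile(r"^crypto ikev2 remote-access trustpoint (\S+)"),
}


def parse_show_certs(text):
    """Split `show crypto ca certificates` output into one dict per cert."""
    certs = []
    # Every entry starts with a line that is exactly "Certificate" or
    # "CA Certificate"; split there and keep the header with its block.
    for block in re.split(r"^(?=(?:CA )?Certificate$)", text, flags=re.MULTILINE):
        if not block.strip():
            continue
        header = block.splitlines()[0].strip()
        end = re.search(r"end date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3} \d{1,2} \d{4})", block)
        subj = re.search(r"Subject Name:\n(.+)", block)
        tps = re.search(r"Associated Trustpoints:\s*(.+)", block)
        certs.append({
            "kind": "ca" if header == "CA Certificate" else "identity",
            "subject": subj.group(1).strip() if subj else "",
            # Time zone token is dropped; day-level accuracy is enough here.
            "not_after": datetime.strptime(" ".join(end.groups()), "%H:%M:%S %b %d %Y"),
            "trustpoints": re.split(r"[,\s]+", tps.group(1).strip()) if tps else [],
        })
    return certs


def audit(show_text, config_text, as_of):
    """Return (command, trustpoint, problem) tuples for every trustpoint a
    remote-access command selects that cannot present a valid chain on
    `as_of` (an ISO date string such as "2012-05-31")."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    certs = parse_show_certs(show_text)
    findings = []
    for line in config_text.splitlines():
        for command, pattern in TRUSTPOINT_SELECTORS.items():
            m = pattern.match(line.strip())
            if not m:
                continue
            tp = m.group(1)
            mine = [c for c in certs if tp in c["trustpoints"]]
            idents = [c for c in mine if c["kind"] == "identity"]
            if not idents:
                findings.append((command, tp, "no identity certificate"))
            for c in idents:
                if c["not_after"] < now:
                    findings.append((command, tp,
                        f"identity certificate for {c['subject']} expired {c['not_after']:%Y-%m-%d}"))
            if not any(c["kind"] == "ca" for c in mine):
                findings.append((command, tp, "no CA certificate (chain incomplete)"))
    return findings


if __name__ == "__main__":
    for command, tp, problem in audit(SHOW_CERTS, CONFIG, "2012-05-31"):
        print(f"{command} {tp}: {problem}")
```

To use it against a real device, paste the full `show crypto ca certificates` output into SHOW_CERTS and the relevant `show run` lines into CONFIG; a finding against a trustpoint you thought was no longer in use is exactly the situation Raul describes, and the command named in the finding is the line to change before the old certificate can be deleted.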
06-10-2020 01:47 PM