cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4232
Views
0
Helpful
5
Replies

Anyconnect 3.1 untrusted server cert w/ Wildcard

SCOTT VOLL
Level 1
Level 1

I've seen a bunch of discussions on the untrusted server cert error with self signed certs.  But I have a valid wildcard that I use on my ASA.  How do I make that work with out the untrusted server cert error?

TIA

Scott                  

5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

For wild card certificate, when you configure the trustpoint, also configure "fqdn none", and that would fix the wildcard untrusted certificate issue.

I am now seeing this problem show up on the latest Android/iOS clients as well.  We have "fqdn none" configured for our trustpoint, and are using a valid * wildcard certifcate from Digicert on the ASA.  The certificate tests 100% valid on ssllabs.com.  I am opening a TAC case and will update this thread.

Update:

Android and iOS devices do not have the same trust root CA installed as a MS Windows client.  I had to load both the root and intermediate CA certs for Digicert into the ASA.  The Android/iOS devices picked up all three certs successfully and no longer generate untrusted sever errors.

Mark,

Thanks for the update but can you go into detail on how you added the three certs to one trustpoint?

Cheers

The CA certificates were not added directly to the existing trustpoint.  You could add them directly via the ASDM as "CA Certificates" rather than "Identity Certificates", or with code similar to: 

crypto ca trustpoint Inter_CA

enrollment terminal

crl configure

crypto ca trustpoint Root_CA

enrollment terminal

crl configure

crypto ca certificate chain Inter_CA

certificate ca ....

crypto ca certificate chain Root_CA

certificate ca ....

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: