Anyconnect 3.1 untrusted server cert w/ Wildcard

SCOTT VOLL
Level 1

I've seen a bunch of discussions on the untrusted server cert error with self signed certs. But I have a valid wildcard that I use on my ASA. How do I make that work without the untrusted server cert error?

TIA

Scott                  

5 Replies

Jennifer Halim
Cisco Employee

For wild card certificate, when you configure the trustpoint, also configure "fqdn none", and that would fix the wildcard untrusted certificate issue.

I am now seeing this problem show up on the latest Android/iOS clients as well. We have "fqdn none" configured for our trustpoint, and are using a valid * wildcard certificate from Digicert on the ASA. The certificate tests 100% valid on ssllabs.com. I am opening a TAC case and will update this thread.

Update:

Android and iOS devices do not have the same trust root CA installed as a MS Windows client. I had to load both the root and intermediate CA certs for Digicert into the ASA. The Android/iOS devices picked up all three certs successfully and no longer generate untrusted server errors.

Mark,

Thanks for the update but can you go into detail on how you added the three certs to one trustpoint?

Cheers

The CA certificates were not added directly to the existing trustpoint. You could add them directly via the ASDM as "CA Certificates" rather than "Identity Certificates", or with code similar to:

crypto ca trustpoint Inter_CA
 enrollment terminal
 crl configure
crypto ca trustpoint Root_CA
 enrollment terminal
 crl configure
crypto ca certificate chain Inter_CA
 certificate ca ....
crypto ca certificate chain Root_CA
 certificate ca ....
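An added check for the failure mode this thread describes, not code from the thread or from Cisco: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` against the gateway and reports whether the chain as sent links cleanly, whether the wildcard leaf covers the VPN hostname, and which CA the client must already hold. The sample output and the CA names are constructed for the example; the hostname vpn.example.com is assumed.

```python
"""Check the chain a VPN gateway presents for the gap behind the 'untrusted
server certificate' error on clients that lack the intermediate CA. Input is the
'Certificate chain' section of `openssl s_client -showcerts` (OpenSSL 'CN = ...'
formatting); returns linkage/hostname problems plus the CA the client must trust."""
import re

# Constructed sample output; CA names are hypothetical.
SAMPLE_FULL = """\
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
---
"""
# Same gateway, but only the identity certificate is sent (the thread's symptom).
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
---
"""
_ENTRY = re.compile(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", re.MULTILINE)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(1).strip(), m.group(2).strip()) for m in _ENTRY.finditer(text)]

def wildcard_matches(pattern, hostname):
    """One leftmost wildcard label only: *.example.com covers vpn.example.com."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) >= 3 and p[0] == "*" and p[1:] == h[1:]

def check_chain(text, hostname):
    """Return (problems, trust_anchor); trust_anchor is the CA the client must hold."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificates parsed"], None
    problems = []
    m = re.search(r"CN = ([^,]+)", chain[0][0])
    cn = m.group(1) if m else ""
    if cn.lower() != hostname.lower() and not wildcard_matches(cn, hostname):
        problems.append(f"leaf CN {cn!r} does not cover {hostname}")
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            problems.append(f"cert {i} issuer is not cert {i + 1} subject")
    subject, issuer = chain[-1]
    if len(chain) == 1 and subject != issuer:
        problems.append("only the identity cert is sent; clients need the intermediate")
    return problems, issuer
```

Run it against real `openssl s_client -showcerts -connect <asa>:443` output after loading the intermediate into the ASA: the problem list should be empty and the reported trust anchor should be the public root the mobile clients already carry.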