Solved: Anyconnect VPN - Expired certificate causing Java error

mknaebelcu · ‎04-20-2015

Hello,

Since April 4th 2015 Java has been blocking the process of installing AnyConnect via web-deployment (see attached screenshot). It indicates there is an expired certificate with these details:

Issuer CN=VeriSign Class 3 Code Signing 2010 CA,
OU=Terms of use at https://www.verisign.com/rpa (c)10,
  OU=VeriSign Trust Network,
  O="VeriSign, Inc.",
C=US
Validity [From: Wed Jan 02 19:00:00 EST 2013,
  To: Sat Apr 04 19:59:59 EDT 2015] <-----------------------------
Subject CN="Cisco Systems, Inc.",   <-----------------------------
  OU=Digital ID Class 3 - Microsoft Software Validation v2,
  O="Cisco Systems, Inc.",
  L=Boxborough,
  ST=Massachusetts,
C=US

This certificate is not seen when entering 'show crypto ca cert' on the ASA -- it is NOT our certificate, as it is issued to "Cisco Systems, Inc", and it has clearly expired.

We are running the ASA software 9.1.6 and this behavior happens (at least) with the three latest versions of Java.

Is anyone else having this issue? Is there anything that can be done (server-side) to resolve this?

Thanks in advance...

Steve Leiser · ‎05-21-2015

Hi mknaebelcu

The problem has to do with the AnyConnect clients being deployed and not with any certificate on the ASA.

See bug CSCut80840

https://tools.cisco.com/bugsearch/bug/CSCut80840/?reffering_site=dumpcr

An upgrade to 3.1.8009 or 4.0.2052 should help

View solution in original post

Steve Leiser · ‎05-21-2015

Hi mknaebelcu

The problem has to do with the AnyConnect clients being deployed and not with any certificate on the ASA.

See bug CSCut80840

https://tools.cisco.com/bugsearch/bug/CSCut80840/?reffering_site=dumpcr

An upgrade to 3.1.8009 or 4.0.2052 should help

mknaebelcu · ‎05-23-2015

Thank you very much. This was the problem.