10-06-2017 06:17 AM - edited 03-12-2019 04:36 AM
Installed AnyConnect 3.x images on my ASA 5506-X and configured everything as required; however, my GoDaddy cert does not seem to be correctly applied to the VPN or the landing page. I cannot figure it out. Everything seems to be correct, but the active cert is still the self-signed one. The self-signed cert being displayed on the landing page and in use for AnyConnect is the default cert installed on the ASA for some reason.
BRCS-FW1(config)# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 327bbeb62f98eb05
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=vpn.certdoesntwork.com
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-729.crl
Validity Date:
start date: 15:59:01 EDT Oct 4 2017
end date: 15:59:01 EDT Oct 4 2020
Associated Trustpoints: ASDM_TrustPoint0
BRCS-FW1(config)# show run crypto ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn vpn.certdoesntwork.com
subject-name CN=vpn.certdoesntwork.com,OU=IT,O=Cert Doesnt Work,C=US,St=XX,L=Saturn
keypair brcsvpn.key
crl configure
BRCS-FW1# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point ASDM_TrustPoint0 outside
ssl certificate-authentication fca-timeout 2
10-06-2017 06:49 AM
Hello @aiphix,
There are 4 reasons why the ASA will send a self-signed certificate:
1. You are actually using one (not your case).
2. You don't have a certificate applied on the outside (not your case).
3. A bug.
4. The certificate applied on the outside is not properly configured (maybe your case).
Can you share the configuration and a picture of the 3 certificates that should be on the ASA (identity, intermediate and root certificates)? If you are missing one of them, that's the reason why it is failing.
HTH
Gio
10-06-2017 08:09 AM
Hello @aiphix,
Yes, you are missing the Go Daddy Root Certificate. You need to have all 3 of them installed on the ASA; if you are missing just one, it is not going to work.
Also, it doesn't matter if the trustpoint is not associated, since this Root is associated with the Intermediate and not the Identity. Install the Root certificate and test the connection again. It should work.
HTH
Gio
10-08-2017 03:06 PM - edited 10-08-2017 06:23 PM
EDIT: Downloaded and installed the wrong GoDaddy root cert. Installed the correct one and everything is working.
Thanks!