ASA Certificate Issue

Hello

I'm using Server 2012 R2 with Certificate Authority and NDES to manage certificates for an SSL VPN. I'm having some issues getting it all working. When I go to request an identity certificate I get an error saying "Enrollment interface null", but after it refreshes it shows it issued a certificate from the CA server? Next, when I go to make my authentication method both AAA and Certificate, I get an error saying:

NON-RESIDENT CERT: serial:
NON-RESIDENT CERT: serial:
RESIDENT CERT: serial:

WARNING: Please check if you have all the required certificate(s) in the config to authenticate the certificates that will be issued using this SCEP URL

Also, when I go to start a connection on the VPN I get a failed certificate with an error saying "Public key does not meet the minimum size required by the specified certificate template." After checking, the public key and the template are both set to 2048. Has anybody else had this issue?

Thank you

9 REPLIES

Hi Computerwiz24,

Are you trying Identity enrollment using ASDM or CLI?

SD-WAN Specialist
Spooster IT Services

Currently I'm using ASDM


Hi,

Please follow these steps and check if they help you:

Install CA certificate(s) to allow the ASA to trust the issuer of the SCEP ID cert installed on the client.

- Best practice: install all CA certificates from the ASA & AnyConnect issuing CA(s) all the way up the chain to the root CA.
- Note that the log message indicates which CA certificates are already installed (RESIDENT CERT) and which have not been installed yet (NON-RESIDENT CERT).

You can also check if the XML profile being used is correct.

Regards,

Aditya


Thank you for the help. I think I'm getting closer. I ended up going into the IIS manager on Server 2012 R2 and set the max count to 65384. Now I can authenticate using both user and certificate and I see the certificate in the CA, but when I go to connect now I still get the untrusted server error and it asks if I want to continue? What am I doing wrong? I must not have something set up right on the certificate. Common name maybe?

Thank you 


Hi Computerwiz24,

Does the PC from which you are trying to connect to the VPN have the local CA certificate in its trusted CA certificate list?

SD-WAN Specialist
Spooster IT Services

No, it doesn't. It is in the personal certificate folder?


You have to add that to the CA trusted list. 

SD-WAN Specialist
Spooster IT Services

Since I have the identity certificate, shouldn't it be a trusted certificate already, or will I have to move it into trusted certificates on each PC? Do I have something wrong on the identity certificate, and that's why it's not trusted?

thank you 


I think you need to add your local CA certificate (which you get with the identity certificate) to the Trusted CA list by right-clicking on it. Just check the "Enterprise Trust" and "Untrusted Certificate" folders under Certificate Manager; see highlighted in attachment.

SD-WAN Specialist
Spooster IT Services
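As an added example that is not part of any post above: a PowerShell check to run on the client PC (it assumes Windows PowerShell 5.1 or later, and the issuing-CA name is a placeholder you substitute) that builds the trust chain for the identity certificate in the Personal store and reports which CA certificates in that chain are, in the thread's own terms, RESIDENT or NON-RESIDENT in the trusted stores, plus the key size the template complained about.

```powershell
# Added example, not from the thread: on the AnyConnect client PC, check whether the
# identity certificate in the Personal (My) store chains to a CA this machine trusts,
# and list which CA certificates in that chain are installed in (RESIDENT) or missing
# from (NON-RESIDENT) the Trusted Root / Intermediate CA stores.
param(
    [string]$IssuerMatch = 'YOUR-ISSUING-CA-NAME'   # placeholder: substring of the issuing CA's name
)

# Pick the newest identity certificate from that CA that has a private key.
$idCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $idCert) { throw "No identity certificate issued by '*$IssuerMatch*' in Cert:\CurrentUser\My" }

# The template in the thread requires a 2048-bit key; report what the cert actually carries.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($idCert)
"Identity cert : $($idCert.Subject) (serial $($idCert.SerialNumber))"
"Key size      : $(if ($rsa) { $rsa.KeySize } else { 'not RSA' }) bits"

# Build the chain the way Windows does; revocation checking is skipped so a missing
# CRL does not mask the trust problem we are looking for.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($idCert)
"Chain trusted : $trusted"
foreach ($st in $chain.ChainStatus) { "  status: $($st.Status) - $($st.StatusInformation.Trim())" }

# Thumbprints of every CA certificate already installed in a trusted store (user or machine).
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\CA'
$installed = foreach ($s in $stores) {
    Get-ChildItem $s -ErrorAction SilentlyContinue | ForEach-Object { $_.Thumbprint }
}

# Element 0 is the identity cert itself; every CA above it must live in a trusted store.
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
    $ca = $chain.ChainElements[$i].Certificate
    $state = 'NON-RESIDENT (seen in the chain but not installed as trusted)'
    if ($installed -contains $ca.Thumbprint) { $state = 'RESIDENT (in a trusted store)' }
    "  CA: $($ca.Subject) -> $state"
}
if (-not $trusted) {
    "Fix: import the missing CA certificate(s) into Trusted Root Certification Authorities (root)"
    "     and Intermediate Certification Authorities (subordinates) on this PC, not into Personal."
}
```

Run it in the user context that launches AnyConnect; a chain status of PartialChain or UntrustedRoot with a NON-RESIDENT line is exactly the "untrusted server" prompt described above.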