ASA SSL Self Signed Certificate error message

ahurtadove
Level 1

Hi!

I have followed this configuration guide https://supportforums.cisco.com/document/44116/asa-self-signed-certificate-webvpn

Only changed fqdn and CN. When connecting to the VPN I constantly get the SSL certificate warning. I know this is because the certificate issuer is not known. The thing is that even after installing the certificate in the Trusted Root CAs (user and machine), every time I try to connect it will show the annoying message.

I finally added 

id-usage ssl-ipsec
revocation check crl none

and still nothing; the message still appears. ASA is v9.1.

What could this be? 

Thank you

3 Replies

Philip D'Ath
VIP Alumni

If you have the certificate installed in the Trusted Root CA and somewhere else, then it seems to become untrusted again.

Try deleting every copy in the certificate store, and then only importing it into the machine trusted root CA store.

I tried that with no luck.

The error basically means that the site I'm trying to connect to does not have the same name as the certificate. This is true, as I'm trying to connect to the 98.xx.xx.xx:XXX public address and the self-signed certificate is issued to vpn.[company].org.

How am I able to make this certificate so it presents the IP address in some field?

I tried doing the hosts file trick and it works: I manually added the host and its IP and have no problem, but this seems rather intrusive. Also, what would happen if another program edits the hosts file (as AnyConnect does) and everything breaks?

Regards

You can't connect to an IP address and not get a certificate error. The certificate validates that the FQDN matches what has been typed in.

Can you not just get a DNS entry added?
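To make the name-mismatch part of this thread concrete, here is an added example (not code from the thread, from Cisco, or from the ASA) that reproduces the identity check an SSL client performs on the server certificate, separately from the chain-of-trust check the poster already addressed by importing the certificate into the Trusted Root store. The certificate dictionaries are constructed in the layout Python's `ssl.SSLSocket.getpeercert()` returns and are not real certificates; `vpn.example.org` and `198.51.100.10` are placeholder values standing in for the poster's `vpn.[company].org` and `98.xx.xx.xx`. The example shows why typing the public IP against a CN-only certificate fails, why the hosts-file trick makes the same certificate pass, and that an `IP Address` entry in the subjectAltName extension is what lets an IP-literal target validate; whether and how the ASA 9.1 self-signed procedure in the linked guide can be made to emit such a SAN entry is not established in this thread and is left as an assumption here.

```python
"""Server-certificate identity check the way an SSL client does it
(RFC 6125 / RFC 2818 rules).  Added example: not from the thread, Cisco or
the ASA.  Certificates below are constructed in the shape returned by
ssl.SSLSocket.getpeercert() and are not real certificates."""
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName / CN value (possibly '*.example.org') against a
    hostname.  A wildcard is honoured only as the whole leftmost label and
    needs at least two labels to its right, as browsers require."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_target(cert: dict, target: str) -> bool:
    """True if `target` (what the user typed: a DNS name or an IP literal)
    is covered by the certificate's names.

    Rules applied (strict RFC 6125 behaviour; some older clients were laxer):
    * if a subjectAltName extension is present, the subject CN is ignored;
    * an IP literal matches only an 'IP Address' SAN entry, never a CN or a
      dNSName, even if the CN text happens to be that IP;
    * a DNS name matches dNSName entries, or the CN when no SAN exists."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if target_ip is not None and kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == target_ip:
                        return True
                except ValueError:
                    continue
            elif target_ip is None and kind == "DNS":
                if _dns_label_match(value, target):
                    return True
        return False

    if target_ip is not None:
        return False  # no SAN: a CN cannot satisfy an IP-literal target
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_label_match(value, target):
                return True
    return False


# Constructed certificates (not real) in getpeercert() layout.
# 1) what a CN-only self-signed certificate like the one in the thread carries
ASA_CN_ONLY = {
    "subject": ((("commonName", "vpn.example.org"),),),
}
# 2) the same identity plus a SAN carrying the public IP (assumed shape; the
#    thread does not show how to produce this on the ASA)
ASA_WITH_IP_SAN = {
    "subject": ((("commonName", "vpn.example.org"),),),
    "subjectAltName": (("DNS", "vpn.example.org"), ("IP Address", "198.51.100.10")),
}


def demo() -> dict:
    """Outcomes for the situations discussed in the thread."""
    return {
        # typing the FQDN (or forcing it via the hosts file) matches the CN
        "fqdn_vs_cn_only": cert_matches_target(ASA_CN_ONLY, "vpn.example.org"),
        # typing the public IP against a CN-only cert: the warning the poster sees
        "ip_vs_cn_only": cert_matches_target(ASA_CN_ONLY, "198.51.100.10"),
        # an 'IP Address' SAN entry is what lets an IP-literal target validate
        "ip_vs_ip_san": cert_matches_target(ASA_WITH_IP_SAN, "198.51.100.10"),
        "fqdn_vs_ip_san": cert_matches_target(ASA_WITH_IP_SAN, "vpn.example.org"),
        "other_ip_vs_ip_san": cert_matches_target(ASA_WITH_IP_SAN, "198.51.100.11"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} {'match' if ok else 'MISMATCH'}")
```

The check here is the name-matching step only; a certificate can pass it and still be rejected because the issuer is untrusted, the certificate is expired, or the client (AnyConnect included) applies a stricter policy of its own. Editing the hosts file makes the typed name equal the CN, which is why it silences the warning, but a real DNS record for the CN, as the reply suggests, achieves the same result without touching the client.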