Enthusiast

Can't generate the self-signed cert for the Anyconnect VPN

I am playing with the AnyConnect VPN on my spare 2921 router. When I followed the instructions to create a trustpoint and enroll a self-signed cert, I got this error:

crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 subject-name CN=anyconnect.pason.com
 rsakeypair my-rsa-keys
!
(config)#crypto pki enroll my-trustpoint
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL

As a troubleshooting step, I tried to enable the HTTP secure server, and I also got this error:

anyconnect(config)#ip http secure-server
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

Any idea why? Is it because I don't have a license? Thanks!

VIP Mentor

Re: Can't generate the self-signed cert for the Anyconnect VPN

Enthusiast

Re: Can't generate the self-signed cert for the Anyconnect VPN

Hi Karsten, yes I do - Version 16.6.6

I have also tried to factory reset the router and configure the PKI as the first thing, and I still got the same error...

I will read your link. Thanks for that.

Hi Karsten, I apologize for replying without reading your link... I did not know there was a bug. I thought you just asked a general question. I will upgrade to the latest and try again. Thanks!

Enthusiast

Re: Can't generate the self-signed cert for the Anyconnect VPN

Thank you Karsten, the upgrade fixed the problem.

Beginner

Re: Can't generate the self-signed cert for the Anyconnect VPN

This is cool. Thank you very much. The link helped me solve the question (https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html).

In my opinion, if the time can be returned to before January 1, 2020, the problem may be solved. So I set the router time to January 1, 2019 (clock set 15:00:00 Jan 1 2019), and it is a wonder that I guessed right.
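
For anyone auditing other routers for the same issue, the sketch below (an added example, not code from the thread or from Cisco) parses `show crypto pki certificates` output and reports self-signed certificates whose end date is the January 1, 2020 boundary mentioned in the last reply, plus any certificate that has already expired. The sample output is constructed and abridged; its layout, the trustpoint names, and the UTC-only handling are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed, abridged sample modeled on `show crypto pki certificates` output.
SAMPLE = """\
Router Self-Signed Certificate
  Status: Available
  Issuer:
    cn=IOS-Self-Signed-Certificate-0000000001
  Validity Date:
    start date: 18:02:11 UTC Mar 4 2017
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-0000000001

Certificate
  Status: Available
  Issuer:
    cn=Example-Lab-CA
  Validity Date:
    start date: 09:15:00 UTC Feb 10 2021
    end   date: 09:15:00 UTC Feb 10 2031
  Associated Trustpoints: my-trustpoint
"""

CUTOFF = datetime(2020, 1, 1, tzinfo=timezone.utc)  # date named in the thread
END_RE = re.compile(r"end\s+date:\s+(\d\d:\d\d:\d\d) (\S+) (\w{3}) +(\d+) (\d{4})")
TP_RE = re.compile(r"Associated Trustpoints:\s*(.+)")

def audit(show_output, now):
    """Return (trustpoint, end_date, reason) for certificates needing action."""
    findings = []
    # Each certificate block starts with an unindented header line.
    for block in re.split(r"\n(?=\S)", show_output):
        end, tp = END_RE.search(block), TP_RE.search(block)
        if not end or not tp:
            continue  # not a complete certificate block
        clock, tz, mon, day, year = end.groups()
        if tz != "UTC":  # assumption: only UTC-stamped output is handled
            raise ValueError(f"unsupported time zone in output: {tz}")
        not_after = datetime.strptime(
            f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y"
        ).replace(tzinfo=timezone.utc)
        name = tp.group(1).strip()
        if block.startswith("Router Self-Signed") and not_after == CUTOFF:
            findings.append((name, not_after, "self-signed, ends 2020-01-01"))
        elif not_after <= now:
            findings.append((name, not_after, "expired"))
    return findings
```

Pass the router's real output and `datetime.now(timezone.utc)` to `audit`; any trustpoint it returns needs a new certificate before clients can trust it again.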