Cisco Anyconnect VPN getting Untrusted server certificate error

amitspanchal
Level 1

I am getting untrusted server certificate error while connecting to the VPN. I have installed the certificate and is showing valid.


Note the certificate is wildcard certificate.

7 Replies

@amitspanchal

I assume the FQDN used in anyconnect matches the wildcard domain?

Have you enabled this certificate trustpoint on the outside interface?

ssl trust-point <trustpoint name> outside

...otherwise the ASA will not be using that certificate.

Yes Rob,

I have enabled this certificate on the outside interface.

ssl trust-point Hobasa_cert
webvpn
enable outside


Ok, I can see you are attempting to connect to the IP address 27.10*.*.*, not the FQDN. It will display this error; you need to connect to the FQDN that matches the wildcard domain.

Hi Rob,

Thanks for your response. Suppose I have a wildcard certificate issued to *.abc.com, and I create a DNS entry for my firewall on the internet, such as firepower.abc.com, and use this FQDN for the AnyConnect VPN. Will I still get the same certificate error after that?

@amitspanchal if you create an FQDN called firepower.abc.com and connect to firepower.abc.com from anyconnect/secure client and the wildcard on the FTD is *.abc.com you will not receive the certificate error. The FQDN used to connect to the VPN must be valid on the certificate. You are receiving the error because you connect to the IP address, which obviously does not match the wildcard domain.
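The name check Rob describes, as an added example that is not from this thread or from Cisco: a Python matcher that applies the usual dNSName/wildcard rules to whatever the client connected to, against a constructed SAN list, so you can see why *.abc.com covers firepower.abc.com but not an IP address, the bare abc.com, or a deeper subdomain. It goes one step beyond the thread by also handling an iPAddress SAN entry, the only kind of entry that would make a connection by IP pass; the SAN list and the 27.10.0.1 address are constructed stand-ins for the masked values in the screenshots.

```python
import ipaddress

# Constructed sample: the SAN list of a wildcard certificate, in the
# (type, value) pair form that Python's ssl.getpeercert() returns.
WILDCARD_CERT_SAN = [("DNS", "*.abc.com")]


def dns_name_matches(san_name: str, target: str) -> bool:
    """RFC 6125-style dNSName check: case-insensitive, a wildcard is honoured only
    as the whole leftmost label and matches exactly one label, and an IP literal
    never matches a dNSName, wildcard or not."""
    san_name, target = san_name.lower().rstrip("."), target.lower().rstrip(".")
    try:
        ipaddress.ip_address(target)  # client typed an IP address, not a hostname
        return False
    except ValueError:
        pass
    if not san_name.startswith("*."):
        return san_name == target
    san_labels, target_labels = san_name.split("."), target.split(".")
    # *.abc.com covers firepower.abc.com, but not abc.com or vpn.site.abc.com
    return (len(san_labels) == len(target_labels)
            and target_labels[0] != ""
            and san_labels[1:] == target_labels[1:])


def certificate_covers(san_entries, target: str) -> bool:
    """True if the name or address the client connected to is listed in the SAN."""
    for san_type, value in san_entries:
        if san_type == "DNS" and dns_name_matches(value, target):
            return True
        if san_type == "IP Address":
            try:
                if ipaddress.ip_address(value) == ipaddress.ip_address(target):
                    return True
            except ValueError:  # target is a hostname, so an iPAddress entry cannot apply
                continue
    return False


if __name__ == "__main__":
    for target in ("27.10.0.1", "firepower.abc.com", "abc.com", "vpn.site.abc.com"):
        verdict = "trusted" if certificate_covers(WILDCARD_CERT_SAN, target) else "UNTRUSTED (name mismatch)"
        print(f"{target:20} -> {verdict}")
```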

Thanks 

MHM

amitspanchal
Level 1

Hi Rob,

This thing worked for me. Thank you very much for your help.