Showing results for 
Search instead for 
Did you mean: 

Clientless SSL VPN - RDP blocked by java

Tan Jay Sern

Hi Guys,

I configured my ASAv running version 9.6.2 with clientless ssl vpn. I imported the plugin rdp02.24.2014.jar

My ssl vpn portal can be accessed publically with a trusted cert from a trusted CA (A valid certificate showing secured connection). 

However, when I tried to access my machines through RDP, java blocked it with the error "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"

Can anyone guide me how to solve this issue?


3 Replies 3

Rahul Govindan

Hi Tan,

So the Java applet (RDP in this case) is signed by Cisco, but this usually expires unless you get a Java code signing cert and sign the applet again. This is not the public certificate that you have for the external fqdn. More info here:

Now, since these plugins were released in 2014, the certs are most likely expired. So a workaround would be to add the ASA ip address/fqdn into the Java exception list, so that you can bypass the error that the Java creates when it sees an expired cert.

Hi Rahul,

Thanks for the explanation. I tried replacing the java code signing certificate with the one I got from CA but I received another error from java, "Extended key usage does not permit use for code signing" 

Any idea on what have went wrong?

Usually the SSL certificates received from public CA's do not contain the Extended Key usage (EKU) for code signing. This field defines what purposes the certificates can be used for. For a typical SSL certificate, the EKU field is set to "Server Authentication".

Now as given in the document I pasted earlier, you would have to generate a new Certificate Signing Request (CSR) with EKU set to code-signer (last line):

hostname(config)# crypto key generate rsa label CodeSigner
INFO: The name for the keys will be: CodeSigner
Keypair generation process begin. Please wait...
hostname(config)# crypto ca trustpoint CodeSigner
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config-ca-trustpoint)# subject-name CN=ASA-Code-Signer,O=Companyname
hostname(config-ca-trustpoint)# keypair CodeSigner
hostname(config-ca-trustpoint)# id-usage code-signer

Once you generate the CSR, send this to your CA to get a new certificate with the right EKU and apply that as the code signing cert. If the CA adds its own EKU, then you can get a certificate with EKU set to Server Auth and Code signing, which should allow you to use it for both purposes. Would be best to check with your CA on that before the process.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: