12-18-2016 10:22 PM - edited 02-21-2020 09:06 PM
Hi Guys,
I configured my ASAv running version 9.6.2 with clientless ssl vpn. I imported the plugin rdp02.24.2014.jar
My ssl vpn portal can be accessed publically with a trusted cert from a trusted CA (A valid certificate showing secured connection).
However, when I tried to access my machines through RDP, java blocked it with the error "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
Can anyone guide me how to solve this issue?
Thanks.
12-19-2016 06:47 PM
Hi Tan,
So the Java applet (RDP in this case) is signed by Cisco, but this usually expires unless you get a Java code signing cert and sign the applet again. This is not the public certificate that you have for the external fqdn. More info here:
Now, since these plugins were released in 2014, the certs are most likely expired. So a workaround would be to add the ASA ip address/fqdn into the Java exception list, so that you can bypass the error that the Java creates when it sees an expired cert.
12-20-2016 12:05 AM
Hi Rahul,
Thanks for the explanation. I tried replacing the java code signing certificate with the one I got from CA but I received another error from java, "Extended key usage does not permit use for code signing"
Any idea on what have went wrong?
12-20-2016 06:24 AM
Usually the SSL certificates received from public CA's do not contain the Extended Key usage (EKU) for code signing. This field defines what purposes the certificates can be used for. For a typical SSL certificate, the EKU field is set to "Server Authentication".
Now as given in the document I pasted earlier, you would have to generate a new Certificate Signing Request (CSR) with EKU set to code-signer (last line):
hostname(config)# crypto key generate rsa label CodeSigner INFO: The name for the keys will be: CodeSigner Keypair generation process begin. Please wait... hostname(config)# crypto ca trustpoint CodeSigner hostname(config-ca-trustpoint)# enrollment terminal hostname(config-ca-trustpoint)# subject-name CN=ASA-Code-Signer,O=Companyname hostname(config-ca-trustpoint)# keypair CodeSigner hostname(config-ca-trustpoint)# id-usage code-signer
Once you generate the CSR, send this to your CA to get a new certificate with the right EKU and apply that as the code signing cert. If the CA adds its own EKU, then you can get a certificate with EKU set to Server Auth and Code signing, which should allow you to use it for both purposes. Would be best to check with your CA on that before the process.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: