does asa ssl certificate have to match device name to be trusted?

Alex Willoughby
Level 1
Level 1

Hi all,

I have installed an SSL certificate for SSL/AnyConnect VPNs onto my ASA. My cert is named vpn.domain.co.uk but the device is named webasa.domain.co.uk.

When I browse to the site using Chrome I get

"you attempted to reach vpn.domain.co.uk but instead you reached a server identifying itself as webasa.domain.co.uk..." not trusted etc...

I have set the SSL trustpoint to the vpn.domain.co.uk certificate, and when I browse the certificate via the browser I can see it's correctly assigning the right one.

So, based on the debug, does my device have to have the same name as the cert?

Thanks

6 Replies

no, the devicename doesn't have to match (for my ASAs, the VPN-names never match the device-name). But the name in the certificate has to match the name you use to access the ASA.

That's what it should look like for you (probably a different CA than the one on my home ASA):

asa# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 09bc97
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=StartCom Class 1 Primary Intermediate Server CA
    ou=Secure Digital Certificate Signing
    o=StartCom Ltd.
    c=IL
  Subject Name:
    cn=vpn.domain.co.uk
...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
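The rule in this reply (the browser compares the name it was asked for against the certificate's names, never against the ASA hostname) can be checked with a small script. This is an added example, not code from the thread or from Cisco; the certificate dictionaries are constructed to mirror what Python's `ssl.SSLSocket.getpeercert()` returns, and `fetch_and_check()` is a hypothetical helper for running the same comparison against a live device.

```python
import socket
import ssl


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact match, or '*' standing for one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p, h = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label; remaining labels must match exactly.
    return len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]


def cert_names(cert: dict) -> list:
    """Names a certificate is valid for: SAN dNSName entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans  # browsers ignore the CN once a SAN extension is present
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert: dict, requested_host: str) -> bool:
    """True when the name typed into the browser is covered by the certificate."""
    return any(_name_matches(name, requested_host) for name in cert_names(cert))


def fetch_and_check(host: str, port: int = 443, cafile: str = None) -> bool:
    """Hypothetical helper: connect to a live device and check the cert it actually serves.
    Chain trust is still verified (pass an internal CA bundle as `cafile`); only the name
    check is done here, so a False result explains the 'identifying itself as' warning."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we do the name comparison ourselves, above
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return hostname_matches(cert, host)


# Constructed certificates shaped like ssl.SSLSocket.getpeercert() output (not real certs).
CERT_VPN = {"subject": ((("commonName", "vpn.domain.co.uk"),),)}
CERT_WEBASA = {"subject": ((("commonName", "webasa.domain.co.uk"),),)}
CERT_SAN = {"subject": ((("commonName", "webasa.domain.co.uk"),),),
            "subjectAltName": (("DNS", "vpn.domain.co.uk"),)}

if __name__ == "__main__":
    for label, cert in [("vpn cert", CERT_VPN), ("webasa cert", CERT_WEBASA), ("SAN cert", CERT_SAN)]:
        print(label, "covers vpn.domain.co.uk:", hostname_matches(cert, "vpn.domain.co.uk"))
```

The CERT_SAN case shows why a certificate whose CN is the device name still works for the VPN URL as long as the VPN FQDN is in the SAN, and why the reverse (CN=webasa, no SAN) produces exactly the warning quoted in the question.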

hmmm,

I did have two identity certificates previously and I've now removed one of them; the other was called webasa, which is what I'm getting the error at.

But browsing to the site is still giving me the error as above. Are there any other outputs that may prove useful?

Thanks

WEBASA# sh crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 123456789
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=ca
    dc=domain
    dc=co
    dc=uk
  Subject Name:
    cn=vpn.domain.co.uk
  CRL Distribution Points:
  Validity Date:
    start date: 11:14:45 GMT/BDT May 9 2013
    end   date: 11:14:45 GMT/BDT May 9 2015
  Associated Trustpoints: VPN.DOMAIN.CO.UK_Trust

Have you assigned the certificate to the right interface? And do you really use "vpn.domain.co.uk" as the FQDN for the connection?


ssl trust-point VPN.DOMAIN.CO.UK_Trust outside

Well, I use my actual domain instead of domain; I've just removed it for sensitivity.

Will I need to reload the ASA, or is there anything to do to get the new vpn.domain.co.uk certificate active on the interface?

> ssl trust-point VPN.DOMAIN.CO.UK_Trust outside

ok, that's correct

> Well, I use my actual domain instead of domain; I've just removed it for sensitivity.

yes, I just wanted to make sure that you didn't use the IP or a different FQDN that also points to the ASA.

> Will I need to reload the ASA, or is there anything to do to get the new vpn.domain.co.uk certificate active on the interface?

I'm pretty sure that there is no reload needed. But if it doesn't work it's always worth a try if you can do that.


I doubt I will be able to reboot it anytime soon. Are there any other debug commands I can use to investigate?

Thanks