cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
679
Views
0
Helpful
3
Replies

expired Cisco's Versigin certificate

Hi all and happy easter

 

Actually I try to setup AnyConnect on my new laptop using web deployment of my ASA5505 and get an problem with an expired certificate.

ASA 9.2.3

ASDM 7.4.1

AnyConnect 3.1.7021

 

CN="Cisco Systems, Inc."

From: Jan 03 2013

To: Apr 05 2015

 

 

What I have to do?  In my Certificate list is no Versign Certificate available which is expired on Apr 05 2015.

Temporarily I have added my hostname to the java exception list. But thats not the generally fix I hope ;-)

 

 

regards,

Chris

 

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

That's an odd trustpoint to have bound to your interface.

Can you share the output of:

show crypto ca trustpoints

show ssl

show run ssl

 

Thanks for you answer Marvin,

here the requested output...

 

 

show crypto ca trustpoints

Result of the command: "show crypto ca trustpoints"

Trustpoint COMODO:
    Not authenticated.


Trustpoint ASDM_TrustPoint0:
    Not authenticated.


Trustpoint ASDM_TrustPoint2:
    Configured for self-signed certificate generation.


Trustpoint ASDM_TrustPoint6:
    Not authenticated.


Trustpoint LOCAL-CA-SERVER:
    Subject Name: 
    cn=site.mydomain.com
          Serial Number: 4a
    Certificate configured.


Trustpoint ASDM_TrustPoint3:
    Subject Name: 
    cn=EssentialSSL CA
    o=COMODO CA Limited
    l=Salford
    st=Greater Manchester
    c=GB
          Serial Number: 18f2cbbaa304f1a00fc1f2f326462a4a
    Certificate configured.


Trustpoint ASDM_TrustPoint4:
    Subject Name: 
    cn=COMODO RSA Domain Validation Secure Server CA
    o=COMODO CA Limited
    l=Salford
    st=Greater Manchester
    c=GB
          Serial Number: 2f2e6eead975366c148a6edba37c8c07
    Certificate configured.


Trustpoint ASDM_TrustPoint4-1:
    Subject Name: 
    cn=COMODO RSA Certification Authority
    o=COMODO CA Limited
    l=Salford
    st=Greater Manchester
    c=GB
          Serial Number: 2766fe56eb49f38eabd770a2fc84de22
    Certificate configured.


Trustpoint ASDM_Launcher_Access_TrustPoint_0:
    Configured for self-signed certificate generation.

 

show ssl
 

Result of the command: "show ssl"

Accept connections using SSLv2 or greater and negotiate to TLSv1
Start connections using TLSv1 only and negotiate to TLSv1 only
Enabled cipher order: 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1

SSL trust-points:
  Default: ASDM_TrustPoint2
  inside VPNLB interface: ASDM_TrustPoint2
  inside interface: ASDM_TrustPoint4
  outside interface: ASDM_TrustPoint4
Certificate authentication is not enabled

 
show run ssl

Result of the command: "show run ssl"

ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint2
ssl trust-point ASDM_TrustPoint2 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint4 inside
ssl trust-point ASDM_TrustPoint4 outside

 

 

 

 

 

That's even more odd - none of your trustpoints have the CN ' "Cisco Systems Inc.". Your outside interface should report the CN associated with trustpoint4 (COMODO) - even though that's not the right one to have configured - it's a root CA certificate and not a device certificate.

Has someone tried and failed to change this setup recently?