06-21-2015 06:43 PM - edited 02-21-2020 08:18 PM
ASA 5506 running 9.4(1)1 with a GoDaddy SHA-256 certificate installed with a key size of 2048. I install the root and secure from GoDaddy along with the identity cert in respective trustpoints and all seems well. I connect to the https:// interface from a remote client using IE 9 and I get the cert as expected. I connect from the same client using Chrome 44 and I get the self-signed cert instead?! TLS 1-1.2 is supported. Config below.
crypto ca trustpoint sslvpn.g3networks.net
 enrollment terminal
 fqdn vpn.g3networks.net
 subject-name CN=sslvpn.g3networks.net,OU=IT,C=US,St=TN
 keypair RSA2048
 crl configure
crypto ca trustpoint GoDaddyRoot
 enrollment terminal
 crl configure
crypto ca trustpoint GoDaddyG2
 enrollment terminal
 crl configure
ssl trust-point sslvpn.g3networks.net outside
g3asa5506(config)# sh cry ca certificates
Certificate
Status: Available
Certificate Serial Number: 00c60f5cc9c30be998
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=sslvpn.g3networks.net
ou=Domain Control Validated
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdig2s1-87.crl
Validity Date:
start date: 17:46:38 CDT Jun 21 2015
end date: 17:58:35 CDT Jul 3 2017
Associated Trustpoints: sslvpn.g3networks.net
CA Certificate
Status: Available
Certificate Serial Number: 1be715
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
ou=Go Daddy Class 2 Certification Authority
o=The Go Daddy Group\, Inc.
c=US
Subject Name:
cn=Go Daddy Root Certificate Authority - G2
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdroot.crl
Validity Date:
start date: 01:00:00 CST Jan 1 2014
end date: 02:00:00 CDT May 30 2031
Associated Trustpoints: GoDaddyG2
CA Certificate
Status: Available
Certificate Serial Number: 07
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=Go Daddy Root Certificate Authority - G2
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
OCSP AIA:
URL: http://ocsp.godaddy.com/
CRL Distribution Points:
[1] http://crl.godaddy.com/gdroot-g2.crl
Validity Date:
start date: 02:00:00 CDT May 3 2011
end date: 02:00:00 CDT May 3 2031
Associated Trustpoints: GoDaddyRoot
g3asa5506(config)# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)
SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface outside: sslvpn.g3networks.net (RSA 2048 bits RSA-SHA256)
Certificate authentication is not enabled
g3asa5506(config)# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point sslvpn.g3networks.net outside
ssl certificate-authentication fca-timeout 2
g3asa5506(config)#
06-21-2015 09:23 PM
Hi Jake,
I see the same self-signed certificate for that ASA using IE, Chrome, Firefox and AnyConnect itself.
Did you perhaps create the self-signed certificate first using the FQDN etc.?
Have a look at "show crypto ca trustpoints" - it may be informative.
06-22-2015 07:27 AM
There's the rub. From the output below I see 'Not authenticated' but I'm not sure why.
g3asa5506# sh cry ca trustpoints
Trustpoint sslvpn.g3networks.net:
Not authenticated.
Trustpoint GoDaddyRoot:
Subject Name:
cn=Go Daddy Secure Certificate Authority - G2
ou=http://certs.godaddy.com/repository/
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Serial Number: 07
Certificate configured.
Trustpoint GoDaddyG2:
Subject Name:
cn=Go Daddy Root Certificate Authority - G2
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Serial Number: 1be715
Certificate configured.
g3asa5506#
06-22-2015 08:56 AM
So I ended up creating a TAC case and they stated the following when using certs in 9.4 and TLS
For version 9.4.(x) we have the following information:
That said I issued the command below and was able to resolve the issue.
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-
06-22-2015 07:27 PM
Oh - you were hitting that one. A couple of folks have come across that.
It's mentioned in the release notes but is a pretty goofy default behavior from Cisco. Never before has a new ASA release messed up certificates like 9.4(1) has.
Thanks for updating the thread with your resolution. +5. :)
10-01-2015 08:38 AM
I experienced this last night after updating my anyconnect license on the ASA. So glad you already found the solution. Saved me from myself today. Thanks for sharing!
01-27-2016 09:01 AM
This solution also helped me. Thanks!
05-19-2016 08:17 AM
I used this solution for Digicert wildcard Certificate.
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"