
Identity Cert still kicking off warnings

lhoyle
Level 1

I exported my identity cert off of my existing production ASA for AnyConnect clients and imported it to my new ASA.

Without making a DNS change, but using a hosts file entry for the name, I still get an identity warning when connecting my AnyConnect client.

When I first installed this cert on the existing prod ASA, I had several alternate DNS names added to the cert, and I changed one of them to the new firewall's outside address. That isn't working either!

The exact same 2 identity certs are on both ASAs. Any ideas?

Thank you in advance.

 

Accepted Solution

Hi,

When you imported the certificate to the trustpoint, did you enable the certificate on the outside interface? e.g.

ssl trust-point VPN_TP OUTSIDE

Is the certificate issued by a public CA?

Does the client computer trust the CA in use by the ASA?

HTH


2 Replies


Marvin Rhoads
Hall of Fame

Inspect the certificate using a browser to the webvpn portal on the new ASA. That will usually highlight whether you are using the intended certificate and what fields (CN, SAN etc.) it is presenting to the client.

Generally speaking, either the CN or a SAN must match the FQDN the client is using.
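As an added example (not from this thread or from Cisco), the name-matching check a browser or AnyConnect applies to the presented certificate, written over the dict format Python's `ssl` `getpeercert()` returns; the sample certificate is constructed to mirror the question, with one DNS SAN replaced by the new firewall's outside IP, and shows why that change does not satisfy a client that connects by name or by address.

```python
"""Check whether an ASA identity certificate matches the name the client uses.

Input is the dict format that Python's ssl.SSLSocket.getpeercert() returns
after a verified handshake (a browser's certificate viewer shows the same fields).
"""
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard is only honoured as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert: dict, target: str) -> tuple[bool, str]:
    """Return (ok, reason) for the hostname or IP address the client connected to."""
    sans = cert.get("subjectAltName", ())
    dns_sans = [v for t, v in sans if t == "DNS"]
    ip_sans = [v for t, v in sans if t == "IP Address"]
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP string stored in a dNSName SAN is ignored; it must be an iPAddress SAN.
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return True, f"iPAddress SAN matches {target}"
        return False, f"{target} is not an iPAddress SAN (DNS SANs: {dns_sans})"
    for name in dns_sans:
        if _dns_label_match(name, target):
            return True, f"SAN {name} matches {target}"
    if dns_sans:
        return False, f"no DNS SAN matches {target}; CN is ignored when DNS SANs exist"
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    if cn and _dns_label_match(cn, target):
        return True, f"CN {cn} matches {target} (no DNS SANs present)"
    return False, f"neither SAN nor CN matches {target}"


# Constructed sample (not a real certificate): the CN and one SAN carry the old
# VPN name; a second SAN was edited to hold the new firewall's outside address.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "203.0.113.10")),
}
```

Running `identity_matches(SAMPLE_CERT, "newvpn.example.com")` reproduces the warning from the question: a hosts-file entry changes name resolution, not the name the client compares against the SAN list.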