01-22-2013 10:55 AM
I've been over the many other posts on this issue, and they all seem a little different, so I started my own thread.
I have deployed AnyConnect 3.1.02026 to my users via the ASA, and we all get the Untrusted VPN Server Cert warning when connecting.
When the ASA deploys the client, it puts the outside IP of the ASA as the hostname, which is causing the error.
So I have two questions: 1. How do I get the ASA to make the hostname "vpn.cfo.com" when a user installs the client and 2. How do I change my cert so it doesn't show the internal name of the ASA and uses "vpn.cfo.com" instead?
Here's all the info anyone should need to help (I think)
ssl trust-point ASDM_TrustPoint0 OUTSIDE_PRIMARY
Certificate
Status: Available
Certificate Serial Number: *********
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=ambossfw01.cfopub.net
cn=ambossfw01
Subject Name:
hostname=ambossfw01.cfopub.net
cn=ambossfw01
Validity Date:
start date: 15:17:42 EDT Jun 2 2011
end date: 15:17:42 EDT May 30 2021
Associated Trustpoints: ASDM_TrustPoint0
CA Certificate
Status: Available
Certificate Serial Number: ******************************
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Subject Name:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at https://www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
OCSP AIA:
CRL Distribution Points:
[1] http://crl.verisign.com/pca3-g5.crl
Validity Date:
start date: 19:00:00 EST Feb 7 2010
end date: 18:59:59 EST Feb 7 2020
Associated Trustpoints: _SmartCallHome_ServerCA
Any help would be greatly appreciated.
01-26-2013 02:26 PM
Hi,
Cisco has made verification of KU and EKU strict in recent AnyConnect releases, which leads to the warning you got.
To my knowledge, if you downgrade to 3.1.00495, you will not get this warning; otherwise, you need to get valid KU and EKU fields in your ASA certificate.
To use a specific trustpoint, please check the command "ssl trust-point".
Mashal
01-22-2013 10:56 PM
Create a new self signed certificate by creating a new trustpoint, and when you create the certificate, configure the subject-name to be
"CN=vpn.cfo.com" as follows:
subject-name CN=vpn.cfo.com
Then apply the newly created trustpoint to the outside interface.
Here is a URL for your reference to generate the self-signed certificate with the correct CN: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Hope that helps.
01-23-2013 06:09 AM
That looks like what I need, because apparently I was digging around in the wrong place. I've configured the new cert and now I need to reload the ASA (tonight).
Thanks for your help!
01-25-2013 07:37 AM
I followed all the directions, but unfortunately I'm still getting the warning. This time it gives me the correct FQDN in the warning, so I'm not really sure what the problem is. It still says that the cert is untrusted.
Any other ideas?
Thanks.
01-25-2013 07:43 AM
The current AnyConnect uses new settings that control the "extended key usage" field in the certificate. Sadly, certificates with that field can't be configured locally on the ASA. You should deploy a certificate from a public CA. There are many cheap CAs and even some with free certificates.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-25-2013 07:44 AM
Thanks, I will try that out.
01-25-2013 09:11 AM
I created a public cert using CACert.org, installed it, and I'm still getting the "Certificate is from an untrusted source" error. This is progress, but it still requires the user to check the trust box and then connect. The higher-ups want it to be seamless, with as little interaction as possible. What step did I miss if I'm getting the untrusted source error?
01-25-2013 09:14 AM
Additional info: I noticed that the CAcert.org CA cert that I installed is associated with Trustpoint3, while the new Identity Certificate is associated with TrustPoint2. Is this the problem? How do I associate the CA cert from CAcert.org with TrustPoint2? I don't recall ever getting an option to do this.
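As an added example (not configuration from anyone in this thread), here is the ASA CLI sequence for enrolling an identity certificate from a public CA so that the CA certificate and the identity certificate end up in the same trustpoint, with the subject name set to the FQDN users connect to. The trustpoint name `VPN_TrustPoint` and key label `vpn-key` are assumed; `vpn.cfo.com` and the interface name `OUTSIDE_PRIMARY` are taken from the thread.

```cisco
! Added example, not the original poster's configuration.
! Assumed names: trustpoint VPN_TrustPoint, key pair vpn-key.
! vpn.cfo.com and OUTSIDE_PRIMARY come from the thread above.

! 1. A dedicated 2048-bit key pair for the VPN identity certificate
crypto key generate rsa label vpn-key modulus 2048

! 2. One trustpoint that will hold BOTH the CA certificate and the
!    identity certificate. Terminal enrollment: the CSR is printed on
!    the console and submitted to the CA, and the signed result is
!    pasted back into this same trustpoint.
crypto ca trustpoint VPN_TrustPoint
 enrollment terminal
 fqdn vpn.cfo.com
 subject-name CN=vpn.cfo.com
 keypair vpn-key
 exit

! 3. Generate the CSR; copy the PEM block the ASA prints and submit it to the CA
crypto ca enroll VPN_TrustPoint

! 4. Install the CA's own certificate into the SAME trustpoint first
!    (paste the PEM text when prompted, then type "quit")
crypto ca authenticate VPN_TrustPoint

! 5. Install the identity certificate the CA returned into that trustpoint
crypto ca import VPN_TrustPoint certificate

! 6. Verify: the identity certificate should show the public CA as issuer,
!    cn=vpn.cfo.com as subject, and "Associated Trustpoints: VPN_TrustPoint"
show crypto ca certificates VPN_TrustPoint

! 7. Bind the trustpoint to the interface AnyConnect users connect to
ssl trust-point VPN_TrustPoint OUTSIDE_PRIMARY
```

A CA certificate authenticated into a different trustpoint than the one holding the identity certificate does not complete the chain for that identity certificate, which is the mismatch the post above describes.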
01-29-2013 01:59 PM
It turns out I needed to use a legit SSL cert, and not use the self-signed cert. So I bought one, and everything works now.
03-17-2013 02:50 PM
I am having the same issue.
Where did you buy your new certificate from?