Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1548
Views
0
Helpful
3
Replies

Security Warning for ASA SSL VPN using Wildcard Certificate

rfranzke
Level 1
Level 1

‎03-20-2014 03:20 PM

Greetings,

 

Setting up WebVPN for ASA5515X. Everything works as designed except I am getting security warnings when initiating connection. Something to the effect of:

Untrsted VPN Server Blocked

I use a Netsol issued Wildcard Certificate. It been imported with the keys and the cert chain. Seems when I connect to the ASA using SSL VPN I have to connect using the hostname and domain name configured on the ASA for it to not throw security warnings. Is there some way to tell the ASA to match using something other than the configured local hostname and domain so I can stop these warnings? Thanks in advance.

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-20-2014 04:19 PM

If you use anything other than the FQDN* configured in the certificate (which should match that of the ASA) you will get the browser and/or Anyconnect warning. You can click past the warning in the web interafce or tell AnyConnect via its preferences settings to not "Block Connections to Untrusted Servers" (generally not recommended) and still connect though either seems a bit silly if you've gone to the trouble to purchase and install a certificate.

 

*Technically your certificate isn't "fully" qualified with the wildcard but the non-woldcarded bits must match.

0 Helpful

rfranzke
Level 1
Level 1
In response to Marvin Rhoads

‎03-21-2014 07:26 AM

Thanks for the reply. I understand normally you would want have the hostnames match to get the cert warning to go away. What I was wondering is if you could tell the ASA to use something other than the hostname for matching. My devices hostnames are based on function/location etc. I don't really want to give that away to users by having them connect to some cab01-asa-10.domain.com URL. I would prefer to not change the hostname either to match the URL I give users just to support this functionality. The wildcard cert works if I set up local host entries on my machine for the hostname of the device so I know changing the hostname will fix the issue. Would like to avoid that if possible.

 

Does anyone know if I change the hostname do I need to do anything with the cert/trustpoint already configured to get it to work? Maybe reload the cert for use with the new hostname? Thanks again for the reply.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rfranzke

‎03-21-2014 08:24 AM

Hmm, I'm not positive but I see what you're asking.

If I understand correctly how the certificates work, it's actually the "cn" (common name) value on the certificate that's be compared to the FQDN the client browsed to. Usually the cn is the same as the device hostname. It doesn't have to be though. cn could be the user-friendly name and hostname could be the name useful to the IT team.

Since your certificate cn is * (wildcard), it seems to me if your DNS record (or local hosts file) maps cn.yourcompany.com to your ASAs outside address and the ASA has the certificate *.yourcompany.com installed it might work OK. It's worth a try.

0 Helpful
Customers Also Viewed These Support Documents