Signed SSL certificate still presents as untrusted site on Cisco anyconnect VPN

udensialbern
Level 1

Dear All, kindly assist me with this issue.

I have configured AnyConnect remote access VPN on a Cisco ASA. I created a self-signed certificate while setting up the VPN. When I try to connect, it presents me with a message that I am trying to visit an untrusted site. I disabled it from the client and now I can connect to the VPN using the IP address.

Now, we went ahead to get a signed SSL certificate from GoDaddy and uploaded it to the ASA. I deleted the self-signed copy I had and associated the new signed GoDaddy certificate to the outside interface and the connection profile, but I still get the untrusted message when I try to connect using the IP address. If I try to use the FQDN (asa-fw.domain.com) to connect, it won't present me with any page.

My question is this: I want to know if I need to host the new domain name I used in signing the certificate (such as asa-fw.domain.com) with the IP address of the ASA as the A record on the DNS.

Note: We currently own the primary domain name (i.e. domain.com) but we did not host asa-fw.domain.com.

Your quick response will be greatly appreciated.

Thanks

5 Replies

JP Miranda Z
Cisco Employee

Hi 

Hope this info helps!!

Rate if it helps you!!

-JP-

Hi JP,

Here is the result of sh run all ssl:

ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint3 outside
ssl certificate-authentication fca-timeout 2

My ASA is a 5525-X with Software Version 9.2(2)4.

I still want to know if I need to host the new subdomain I used for signing the SSL certificate. The format of the domain name I used is asa-fw.domainname.com.

Although we own www.domainname.com, which is already our website.

Regards

Udensi

Hi udensialbern,

As long as asa-fw.domainname.com resolves to the public IP of your ASA, everything should be working fine. Can you share a sh cry ca certificates?

Hope this info helps!!

Rate if it helps you!!

-JP-

Hi JP Miranda Z,

This is exactly my point. asa-fw.domainname.com is not resolving to the public IP of my ASA. And if I use https://ipaddressofFW it still prompts me with the untrusted site message. What should I do to resolve this?

Thanks

Udensi

The common name (CN) in the certificate must match the FQDN used to access the ASA's public IP address.

Here's how to check and fix it:

1. Check what certificate CN you are getting, to verify the certificate is installed and bound correctly. Do this by browsing to the ASA's public IP via https and inspecting the certificate details from your browser.

2. Update the DNS records to match. (For testing purposes you can use a local hosts file; this obviously does not scale to multiple users.)
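The two replies above (the certificate name must resolve to the ASA's public IP, and the CN/SAN must match the name the client types) come down to one check a browser or AnyConnect performs: does the name in the URL appear in the certificate's subjectAltName (or, as a fallback, its CN)? The following script is an added example for this thread, not Cisco's or GoDaddy's code. It reproduces that check in Python's stdlib on a constructed certificate summary shaped like what ssl's getpeercert() returns, and shows why connecting by IP address fails even with a valid GoDaddy certificate: an IP literal only matches an "IP Address" SAN, never a DNS name. The hostname asa-fw.domainname.com is taken from the thread; the IP 203.0.113.10 is a documentation placeholder. The fetch_cert() helper is an assumption about how one would run the same check against a live ASA; it validates the chain against the system CA store and leaves only the name comparison to the script, so a mismatch is reported rather than raised.

```python
"""Check whether a TLS server certificate covers the name a client used to reach it.

Added example for this thread (not Cisco code). Models the situation described:
a certificate issued for asa-fw.domainname.com is presented when the client
connects by IP address, so the client reports an untrusted site.
"""
import ipaddress
import socket
import ssl

# Constructed certificate summary in the shape returned by SSLSocket.getpeercert().
# Hostname from the thread; no IP Address SAN, which is typical for a public CA cert.
EXAMPLE_CERT = {
    "subject": ((("commonName", "asa-fw.domainname.com"),),),
    "subjectAltName": (("DNS", "asa-fw.domainname.com"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, one leading '*.' label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one label and never the bare parent domain.
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def cert_names(cert: dict) -> tuple:
    """Return (dns_names, ip_names) from subjectAltName; fall back to the CN
    only when the certificate carries no SAN at all, as browsers do."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def cert_matches(cert: dict, target: str) -> bool:
    """True if the certificate is valid for `target` (an FQDN or an IP literal)."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(_dns_name_matches(p, target) for p in dns)
    # An IP literal in the URL only matches an IP Address SAN, never a DNS name or CN.
    return any(ipaddress.ip_address(i) == ip for i in ips)


def explain(cert: dict, target: str) -> str:
    """One-line diagnosis in the spirit of step 1 of the reply above."""
    dns, ips = cert_names(cert)
    if cert_matches(cert, target):
        return f"OK: {target} matches certificate names DNS={dns} IP={ips}"
    return (f"MISMATCH: {target} not covered by certificate names DNS={dns} IP={ips}; "
            "connect with a covered name and point that name at this address in DNS")


def fetch_cert(host: str, port: int = 443) -> dict:
    """Assumed helper: fetch the peer certificate from a live server, validating the
    chain against the system CA store but leaving the name check to cert_matches()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # name comparison is done by this script
    ctx.verify_mode = ssl.CERT_REQUIRED   # a trusted chain is still required
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_cert_name.py asa-fw.domainname.com  (or an IP literal)
        target = sys.argv[1]
        print(explain(fetch_cert(target), target))
    else:
        for target in ("asa-fw.domainname.com", "203.0.113.10"):
            print(explain(EXAMPLE_CERT, target))
```

Run without arguments it prints OK for the FQDN and MISMATCH for the IP, which is the exact situation in the thread: the fix is step 2 above, an A record (or a hosts entry while testing) so the client reaches the ASA by the covered name, not a change to the certificate. The stdlib ssl module handles the same comparison internally when check_hostname is left on; it is re-implemented here only so that the reason for a rejection can be shown.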