[SOLVED] Anyconnect VPN using Local ASA based CA Server Cert errors

Devinder Sharma

Hello All,

A customer needs to use certificate based authentication for users to VPN into ASA. They don't have any Microsoft CA and neither do they wish to buy public certs for ASA and users.

I just tested in the lab using a local CA server (followed the link below), and even though the Windows laptop has the user cert (issued by the ASA CA) and the CA (ASA) cert imported and placed into the personal and trusted root cert stores, AnyConnect still complains:

AnyConnect cannot verify server: aaa.bbb.local (this is the ASA FQDN, the issuer-name and the Subject name default)

Certificate does not match the server name.

Certificate is from an untrusted source.

I have done username / password based VPN a few times with the self-signed cert of the ASA imported into Windows laptops, and that has removed these warnings, but I am not sure what could be the issue here.

I only had an ASA5505 in the lab and it is running 9.2.4, and AnyConnect is the latest 4.2 on Windows 10. Tested on two Win10 machines with the same results.

Here is the document followed:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200602-Configure-ASA-as-a-Local-CA-Server-and-A.html

Thanks so much


7 Replies

Hi,

In the ASA, you need to have the Root Certificate for your CA server installed along with the identity certificate which was obtained from the local CA. You need to make sure that the domain-name used to connect to AnyConnect VPN is the same as the identity certificate CN.

You need to have the Root Certificate for the CA server and ASA identity certificate in your Trusted Root Store.

Make sure that all your devices and ASA are synched to NTP to avoid time errors.

Thanks Mohammed for looking into this.

The CA is the ASA itself, not an external local one like a Microsoft CA. So there is nothing like an identity certificate installed. And the root cert of the ASA (CA) along with the identity cert of the user (issued / signed by the ASA) are both installed on the laptop as part of the PFX bundle install that the laptop downloads via https from the ASA.

I am suspecting that the ASA may not be using its CA cert, but its default Temp Self Signed Cert (I will check that in a couple of hours when I am back in the lab). In newer codes, 9.3 onward, Cisco ASA starts using elliptical encryption ciphers if the client is capable, and if the cert installed is not using such a cipher, then it will start serving its self-signed one. I have been aware of that issue for a couple of years and the fix has been to set up ssl ciphers for non-elliptical / AES only. But that should not be the case here, as the 5505 is using the last available 9.2 code, and the code does not support elliptical ciphers and TLS1.1/1.2, nor is the ssl cipher command available in that code.

In the case of local CA use, it of course automatically creates a trustpoint, and no separate ssl trust-point NAME outside is used, so I am not sure how to ensure that the outside interface uses the locally installed CA cert.

Thanks so much and let me know if there is anything else I should be checking.

After further research, I did find that it will always use the ASA Temporary Self Signed Cert when presenting to VPN clients in my case, so the correct procedure requires a Third Party CA signed Cert to be installed on the ASA for this purpose, and the local CA on the ASA will issue user certs that are then validated by the ASA.

That isn't true. You can map the certificate to be used with the interface where your request is hitting.

In ASDM navigate to Configuration > Remote Access VPN > Advanced > SSL Settings. In the bottom you can map certificates to interfaces.

From the CLI, use the command: ssl trust-point STAR_TEST_COM OUTSIDE

The Local CA cert cannot be associated to the outside interface. As I mentioned, it was not clear that with the Local CA, it will not use a self-signed cert signed by its own CA as the interface cert. My further tests confirm that regardless, these are two separate things: we need a Public signed Cert for the interface, and then the local CA can issue user certs.

Thanks for the help and the very best for the new year.

The ASA itself does not enroll for a certificate with Local CA, only the endpoints. This is documented in the same guide you had used:

"Currently the ASA cannot enroll to the local CA server for the identity certificate"

As you mentioned above, the ASA should have a different certificate that is issued by another CA (public CA preferable) to use as an identity certificate.
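To make the resolution concrete, here is an added ASA CLI configuration sketch (not taken from the thread or from the Cisco guide) that separates the two roles the accepted answer describes: an identity certificate enrolled with an external CA and bound to the outside interface, and the local CA used only to issue user certificates. Trustpoint, key, tunnel-group and user names are assumptions; the FQDN aaa.bbb.local is the one from the question, and the CA that signs the identity certificate must also be present in the Windows Trusted Root store.

```cisco
! --- Identity certificate for the outside interface ---
! Enrolled with an external CA, because the ASA cannot enroll with
! its own local CA server. Names below are assumed for illustration.
crypto key generate rsa label ASA_ID_KEY modulus 2048
!
crypto ca trustpoint EXTERNAL_CA_TP
 enrollment terminal
 fqdn aaa.bbb.local
 subject-name CN=aaa.bbb.local
 keypair ASA_ID_KEY
!
! Step 1: paste the external CA's certificate when prompted.
crypto ca authenticate EXTERNAL_CA_TP
! Step 2: the ASA prints a CSR; have the external CA sign it.
crypto ca enroll EXTERNAL_CA_TP
! Step 3: paste the signed identity certificate when prompted.
crypto ca import EXTERNAL_CA_TP certificate
!
! Bind the certificate to the interface AnyConnect connects to.
! Without this line the ASA presents its temporary self-signed
! certificate, which yields the two warnings quoted in the question.
ssl trust-point EXTERNAL_CA_TP outside
!
! --- Local CA server: issues user certificates only ---
crypto ca server
 issuer-name CN=ASA-Local-CA
 keysize 2048
 lifetime ca-certificate 3650
 lifetime certificate 365
 no shutdown
!
! Register a user; the one-time password shown by this command is
! what the user types on the enrollment page to fetch the PFX bundle.
crypto ca server user-db add jdoe dn CN=jdoe,OU=VPN,O=Example
crypto ca server user-db allow jdoe
!
! --- Require a client certificate on the AnyConnect tunnel-group ---
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG webvpn-attributes
 authentication certificate
```

After applying this, "show ssl" (or browsing to https://aaa.bbb.local from the laptop and inspecting the certificate) confirms that the outside interface presents the externally signed identity certificate rather than the temporary self-signed one.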

OK, this is correct. I misunderstood the previous post. I was looking for the local CA server to generate enterprise certificates.
