05-18-2012 02:50 AM
Hi all,
I have the following problem.
I've configured an SSL VPN on a UC520.
I can log in properly and I can see the labels, but I can only access URLs that are http, not https:
I can access the default ip of the uc520 (192.168.1.10) but
When I try to get access to a secure url I get the msg: Failed to validate server certificate
I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
Do the certificates of both devices have to be the same?
How can I add an https URL?
Here is the config of the router:
!
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 192.168.1.254 port 443
ssl trustpoint TP-self-signed-2977472073
inservice
!
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
url-list "Intranet"
heading "Corporate Intranet"
url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
url-text "Impresora" url-value "http://192.168.10.100"
url-text "DMM" url-value "https://pc.sumkio.local:8443"
url-text "DMM 1" url-value "http://192.168.10.10:8080"
url-text "UC520" url-value "http://192.168.10.1"
!
!
policy group SDM_WEBVPN_POLICY_1
url-list "Intranet"
mask-urls
svc dns-server primary 192.168.10.250
svc dns-server secondary 8.8.8.8
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
max-users 10
inservice
!
Any help would be appreciated.
Thank you
05-25-2012 01:03 AM
Hi Pablo,
you will need to create a trustpoint and import either:
- the server certificate (in this case you need 1 trustpoint per server)
or
- the issuer certificate (e.g. if all your servers have a cert issued by Globalsign, then import the Globalsign signing certificate)
hth
Herbert
05-25-2012 01:36 AM
hi,
Thanks for your answer, but I don't know how to do that.
I have 3 files, one is .crt, another is .ca and the last is .prv.
All these are from the UC520.
This certificate is self-signed.
Which file should I export to the Cisco Digital Media Manager?
And how can I do that?
Or do I have to import the CA from the DMM to the UC520?
I'm really lost
05-25-2012 02:16 AM
Hi Pablo,
you do not need to do anything on the DMM.
On the router, you need to import the DMM server certificate OR the CA certificate of the CA that the DMM received its cert from.
Off the top of my head, you would need something like:
conf t
crypto pki trustpoint DMMCA
enrollment terminal
exit
exit
crypto pki authenticate DMMCA
OR
crypto pki import ...
to import the server cert.
(check the options, don't know them by heart)
Sorry for the condensed response - hope to have more time later or next week if you need more help.
H
05-25-2012 02:38 AM
Hi, thanks for your advice.
I'm trying to copy the certificate via cut and paste, but I'm getting a
% Error in saving certificate: status = FAIL
I don't know if I'm doing this right.
I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
I get a file which, if I open it with Notepad, looks like this:
-----BEGIN CERTIFICATE-----
MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
.............
KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
-----END CERTIFICATE-----
If I try to authenticate the trustpoint, I get that error.
How can I export the certificate from the DMM?
I think that this file is not the right file.
And then, do I have to make some changes in webvpn gateway SDM_WEBVPN_GATEWAY_1?
Should I choose the new trustpoint?
I understand that the old trustpoint is for the outside connection, not for the LAN connection.
Don't worry about me, answer when you can, but I really need to fix this.
Thank you so much
05-25-2012 02:51 AM
It sounds like you're doing the right things, the cert format looks good, so not sure why it is saying "Error in saving certificate:". You may need to use "crypto pki import ..." instead of authenticate.
Would you mind posting the entire cert in PEM format (or send it to me privately - click on my name, then on my profile page click "send private message") ?
Can't promise a response in the next few days though.
H
06-05-2012 01:07 PM
Hi Pablo,
Thanks for sending me the cert. I tried importing it and see the same problem, but when I examine the cert with openssl it seems fine - but then I noticed that it has a very long validity, until the year 2112; I think this is causing the problem.
I found this bug on ASA:
CSCsu27196 ASA should support certificates with dates after Jan 19 2038
but I believe IOS has the same problem, although I cannot immediately find a bug ID for it.
Could you try issuing a new self-signed cert on the DMM server, with a shorter validity, e.g. until 2037?
hth
Herbert
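An added check for the validity problem Herbert describes (not code from the thread or from Cisco): it walks a DER certificate's tbsCertificate to the notAfter field and compares it with the point where a signed 32-bit time_t overflows, 19 Jan 2038 03:14:07 UTC. It also handles the encoding detail behind such certs: X.509 writes years up to 2049 as UTCTime and years from 2050 (like the DMM's 2112) as GeneralizedTime. The sample certificate skeleton at the bottom is constructed for the demo and is not signed; the DER walker and the 2038 limit are the same for a real cert.

```python
from datetime import datetime, timezone

TIME_T_32_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)  # where 32-bit time_t overflows

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _asn1_time(tag, value):
    """UTCTime (0x17, YYMMDD..., years 1950-2049) or GeneralizedTime (0x18, YYYYMMDD..., 2050+)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = "%04d%s" % (yy + 2000 if yy < 50 else yy + 1900, text[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return the notAfter datetime."""
    fields = list(_children(next(_children(_tlv(der, 0)[1]))[1]))
    if fields[0][0] == 0xA0:                 # skip the optional [0] EXPLICIT version field
        fields = fields[1:]
    validity = fields[3][1]                  # serialNumber, signature, issuer, validity, ...
    return _asn1_time(*list(_children(validity))[1])

def exceeds_32bit_time_t(der):
    """True when the cert outlives the 32-bit time_t range that the thread blames for the import error."""
    return not_after(der) > TIME_T_32_MAX

def _der(tag, payload):                      # minimal DER encoder (short-form length only)
    return bytes([tag, len(payload)]) + payload

def sample_cert(not_after_tag, not_after_text):
    """Constructed, unsigned certificate skeleton: only the fields the walker reads are populated."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")))  # sha1WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"120501000000Z") + _der(not_after_tag, not_after_text))
    tbs = version + _der(0x02, b"\x01") + sig_alg + _der(0x30, b"") + validity
    return _der(0x30, _der(0x30, tbs))
```

For a real PEM file, strip the BEGIN/END lines, base64-decode the body and pass the bytes to exceeds_32bit_time_t; a cert that fails the check is the one to re-issue with a shorter validity.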
07-19-2013 02:17 AM
Hi Herbert,
I have read your suggestion:
you will need to create a trustpoint and import either:
- the server certificate (in this case you need 1 trustpoint per server)
Does that mean we should ask the server owner for a valid certificate to insert into the Cisco router 1941?
I have no idea how to get the certificate for Gmail if we prefer to access this webmail service through the SSL VPN.
Moreover, how can we use that cert if a valid cert is already inserted into the router, because the router is already using this
"#crypto pki trustpoint TP-self-signed-3430371784" for clients.
Which command should I use for the valid certificate?