09-24-2012 08:28 AM
SSL VPN: is there a way to not have it display the 'untrusted site' warning when connecting? I have a trusted 3rd party cert installed on the ASA. Is there a way, when I connect to it via the web, to not have it give the users the below page and just go to the login? If they hit continue it works, but we're looking for a way of removing this error.
There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information
09-24-2012 08:34 AM
Hi Jason,
So you installed a third party certificate and you still see the cert warning?
Where is this 3rd party cert from? Godaddy, Entrust, Verisign?
Please attach the "show run ssl" output.
Thanks.
Portu
09-24-2012 08:38 AM
Yes, it's from Godaddy.
The command "show run ssl" gave me this output:
ssl trust-point ssl.axisbu.com.trustpoint outside
09-24-2012 08:42 AM
Please attach the following command:
show crypto ca certificate ssl.axisbu.com.trustpoint
Thanks.
09-24-2012 08:43 AM
Hope this helps, SSL problems always kill me.
Certificate
Status: Available
Certificate Serial Number: 079872d98e66fb
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
serialNumber=07969287
cn=Go Daddy Secure Certification Authority
ou=http://certificates.godaddy.com/repository
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=ssl.axisbu.com
ou=Domain Control Validated
o=ssl.axisbu.com
OCSP AIA:
CRL Distribution Points:
[1] http://crl.godaddy.com/gds1-76.crl
Validity Date:
start date: 16:01:44 CDT Sep 17 2012
end date: 12:22:09 CDT Jul 25 2015
Associated Trustpoints: ssl.axisbu.com.trustpoint
CA Certificate
Status: Available
Certificate Serial Number: 0301
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
ou=Go Daddy Class 2 Certification Authority
o=The Go Daddy Group\, Inc.
c=US
Subject Name:
serialNumber=07969287
cn=Go Daddy Secure Certification Authority
ou=http://certificates.godaddy.com/repository
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
OCSP AIA:
CRL Distribution Points:
[1] http://certificates.godaddy.com/repository/gdroot.crl
Validity Date:
start date: 19:54:37 CST Nov 15 2006
end date: 19:54:37 CST Nov 15 2026
Associated Trustpoints: ssl.axisbu.com.trustpoint
09-24-2012 10:00 AM
Hi Jason,
Please do the following:
1- no ssl trustpoint ssl.axisbu.com.trustpoint outside
2- webvpn
no enable outside
exit
3- ssl trustpoint ASDM_TrustPoint3 outside
4- webvpn
enable outside
It looks like it is not presenting the right certificate, probably the self-signed got stuck, please follow the steps and let me know.
Thanks.
Portu.
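Added example (not part of the original thread): one way to run the check behind the diagnosis above, comparing the certificate a browser reports against the identity certificate in the `show crypto ca certificate` output. The `presented` dictionary, its keys and the function names are assumptions, and the name check is an exact CN comparison that ignores wildcards and SAN entries.

```python
import re

# Constructed sample: abridged from the "show crypto ca certificate" output in this thread.
ASA_OUTPUT = """\
Certificate
  Certificate Serial Number: 079872d98e66fb
  Issuer Name:
    cn=Go Daddy Secure Certification Authority
  Subject Name:
    cn=ssl.axisbu.com
CA Certificate
  Certificate Serial Number: 0301
  Issuer Name:
    ou=Go Daddy Class 2 Certification Authority
  Subject Name:
    cn=Go Daddy Secure Certification Authority
"""

def parse_asa_certs(text):
    """Return one dict per certificate block: kind, serial, issuer and subject RDNs."""
    certs, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("Certificate", "CA Certificate"):
            certs.append({"kind": line, "issuer": {}, "subject": {}})
            section = None
        elif not certs:
            continue
        elif line in ("Issuer Name:", "Subject Name:"):
            section = line.split()[0].lower()
        elif m := re.fullmatch(r"Certificate Serial Number:\s*(\w+)", line):
            certs[-1]["serial"] = m.group(1).lower()
        elif section and re.match(r"\w+=", line):
            key, value = line.split("=", 1)
            certs[-1][section][key.lower()] = value
        else:
            section = None  # any other field ends the name block
    return certs

def diagnose(presented, hostname, asa_text=ASA_OUTPUT):
    """List why a browser would warn about the certificate the ASA presented."""
    identity = next(c for c in parse_asa_certs(asa_text) if c["kind"] == "Certificate")
    findings = []
    if presented["serial"].lower() != identity["serial"]:
        findings.append("not the installed identity certificate")
    if presented["subject_cn"] == presented["issuer_cn"]:
        findings.append("self-signed")
    if presented["subject_cn"].lower() != hostname.lower():  # exact match only (assumption)
        findings.append("name mismatch")
    return findings
```

Fill `presented` from the browser's certificate viewer; an empty list means the ASA is serving the installed third-party certificate under the expected name.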
09-24-2012 10:07 AM
I get this error on the first command:
no ssl trustpoint ssl.axisbu.com.trustpoint outside
^
ERROR: % Invalid input detected at '^' marker.
09-24-2012 10:17 AM
Jason,
Did you try in global configuration mode?
Thanks.
09-24-2012 10:19 AM
I just rebooted the ASA and it is working now. Sometimes you just have to reboot.
Thanks for your help
09-24-2012 10:24 AM
Glad to help
Have a good one.