
Third party Certificate for SSL VPN

pemasirid
Level 1

Hi,

We already have a Thawte certificate installed and it shows as valid when I give show crypto ca certificate. However, when we try connecting with AnyConnect VPN, we got a warning that the ASA certificate issued by Thawte is expired.

My questions are:

1) Why does the certificate show here as expired, when I can see both certificates are valid in the firewall?

2) Can I re-install the 3rd party certificate at this time, and what is the procedure?

3) If I remove the trustpoint in the ASA (no crypto ca trustpoint xxxx), do we need to revoke the certificate from the certificate vendor?

4) If I do not save the configuration, can I roll back my removal of the trustpoint and get the previous state (showing two certificates as valid)?

The attached file contains:

1) The certificate error seen when trying to log in to SSL VPN

2) The available certificates before and after removal of the trustpoint in the ASA

3) The configuration for re-installing the 3rd party certificate and its error.


Herbert Baerten
Cisco Employee

Hi,

First of all, note that the certificate expiry error is not about your certificate, but about a certificate issued to Cisco Systems (also issued by Thawte, but by a different sub-CA since this is a code signing certificate).

The certificate that you get the error for is the one that the Java applets on the ASA are signed with by default, so I assume you get this error not when you initially connect to the ASA, but later in the connection process when you try to download the client (or when you use any other Java applet from the ASA).

To resolve the error, check this:

hth

Herbert