07-14-2011 02:37 PM
Need some help and expert advice in here. I searched the web but couldn't find much information.
Here is the case: During the process of generating the CSR on ASA, I got the following message:
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: no
It is my understanding that the ASA generated this message because my ASA hostname is different from the configured FQDN name.
Question - I am using this certificate for SSL VPN connection, will this really cause any problem?
I tested both scenarios, (a) ASA hostname is different than FQDN, and (b) ASA hostname is the same as FQDN;
I was using the AnyConnect client for testing and it seems to work OK in both cases: the connection is authenticated with the third party CA and the VPN is up and passing traffic. I didn't notice any significant differences between the two cases; anyhow, the warning message concerns me and I need your inputs and comments.
In addition, just curious, under what conditions or scenarios does this warning message apply?
Anyone, please? Thanks!
07-14-2011 03:30 PM
I have had a similar situation where I was generating a Certificate Signing Request and received that warning message. I responded yes, generated the CSR, received and installed the certificates and it is working fine for an ASA supporting SSL VPN.
HTH
Rick
09-12-2022 05:06 AM
Hello,
do you think the message below is related?
"INFO: Certificate has the following attributes:
Fingerprint: 734c86d6 00e66cb2 faf598d6 17ec9db6
Do you accept this certificate? [yes/no]: yes
WARNING: CA certificates can be used to validate VPN connections,
by default. Please adjust the validation-usage of this
trustpoint to limit the validation scope, if necessary.
% Error in saving certificate: status = FAIL
NEU-ARK-ASAPVN01(config)#
07-14-2011 09:54 PM
Hello,
The error you mentioned is just a warning because the configured fqdn on the trustpoint is different from the CN... in your case I don't think you even need that command. That command is to include a SAN (Subject Alternative Name) in the CSR; you can confirm this with one of the many CSR decoders available over the internet, such as:
http://www.sslshopper.com/csr-decoder.html
Bottom line, it will not cause any issue! That command just requests the CA to include the configured fqdn in the SAN field of the certificate.
Regards.
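The answer above says the trustpoint's fqdn setting only asks the CA to put that name in the SAN, and suggests a web CSR decoder to confirm it. As an added example (not from any poster in this thread, and not ASA code), the script below builds a CSR with a SAN the same way and decodes it locally with openssl, so the CSR never has to be pasted into a third-party site; the hostname "vpn-fw" and FQDN "vpn.example.com" are constructed values, and the check to care about is that the name AnyConnect users actually connect to appears in the SAN.

```shell
#!/bin/sh
# Added example: CN = system hostname, SAN = VPN FQDN, mirroring the
# ASA case where the hostname differs from the trustpoint fqdn.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_csr <cn> <san_fqdn>: writes $WORK/req.csr carrying a SAN extension
make_csr() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = DNS:$2
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/req.key" -out "$WORK/req.csr" \
        -config "$WORK/req.cnf" 2>/dev/null
}

# csr_cn <csr>: prints the subject CN (works for both "CN = x" and "/CN=x")
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# csr_san <csr>: prints the DNS entries from the SAN extension, e.g. DNS:vpn.example.com
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# san_matches <csr> <fqdn>: succeeds only if the FQDN clients use is in the SAN
san_matches() {
    csr_san "$1" | tr ',' '\n' | grep -qx "DNS:$2"
}

make_csr "vpn-fw" "vpn.example.com"
echo "CN:  $(csr_cn "$WORK/req.csr")"
echo "SAN: $(csr_san "$WORK/req.csr")"
san_matches "$WORK/req.csr" "vpn.example.com" && echo "SAN covers vpn.example.com"
```

The CN mismatch warning on the ASA is harmless as long as the FQDN users type into AnyConnect is present in the SAN, which is what the last check confirms.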