Warning message - an fqdn differs from the system fqdn

TCAM
Level 1

Need some help and expert advice here. I searched the web but couldn't find much information.

Here is the case: During the process of generating the CSR on ASA, I got the following message:

WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: no

It is my understanding that the ASA generated this message because my ASA hostname is different from the configured FQDN.

Question - I am using this certificate for SSL VPN connections; will this really cause any problem?

I tested both scenarios: (a) ASA hostname different from the FQDN, and (b) ASA hostname the same as the FQDN.

I was using the AnyConnect client for testing and it seems to work OK in both cases: the connection is authenticated with the third-party CA and the VPN is up and passing traffic. I didn't notice any significant differences between the two cases; anyhow, the warning message concerns me and I need your input and comments.

In addition, just curious: under what conditions or scenarios does this warning message apply?

Anyone, please?  Thanks!

3 Replies

Richard Burts
Hall of Fame

I have had a similar situation where I was generating a Certificate Signing Request and received that warning message. I responded yes, generated the CSR, received and installed the certificates and it is working fine for an ASA supporting SSL VPN.

HTH

Rick


Hello,

Do you think the message below is related?

"INFO: Certificate has the following attributes:
Fingerprint: 734c86d6 00e66cb2 faf598d6 17ec9db6
Do you accept this certificate? [yes/no]: yes
WARNING: CA certificates can be used to validate VPN connections,
by default. Please adjust the validation-usage of this
trustpoint to limit the validation scope, if necessary.
% Error in saving certificate: status = FAIL
NEU-ARK-ASAPVN01(config)#"

Gustavo Medina
Cisco Employee

Hello,

The error you mentioned is just a warning because the configured fqdn on the trustpoint is different from the CN... In your case I don't think you even need that command. That command is to include a SAN (Subject Alternative Name) in the CSR; you can confirm this with one of the many CSR decoders available on the internet, such as:

http://www.sslshopper.com/csr-decoder.html

Bottom line, it will not cause any issue! That command just requests the CA to include the configured fqdn in the SAN field of the certificate.

Regards.
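The reply above suggests pasting the CSR into an online decoder to see whether the trustpoint fqdn ended up in the SAN. The following is an added example, not code from this thread or from Cisco: it builds a CSR shaped like the one under discussion (CN set to a constructed "system fqdn", SAN set to a constructed "trustpoint fqdn"), decodes it locally with Go's standard library instead of a third-party website, and then runs the hostname check a TLS client performs against a certificate carrying those names, to show which URL hostname such a certificate is actually accepted for. All names and keys are constructed for the example; the self-signed certificate stands in for the CA-issued one and only exercises the name matching.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CSRNames holds the identities a decoded CSR asks the CA to certify.
type CSRNames struct {
	CN  string   // Subject Common Name
	SAN []string // Subject Alternative Name dNSName entries
}

// makeSampleCSR builds a CSR shaped like the one in the thread: CN = the ASA's
// system fqdn, SAN = the fqdn configured on the trustpoint. Names and key are
// constructed for this example. Returns the PEM-encoded CSR and its key.
func makeSampleCSR(systemFQDN, trustpointFQDN string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: systemFQDN, Organization: []string{"Example Corp"}},
		DNSNames: []string{trustpointFQDN},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// decodeCSR is the offline equivalent of an online CSR decoder: parse the PEM,
// check the CSR's self-signature, and report the CN and SAN DNS names.
func decodeCSR(pemCSR []byte) (CSRNames, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return CSRNames{}, fmt.Errorf("no CERTIFICATE REQUEST block in input")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return CSRNames{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return CSRNames{}, fmt.Errorf("CSR signature invalid: %w", err)
	}
	return CSRNames{CN: csr.Subject.CommonName, SAN: csr.DNSNames}, nil
}

// hasName reports whether name appears as the CN or as a SAN DNS entry
// (case-insensitive, as DNS names are).
func (n CSRNames) hasName(name string) bool {
	if strings.EqualFold(n.CN, name) {
		return true
	}
	for _, s := range n.SAN {
		if strings.EqualFold(s, name) {
			return true
		}
	}
	return false
}

// clientAccepts mimics the name check a TLS client performs once the CA has
// issued the certificate: a self-signed certificate carrying the CSR's names
// stands in for the issued one, and Go's verifier decides whether it is valid
// for the hostname in the URL the client connects to.
func clientAccepts(names CSRNames, key *ecdsa.PrivateKey, hostname string) (bool, error) {
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names.CN},
		DNSNames:     names.SAN,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(hostname) == nil, nil
}

func main() {
	pemCSR, key, err := makeSampleCSR("asa-hostname.example.com", "vpn.example.com")
	if err != nil {
		panic(err)
	}
	names, err := decodeCSR(pemCSR)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN : %s\nSAN: %v\n", names.CN, names.SAN)
	for _, h := range []string{"vpn.example.com", "asa-hostname.example.com"} {
		ok, _ := clientAccepts(names, key, h)
		fmt.Printf("https://%s/ accepted by hostname check: %v\n", h, ok)
	}
}
```

Go's verifier, like current browsers, matches the URL hostname against the SAN dNSName entries only, so the constructed "vpn.example.com" (SAN) is accepted while "asa-hostname.example.com" (CN only) is rejected. The name that matters to the client is the one users put in the URL, which is why checking the SAN content of the CSR, rather than the ASA hostname, answers the question in the thread.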