7. If you see messages like those above, there is a problem with the certificate used for SSL VPN.
Delete and Rebuild Trustpoint
1. Check webvpn configuration to see which trustpoint is being used:
   UC540#sh run | se webvpn
   webvpn gateway SDM_WEBVPN_GATEWAY_1
    ip address 172.16.1.10 port 443
    ssl trustpoint TP-self-signed-908968563
    inservice
2. Check the configuration of that trustpoint. Note the trustpoint name; it is used again in the steps below.
   UC540#sh run | se trustpoint TP-self-signed-908968563
   crypto pki trustpoint TP-self-signed-908968563
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-908968563
    revocation-check none
3. Verify that an RSA key pair exists for that trustpoint.
   UC_540#sh cry key mypubkey rsa TP-self-signed-908968563
   % Key pair was generated at: 04:22:18 EST Feb 7 2011
   Key name: TP-self-signed-908968563
   Key type: RSA KEYS
    Storage Device: private-config
    Usage: General Purpose Key
    Key is not exportable.
    Key Data:
     (redacted)
4. Delete the trustpoint.
   UC540#conf t
   Enter configuration commands, one per line.  End with CNTL/Z.
   UC540(config)#no crypto pki trustpoint TP-self-signed-908968563
   % Removing an enrolled trustpoint will destroy all certificates
    received from the related Certificate Authority.

   Are you sure you want to do this? [yes/no]: yes
   % Be sure to ask the CA administrator to revoke your certificates.
5. Recreate the trustpoint using the configuration from step 2, and add the 'rsakeypair' command, naming the key pair you verified in step 3. In the cases we have seen, the 'rsakeypair' line is the piece that is missing, so it must be added back. Note: when recreating the trustpoint, reuse the same trustpoint name that was previously configured so you do not have to go back and update every place it is referenced (for example, the 'ssl trustpoint' line under the webvpn gateway).
6. Enroll the trustpoint to generate a new certificate.
   UC540(config)#crypto pki enroll TP-self-signed-908968563
   % Include the router serial number in the subject name? [yes/no]: no
   % Include an IP address in the subject name? [no]: no
   Generate Self Signed Router Certificate? [yes/no]: yes

   Router Self Signed Certificate successfully created
7. Verify that the certificate was created.
   UC540#show crypto pki cert TP-self-signed-908968563
   Router Self-Signed Certificate
     Status: Available
     Certificate Serial Number (hex): 02
     Certificate Usage: General Purpose
     Issuer:
       hostname=UC540
       cn=IOS-Self-Signed-Certificate-908968563
     Subject:
       Name: UC540
       hostname=UC540
       cn=IOS-Self-Signed-Certificate-908968563
     Validity Date:
       start date: 09:49:03 PST Oct 3 2011
       end   date: 16:00:00 PST Dec 31 2019
     Associated Trustpoints: TP-self-signed-908968563
8. Test by browsing to the UC500 webvpn portal. A browser warning that the self-signed certificate is not trusted is expected; what matters is that the portal page loads instead of the connection failing.
9. If you now see the portal page, check whether your phone can connect.
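The complete rebuild from step 5 onward, written out as one CLI sequence. This is an added example and not a transcript from the original article: it reuses the trustpoint name, key pair name and gateway name shown in steps 1 through 3, while the optional key-generation modulus and the gateway bounce at the end are choices made here, not something the article specifies.

```cisco
! Added example, not from the original article. Reuses the names seen in
! steps 1-3; the modulus and the gateway bounce are assumptions made here.
UC540#configure terminal
!
! Only if step 3 showed NO key pair: generate one with the same label so the
! rsakeypair line below can reference it. Skip this if the key already exists.
! UC540(config)#crypto key generate rsa label TP-self-signed-908968563 modulus 2048
!
! Recreate the trustpoint with the settings from step 2, plus 'rsakeypair'.
UC540(config)#crypto pki trustpoint TP-self-signed-908968563
UC540(ca-trustpoint)#enrollment selfsigned
UC540(ca-trustpoint)#subject-name cn=IOS-Self-Signed-Certificate-908968563
UC540(ca-trustpoint)#revocation-check none
UC540(ca-trustpoint)#rsakeypair TP-self-signed-908968563
UC540(ca-trustpoint)#exit
!
! Self-enroll to create the certificate (answer the prompts as in step 6).
UC540(config)#crypto pki enroll TP-self-signed-908968563
!
! Re-apply the trustpoint on the gateway and bounce it so the gateway is
! certain to serve the new certificate on 172.16.1.10:443.
UC540(config)#webvpn gateway SDM_WEBVPN_GATEWAY_1
UC540(config-webvpn-gateway)#ssl trustpoint TP-self-signed-908968563
UC540(config-webvpn-gateway)#no inservice
UC540(config-webvpn-gateway)#inservice
UC540(config-webvpn-gateway)#end
!
! Verify: the trustpoint now carries the rsakeypair line, the certificate
! shows Status: Available, and the gateway is up. Then save the config.
UC540#show run | section crypto pki trustpoint
UC540#show crypto pki certificates TP-self-signed-908968563
UC540#show webvpn gateway SDM_WEBVPN_GATEWAY_1
UC540#write memory
```

Check the 'show run | section crypto pki trustpoint' output before testing the portal: if the 'rsakeypair' line is still absent, the enrollment did not bind the certificate to the key pair and the same SSL VPN errors will come back.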