Avoiding the "There is a problem with this website's security certificate" browser warning when establishing a VPN connection to a 1941ISR using SSLVPN

Answered Question
Mar 3rd, 2011

I recently configured and installed a 1941ISR for a customer. The customer purchased a 25-User SSLVPN license with the router, and I configured it for remote SSLVPN access. This is working nicely except for one issue: when users initiate an SSLVPN connection request by browsing to the assigned webvpn gateway IP, they get the "There is a problem with this website's security certificate" browser message. They are in the process of working with their DNS hosting provider to get a DNS entry assigned to the IP address so the users won't have to specify an IP address in the URL address box, but they will continue to get the certificate error until/unless I can figure out how to resolve the issue.


I've tried the following "How to make IE8 trust a self-signed certificate in 20 irritating steps" that I found via another forum link but with no luck:


1. Browse to the site whose certificate you want to trust.
2. When told "There is a problem with this website's security certificate.", choose "Continue to this website (not recommended)."
3. Select Tools->Internet Options.
4. Select Security->Trusted sites->Sites.
5. Confirm the URL matches, and click "Add" then "Close".
6. Close the "Internet Options" dialog box with either "OK" or "Cancel".
7. Refresh the current page.
8. When told "There is a problem with this website's security certificate.", choose "Continue to this website (not recommended)."
9. Click on "Certificate Error" at the right of the address bar and select "View certificates".
10. Click on "Install Certificate...", then in the wizard, click "Next".
11. On the next page select "Place all certificates in the following store".
12. Click "Browse", select "Trusted Root Certification Authorities", and click "OK".
13. Back in the wizard, click "Next", then "Finish".
14. If you get a "Security Warning" message box, click "Yes".
15. Dismiss the message box with "OK".
16. Select Tools->Internet Options.
17. Select Security->Trusted sites->Sites.
18. Select the URL you just added, click "Remove", then "Close".
19. Now shut down all running instances of IE, and start up IE again.
20. The site's certificate should now be trusted.

I followed all 20 irritating steps to the letter, but am still getting the security certificate nag… Now when I "Continue to this website (not recommended)" and click on "Certificate Error" at the right of the address bar, the certificate error window says "Mismatched Address".

Is there a way that I can get this fixed without resorting to a 3rd party CA?



Correct Answer by Jennifer Halim, Sat, 03/05/2011 - 16:59

Here are the steps to generate a new self signed certificate with the correct name:

1) Generate rsa key pair and name it:

crypto key generate rsa label sslkey modulus 1024

2) Create the trustpoint and configure the attributes:

crypto pki trustpoint TP-SSLVPN
     enrollment selfsigned
     subject-name cn=74.4.29.86
     rsakeypair sslkey

3) Generate the self signed certificate for the above created trustpoint:

crypto pki enroll TP-SSLVPN

4) Once the self signed certificate has been created, double check that you are happy with the certificate: show crypto pki certificates

5) Once you are happy, then assign the newly created trustpoint to your SSL VPN configuration.

Hope this helps.

Jennifer Halim (Cisco Employee) Fri, 03/04/2011 - 23:44

The step is correct to install the self signed certificate into the browser/pc Trusted Root Certification Authorities store.


The second error that you are getting, "Mismatch Address", is actually because the CN that you have created for the certificate does not match the URL that you use to access the SSL VPN. Hence the mismatch.


So if you check out your certificate, see what is configured under CN, and whether that matches what you use to access the URL.

If you access the URL using an IP address, then when you create the self signed certificate on the router, you would also need to create the CN=.

If you access the URL using DNS (e.g. sslvpn.domain.com), then the self signed certificate needs to be created with CN=sslvpn.domain.com


Hope that helps.
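The "Mismatched Address" error Jennifer describes is the browser's host-name verification: the host the user typed in the URL must equal a name carried by the certificate, and a self-signed certificate whose CN is the router's default "IOS-Self-Signed-Certificate-..." string can never satisfy that. The Python script below is an added example, not code from this thread or from Cisco. It models that comparison offline with hand-constructed certificate name sets (the three subject CNs that appear in this thread, plus a hypothetical certificate that also carries subjectAltName entries, which the thread's IOS configuration does not show) and reports why each combination of certificate and URL passes or fails. It goes a little beyond the thread in one respect: current browsers (Chrome since version 58, for instance) no longer fall back to the CN at all and only accept names from the subjectAltName extension, which the `allow_cn_fallback` parameter models.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class CertNames:
    """Name fields of a server certificate. Constructed by hand for this
    example; a real check would read them from the certificate the gateway serves."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison; a single leading '*.' wildcard
    may stand for exactly one left-most label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                 # "*.tsfhs.org" -> ".tsfhs.org"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def _ip_match(cert_ip: str, host_ip: str) -> bool:
    """Compare IP literals as addresses rather than strings, so spelling
    variants of the same address (mainly IPv6) still compare equal."""
    try:
        return ipaddress.ip_address(cert_ip) == ipaddress.ip_address(host_ip)
    except ValueError:                   # the CN is not an IP literal at all
        return False


def _host_from_url(url: str) -> str:
    """Extract the host the user typed, with or without a scheme, port or path."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").strip()


def names_match(cert: CertNames, url: str, allow_cn_fallback: bool = True) -> Tuple[bool, str]:
    """Return (matched, reason). allow_cn_fallback=True reproduces the 2011-era
    behaviour (IE8 compared the subject CN when the certificate has no SAN);
    False reproduces current browsers, which consult only subjectAltName."""
    host = _host_from_url(url)
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False

    if host_is_ip and any(_ip_match(c, host) for c in cert.san_ip):
        return True, "iPAddress SAN matches"
    if not host_is_ip and any(_dns_match(p, host) for p in cert.san_dns):
        return True, "dNSName SAN matches"

    if cert.san_dns or cert.san_ip or not allow_cn_fallback:
        return False, f"no subjectAltName entry names {host}"

    # Legacy path: the certificate has no SAN, so the subject CN is compared.
    if (host_is_ip and _ip_match(cert.subject_cn, host)) or \
       (not host_is_ip and _dns_match(cert.subject_cn, host)):
        return True, "subject CN matches (legacy CN fallback)"
    return False, f"CN '{cert.subject_cn}' != '{host}' -> browser shows 'Mismatched Address'"


# Certificate name sets from the thread (subject CNs as reported there), plus one
# hypothetical certificate with SAN entries, which the thread's IOS config does not show.
IOS_DEFAULT = CertNames("IOS-Self-Signed-Certificate-1858155841")
CN_IP = CertNames("74.4.29.86")
CN_DNS = CertNames("remote.tsfhs.org")
WITH_SAN = CertNames("remote.tsfhs.org",
                     san_dns=["remote.tsfhs.org"], san_ip=["74.4.29.86"])


def thread_scenarios() -> dict:
    """Each step of the thread as (certificate, URL) -> matched?"""
    return {
        "default cert, browse by IP": names_match(IOS_DEFAULT, "https://74.4.29.86/")[0],
        "CN=IP, browse by IP":        names_match(CN_IP, "https://74.4.29.86/")[0],
        "CN=IP, browse by DNS name":  names_match(CN_IP, "https://remote.tsfhs.org/")[0],
        "CN=DNS, browse by DNS name": names_match(CN_DNS, "https://remote.tsfhs.org/")[0],
        "CN=DNS, browse by IP":       names_match(CN_DNS, "https://74.4.29.86/")[0],
        "CN=IP, modern browser":      names_match(CN_IP, "https://74.4.29.86/", allow_cn_fallback=False)[0],
        "SAN cert, modern, by IP":    names_match(WITH_SAN, "https://74.4.29.86/", allow_cn_fallback=False)[0],
        "SAN cert, modern, by name":  names_match(WITH_SAN, "remote.tsfhs.org", allow_cn_fallback=False)[0],
    }


if __name__ == "__main__":
    for label, ok in thread_scenarios().items():
        print(f"{'OK      ' if ok else 'MISMATCH'}  {label}")
```

The scenario table makes the thread's progression visible: the router's default certificate fails for any URL, a CN of 74.4.29.86 passes only when users browse by IP, and a CN of remote.tsfhs.org passes only when they browse by name, so a certificate re-enrolled for one form of the URL will produce the warning again for the other. Two points a practitioner would add today: a certificate with only a CN and no SAN is rejected outright by current browsers regardless of what the CN says, and the 1024-bit RSA key in the thread's `crypto key generate rsa` command is below the 2048-bit minimum that has been expected since NIST deprecated 1024-bit RSA in 2013, so a current deployment would use `modulus 2048`.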

rtoomey Sat, 03/05/2011 - 07:35

Hi, Jennifer...


Thanks so much for the reply. You are correct: the CN in the certificate doesn't appear to match the URL I use to access the 1941ISR's Web VPN Gateway (currently an IP address).


I've attached three screen snapshot PDFs:


ScreenShot1.pdf is what I see when I click on the "Continue to this website (not recommended)" link.

ScreenShot2.pdf is what I see when I click on the Certificate Error button in ScreenShot1.

ScreenShot3.pdf shows the Details tab from the certificate. I've highlighted one of the two references to the CN field ("Issuer"), but the "Subject" field also shows a "CN=". In both instances, the CN = IOS-Self-Signed-Certificate-1858155841 rather than what I think you're saying I should see, i.e., CN = 74.4.29.86.


If I'm understanding all of this correctly, how do I regenerate the certificate to get it to match what I'm keying in the URL box in the browser? I suspect I'll need to go through whatever this procedure is again once we get a DNS name assigned to the public IP address.


Thanks again for your help.


rtoomey Mon, 03/07/2011 - 04:58

Jennifer,


MANY thanks for your help... I followed your instructions, and my problem is resolved. Thanks again!!

rtoomey Fri, 04/08/2011 - 09:44

Hi, again Jennifer... Just a follow-up to the issue you helped me to resolve back in early March. The customer called me with a question I haven't been able to answer...


Back in March, when I followed your suggestions and generated a new self signed certificate with the correct name, from that point on, the customer could browse to 74.4.29.86 and not get the certificate error warning. However, early this month he got his domain name hosting service (Yahoo Domains) to create a domain name entry for 74.4.29.86: remote.tsfhs.org. He informed me that he had done this, and I updated the TP-SSLVPN trustpoint to reflect the new CN= value, like so:


crypto pki trustpoint TP-SSLVPN
enrollment selfsigned
subject-name cn=remote.tsfhs.org
revocation-check crl
rsakeypair sslkey


Assuming that I would have to regenerate the self-signed certificate with the updated CN value for the trustpoint, I ran the "crypto pki enroll TP-SSLVPN" command sequence.


However, now when the customer browses to remote.tsfhs.org (on a new PC that has never been connected to the SSL web vpn gateway), the certificate error doesn't occur. But when the AnyConnect client is subsequently downloaded for the first time, instead of "remote.tsfhs.org" appearing in the "Connect to:" box, it's 74.4.29.86. Supplying a Username & password at this point connects successfully with no errors. However, what the IT manager WANTED to see in the "Connect to:" box is "remote.tsfhs.org". Keying this (instead of 74.4.29.86) and supplying a correct Username & password generates a certificate error. The connection attempt is successful, but the customer wants to be able to direct his users to always enter the DNS name (rather than the IP address) in the AnyConnect "Connect to:" box, and he wants that to be the default, i.e., after a first-time connection is successfully made via Internet Explorer and the client is downloaded for the first time, he wants to see "remote.tsfhs.org" appear in the "Connect to:" box rather than the IP address. How can I correct this issue?
