I am trying to generate a self-signed certificate for Identity Certificates, and keep coming up with the wrong domain name. The "Issued To" and "Issued By" both refer to the incorrect domain.
In the config, the correct domain name can be found in:
dns server-group DefaultDNS group-policy DefaultRAGroup attributes group-policy DefaultRAGroup_1 attributes
However, the incorrect domain name cannot be found anywhere in the config. I have removed any and all certificates already issued. I see no configuration whatsoever referring to any certificates, CA, Local-CA, trustpoints, etc.
But when I go back again to create a new self signed Identity cert, I still get the OLD domain. If I go to advanced options I can fill out the FQDN and IP. The FQDN will be ASA5510.CorrectDomain.com. But of course what will be issued is ASA5510.NOTTHECORRECTONE.com
The domain name that is showing up is one that was first used when the device arrived and I created an initial configuration just to get the device on a network to access. Since that time the original config has long since been erased with a brand new config added line by line. Yet still this ghost from the original keeps showing up. Where is it finding this?
If I run "show run all | inc icontrol.com" I get no output. If I run "show run all" and then copy over to Wordpad and run a search I get nothing in reference to old domain, but do get references for the new domain.
In the attached txt file are the results of the "show run all". The old domain name is "icontrol.com". I replaced the new domain name in the text file with "icshxxx.com"; however, that is the only thing that was replaced. There is no reference whatsoever to icontrol.com.
Yet after running this command and seeing no reference whatsoever, I decided to say what the heck and tried it again. Sure enough, the self-created Identity Cert had the domain name "icontrol.com", and not "icshxxx.com". If you look at the ASDM it clearly shows the Issued To and Issued By as "ASA5510.icontrol.com". But running "sh run all cry ca trustpoint" shows nothing for Trustpoint0 in regards to the domain.
ASA5510# show run all | inc icontrol.com
ASA5510# sh run all cry ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check none
 enrollment retry period 1
 enrollment retry count 0
 enrollment self
 no fqdn
 no email
 subject-name CN=ASA5510
 no serial-number
 no ip-address
 no password
 keypair CA
 client-types ipsec ssl
 accept-subordinates
 id-cert-issuer
 id-usage ssl-ipsec
 no ignore-ipsec-keyusage
 no ignore-ssl-keyusage
 proxy-ldc-issuer
 crl configure
  policy cdp
  cache-time 60
  enforcenextupdate
  protocol http
  protocol ldap
  protocol scep
ASA5510#
I did clear the ASDM cache, and restarted ASDM. It still shows "ASA5510.icontrol.com" and not "ASA5510.icshrff.com". Also, if I go to the Advanced tab and enter in the FQDN, e-mail address, and IP address, it will not be applied.
Thanks for your help Loren. I have the problem solved now, the solution was to reload the OS. I shut down the ASA last night, and had the CA's removed. Loaded up the ASA today, looked at the config and there was nothing relating to certs between isakmp crypto to SSH. I then used the ASDM to add a new Identity cert and it shows up with the correct domain.
I have a 5505 that had the same problem, and I did the same steps I used with this 5510. The 5505's issue was resolved by removing the CA's, certs, and Trustpoints, but I never had to reload or restart that unit. So it did not occur to me that doing this would solve the 5510's issue. Well, one less issue to worry about.
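The thread above turns on a detail that is easy to miss: the running config shows the trustpoint with "no fqdn" and "subject-name CN=ASA5510", yet the certificate the ASA actually issued carried a stale host name. The reliable way to know what a device issued is to inspect the certificate itself rather than the config. The following Go program is an added example and not code from the thread or from Cisco: it builds a self-signed identity certificate for a given FQDN (standing in for what the ASA produces with "enrollment self"), then checks an exported PEM certificate's subject CN, issuer CN and DNS Subject Alternative Name against the FQDN you expect, reporting every mismatch. The host names used are the thread's own placeholders (ASA5510.icshxxx.com for the correct domain, ASA5510.icontrol.com for the stale one); everything else is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedPEM builds a self-signed identity certificate whose subject CN and
// DNS SAN both carry fqdn. It stands in for the certificate a device issues
// when it self-enrolls with an explicit FQDN (constructed for this example).
func SelfSignedPEM(fqdn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: fqdn},
		DNSNames:     []string{fqdn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Self-signed: the template is both subject and issuer.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Report lists what the certificate actually carries and every way it differs
// from the expected FQDN.
type Report struct {
	SubjectCN string
	IssuerCN  string
	DNSNames  []string
	Problems  []string
}

// CheckIdentityCert parses a PEM-encoded certificate (for example one exported
// from ASDM or pasted from "show crypto ca certificates") and compares its
// subject CN, issuer CN and SAN entries with the FQDN the device should present.
func CheckIdentityCert(pemBytes []byte, expectedFQDN string) (Report, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Report{}, errors.New("no CERTIFICATE block found in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Report{}, err
	}
	r := Report{
		SubjectCN: cert.Subject.CommonName,
		IssuerCN:  cert.Issuer.CommonName,
		DNSNames:  cert.DNSNames,
	}
	if r.SubjectCN != expectedFQDN {
		r.Problems = append(r.Problems,
			fmt.Sprintf("subject CN is %q, expected %q", r.SubjectCN, expectedFQDN))
	}
	// For a self-signed certificate the issuer is the subject, so a stale
	// issuer CN is the same symptom the thread describes under "Issued By".
	if r.IssuerCN != expectedFQDN {
		r.Problems = append(r.Problems,
			fmt.Sprintf("issuer CN is %q, expected %q", r.IssuerCN, expectedFQDN))
	}
	// Browsers and VPN clients match the host name against the SAN, not the CN,
	// so a SAN that still names the old domain fails verification on its own.
	if err := cert.VerifyHostname(expectedFQDN); err != nil {
		r.Problems = append(r.Problems, "SAN does not cover expected FQDN: "+err.Error())
	}
	return r, nil
}

func main() {
	stale, err := SelfSignedPEM("ASA5510.icontrol.com") // constructed: the old domain
	if err != nil {
		panic(err)
	}
	r, err := CheckIdentityCert(stale, "ASA5510.icshxxx.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject CN: %s\nissuer CN: %s\nSAN: %v\n", r.SubjectCN, r.IssuerCN, r.DNSNames)
	for _, p := range r.Problems {
		fmt.Println("problem:", p)
	}
}
```

Run the check against the certificate the device actually presents (exported from ASDM, or captured from the SSL/VPN listener) rather than against the trustpoint configuration; in the situation described in the thread the config looked clean while the issued certificate did not, and only the certificate itself reveals that.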