Due to our environment, I had to create an isolated Stand-Alone Root CA server on MS Win 2003 to issue certificates to the ASA and Win XP clients (I know XP is dead but this is our requirement – for now). The internal DNS server is functional, as well as the external DNS server.
On the ASA, I generate the key pair, create the Trustpoint, and configure the subject, fqdn, and enrollment url pointing to the MS Win CA root server. I then authenticate this trustpoint and verify the fingerprint is correct. I enroll the trustpoint, request the certificate, and a short time later the cert is granted. Everything seems good!
On my Win XP (Service Pack 2) PC, I use IE version 8 to browse to the root CA server request page to request a browser certificate; shortly afterwards the certificate is granted and installed. Then I request the root CA certificate, and again it is granted and installed.
Now I https into the ASA on the inside interface and receive a certificate error message.
I check the browser certificate error message and it reveals the certificate is an "ASA Temporary Self Signed Certificate". If I also install this ASA Temporary Self Signed Certificate into my browser store and reload my browser, I get the same certificate error message. I also do not see this certificate listed in any of the stores.
THANK YOU SO MUCH for the link, as I am struggling here. I followed the steps... No change.
It did take a while to time out, but changing the ssl certificate-authentication fca-timeout from 5 to 1 fixed the slowness issue.
So I followed the steps to also include the outside interface for SSL certs.
... Now, I'm able to connect on the outside interface https://til.ddt.org. I don't get a browser certificate error until I choose to load ASDM from the browser page. When ASDM starts to load, a certificate error pops up, the cert error indicates it cannot verify Cisco Systems Inc. (VeriSign Class 3 Code Signing 2010 CA).
I downloaded the VeriSign cert and installed it in the trusted store on the PC:
VeriSign Class 3 Public Primary Certification Authority - G5; Expiration date: 7/16/2036
When I originally generated the certs for this ASA, I used the outside interface fqdn, and all the certs reference this DNS-resolvable name. When I try to connect to the ASA on the inside interface - as most folks will - I get the cert error.
The inside IP address is 192.168.1.1, while the outside interface is 192.168.240.1.
The til.ddt.org resolves via DNS on inside and outside.
In your opinion, what do you think I did or am doing incorrectly? I am a Cisco Router/Switch/Security network guy, not a Windows/PKI guy. :)
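The two certificate errors described in this thread come from two independent checks a browser makes: whether the issuer chains to a root in the trust store (which is what fails for the "ASA Temporary Self Signed Certificate"), and whether the host typed into the URL bar appears among the names in the certificate (which is what fails when a certificate issued for til.ddt.org is reached as https://192.168.1.1, even with the lab root CA trusted). The following Python is an added example, not code from the original post or from Cisco, that runs the name check against constructed certificates in the shape `ssl.SSLSocket.getpeercert()` returns; the issuer name "Lab-Root-CA" and the certificate contents are assumptions made for illustration. The `check_live` helper connects to a real device, trusting only a supplied CA file, and reports which of the two checks fails.

```python
"""Separate the two checks behind a browser certificate error:
chain trust (does the issuer chain to a trusted root?) and
name match (does the URL host appear in the certificate?).
Certificates below are constructed for illustration, in the dict
shape returned by ssl.SSLSocket.getpeercert()."""
import ipaddress
import socket
import ssl

# Constructed: an ASA identity cert enrolled for the outside FQDN only.
# The issuer name is an assumption, not the poster's CA.
ASA_CERT = {
    "subject": ((("commonName", "til.ddt.org"),),),
    "issuer": ((("commonName", "Lab-Root-CA"),),),
    "subjectAltName": (("DNS", "til.ddt.org"),),
}

# Constructed: the same device, but with the inside address also covered
# by an iPAddress SAN, so browsing to it by IP would pass the name check.
ASA_CERT_WITH_INSIDE = {
    "subject": ((("commonName", "til.ddt.org"),),),
    "issuer": ((("commonName", "Lab-Root-CA"),),),
    "subjectAltName": (("DNS", "til.ddt.org"), ("IP Address", "192.168.1.1")),
}


def cert_identities(cert):
    """Names the certificate is valid for. Per RFC 6125, when any SAN dNSName
    is present the CN is ignored; an IP literal in the URL only ever matches
    an iPAddress SAN, never the CN."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def dns_matches(pattern, host):
    """Exact match, or a single leftmost wildcard label (*.ddt.org matches
    til.ddt.org but not a.b.ddt.org or ddt.org). Case-insensitive."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return False


def name_matches(cert, host):
    """True if `host` (DNS name or IP literal) is an identity of `cert`."""
    dns, ips = cert_identities(cert)
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:
        return any(dns_matches(p, host) for p in dns)
    return any(ipaddress.ip_address(ip) == wanted for ip in ips)


def check_live(host, port=443, cafile=None, timeout=5):
    """Connect to a real device, trusting only `cafile` (e.g. the exported
    lab root CA), and report which check fails. Hostname checking is turned
    off in the context so the chain and name results are reported separately;
    the chain is still verified and no application data is sent."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted issuer: %s" % exc.verify_message
    if name_matches(cert, host):
        return "ok"
    dns, ips = cert_identities(cert)
    return "name mismatch: cert is for %s" % ", ".join(dns + ips)


if __name__ == "__main__":
    for host in ("til.ddt.org", "192.168.1.1", "192.168.240.1"):
        print(host, "->", "ok" if name_matches(ASA_CERT, host) else "name mismatch")
```

Run stand-alone, the script reports "ok" only for til.ddt.org and "name mismatch" for both interface addresses, which is the situation the post describes: the inside interface is reachable, the CA is trusted, but the name in the URL is not in the certificate. Against a live ASA, `check_live("192.168.1.1", cafile="lab-root.cer")` distinguishes that case from the earlier one, where the device was still presenting its temporary self-signed certificate and the failure is reported as an untrusted issuer.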
It was really easy to get this operational once I did all the wrong things first. Once the incorrect options were out of the way, only the correct options were left and it was very clear to see the final path. LOL
My biggest hurdle was creating the entire environment:
For this isolated project with no public or Internet access, I had the opportunity to:
- Learn VMware 5.1 and create VMs for all the different operating systems needed to support the environments.
- Learn that cloning a working VM saves enormous amounts of installation time for the next VM (from several hours of installation time down to several minutes), and that Data Stores make installation really fly.
- Learn MS Windows Enterprise Server, and MS Win DNS installation and configuration for internal and external domains. Thank GOD for Wireshark!!!!!!!
- Learn Microsoft's implementation of PKI and how it relates to and interoperates with other vendors.
- Learn how Internet Explorer, Chrome and Firefox work with reference to certificates and security, and also how they do not work :).
- Learn NTP (the differences between GMT and UTC and where and how to use each) and how Cisco routers CAN provide time to Microsoft clients directly.
- Best of all, and absolutely the toughest technology I have ever tackled........PKI in a mixed-vendor environment.
There is a lot more, but I'm tired of typing. LOL