Bronze

ASA ASDM certificate error

ASA 5505 IOS 9.2(2)

ASDM 7.2(2)

Due to our environment, I had to create an isolated stand-alone Root CA server on MS Win 2003 to issue certificates to the ASA and Win XP clients (I know XP is dead but this is our requirement, for now). The internal DNS server is functional, as well as the external DNS server.

On the ASA, I generate the certificate, create the trustpoint, and configure the subject, fqdn and enrollment url to the MS Win CA root server. I then authenticate this trustpoint and verify the fingerprint is correct. I enroll the trustpoint, request the certificate, and a short time later the cert is granted. Everything seems good!

On my Win XP (Service Pack 2) PC, I use I.E. version 8 to web into the root CA server request page to request a browser certificate; shortly after, the certificate is granted and installed. Then I request the root CA certificate, and again it is granted and installed.

Now I https into the ASA on the inside interface and receive a certificate error message.

I check the browser certificate error message and it reveals the certificate is an "ASA Temporary Self Signed Certificate". If I also install this ASA Temporary Self Signed Certificate into my browser store and reload my browser, same certificate error message. I also do not see this certificate listed in any stores.


Any ideas?

Thank you

Frank

1 ACCEPTED SOLUTION
Hall of Fame Super Silver

You need to bind the installed CA-signed certificate to the ASA's interface(s).

See, for example, Step 11 here.

7 REPLIES

Hi,

Did you try with any other browser?

Regards,

Aref

Bronze

Yes, I tried Internet Explorer as well as Chrome. Same issue with both.

I should also say, I enabled the http authentication-certificate inside option.

Once I receive the cert error and ignore it, ASDM still loads with both browsers.

Thanks

Frank

If you can, please post/attach your sanitized ASA configuration file for review. That could also be a Java version issue.

Regards,

Aref

Bronze

Hi Marvin,

UPDATED 11:45am

THANK YOU SO MUCH for the link, as I am struggling here. I followed the steps. No change.

It did take a while to time out, but after I changed the ssl certificate-authentication fca-timeout from 5 to 1, the slowness issue was fixed.


So I followed the steps to also include the outside interface for SSL certs.

Now, I'm able to connect on the outside interface, https://til.ddt.org. I don't get a browser certificate error until I choose to load ASDM from the browser page. When ASDM starts to load, a certificate error pops up; the cert error indicates it cannot verify Cisco Systems Inc. (VeriSign Class 3 Code Signing 2010 CA).

I downloaded the VeriSign cert and installed it in the trusted store on the PC.

VeriSign Class 3 Public Primary Certification Authority - G5; Expiration date: 7/16/2036

BACKGROUND:

When I originally generated the certs for this ASA, I used the outside interface fqdn, and all the certs reference this DNS-resolvable name. When I try to connect to the ASA on the internal interface, as most folks will, I get the cert error.

The inside IP address is 192.168.1.1 while the outside interface is 192.168.240.1.

The til.ddt.org resolves via DNS on inside and outside.


In your opinion, what do you think I did or am doing incorrectly? I am a Cisco Router/Switch/Security network guy, not a Windows/PKI guy. :)

THANK YOU AGAIN

Frank
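Putting Marvin's answer (bind the CA-signed certificate to the interfaces) together with Frank's description above (certs issued for the outside fqdn, clients hitting the inside address), here is an added illustration of the ASA side, not configuration posted in this thread. The trustpoint name WIN2003-CA, keypair ASA-KEY, CA URL ca.example.internal and O=Example are assumptions; til.ddt.org, 192.168.1.1 and the inside/outside interface names come from Frank's posts.

```cisco
! Added illustration, not configuration from this thread.
! Assumed: trustpoint WIN2003-CA, keypair ASA-KEY, CA host ca.example.internal.
crypto key generate rsa label ASA-KEY modulus 2048
!
crypto ca trustpoint WIN2003-CA
 enrollment url http://ca.example.internal/certsrv/mscep/mscep.dll
 keypair ASA-KEY
 fqdn til.ddt.org
 subject-name CN=til.ddt.org,O=Example
!
! Verify the CA fingerprint when prompted, then request the identity cert.
crypto ca authenticate WIN2003-CA
crypto ca enroll WIN2003-CA
!
! The missing step (Marvin's answer): bind the trustpoint to every interface
! that serves ASDM. Until this is done the ASA keeps presenting its
! "ASA Temporary Self Signed Certificate", so trusting the CA on the client
! cannot help.
ssl trust-point WIN2003-CA inside
ssl trust-point WIN2003-CA outside
!
! Name matching still applies after binding: the certificate names
! til.ddt.org, so https://192.168.1.1 raises a name-mismatch warning even
! though the chain now validates. Browse to https://til.ddt.org from the
! inside as well (Frank notes it resolves on both sides), or enroll a
! certificate whose fqdn/subject-name matches the name clients use inside.
!
! Check which trustpoint is bound per interface and what was issued.
show ssl
show crypto ca certificates
```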

Bronze

Hey folks, I have it figured out.

It was really easy to get this operational once I did all the wrong things first. Once the incorrect options were out of the way, only the correct options were left and it was very clear to see the final path. LOL


My biggest hurdle was creating the entire environment:

For this isolated project with no public or Internet access, I had the opportunity to learn VMware 5.1 and create VMs for all the different operating systems needed to support the environments. I learned that cloning a working VM saves enormous amounts of installation time for the next VM (from several hours of installation time down to several minutes), and that Data Stores make installation really fly. I learned MS Windows Enterprise Server, and MS Win DNS installation and configuration for internal and external domains; thank GOD for Wireshark!!!!!!! I learned Microsoft's implementation of PKI and how it relates and interoperates with other vendors. I learned how Internet Explorer, Chrome and Firefox work with reference to certificates and security, and also how they do not work :). I learned NTP (the differences between GMT and UTC and where and how to use each) and how Cisco routers CAN provide time to Microsoft clients directly, and best of all, absolutely the toughest technology I have ever tackled: PKI in a mixed-vendor environment. There is a lot more but I'm tired of typing. LOL


Ok, so what's the next task!!!!!!

Thanks again

Frank


Hall of Fame Super Silver

Happy to hear you're up and running.

Please rate any helpful answers that aided you in getting there.
