Any Connect Client still warning expired cert despite new cert added

scocook
Level 1

I'm using a Cisco Adaptive Security Appliance Software Version 8.4(2), Device Manager Version 6.4(5)206 as my VPN concentrator and recently added a new SSL cert:

vpnbos01# sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0236d0
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=GeoTrust Global CA
    o=GeoTrust Inc.
    c=US
  Subject Name:
    cn=GeoTrust SSL CA
    o=GeoTrust\, Inc.
    c=US
  OCSP AIA:
    URL: http://ocsp.geotrust.com
  CRL Distribution Points:
    [1]  http://crl.geotrust.com/crls/gtglobal.crl
  Validity Date:
    start date: 17:39:26 EST Feb 19 2010
    end   date: 17:39:26 EST Feb 18 2020
  Associated Trustpoints: BTCI_TrustPoint_2012

Certificate
  Status: Available
  Certificate Serial Number: 12f52c
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    ou=Equifax Secure Certificate Authority
    o=Equifax
    c=US
  Subject Name:
    cn=*.btci.com
    ou=Domain Control Validated - QuickSSL(R)
    o=BT Conferencing Inc.
    l=Quincy
    st=Massachusetts
    c=US
    serialNumber=kPCu1C/bzEUv7gNfS/lWYWrrhHqgPLPV
  CRL Distribution Points:
    [1]  http://crl.geotrust.com/crls/secureca.crl
  Validity Date:
    start date: 11:01:22 EDT May 19 2010
    end   date: 14:48:12 EDT May 21 2012
  Associated Trustpoints: BTCI_TrustPoint

vpnbos01# sh run ssl
ssl trust-point BTCI_TrustPoint_2012 outside

However, when connecting to the VPN via the AnyConnect (Windows) client, at connection it pops up a window saying that the device has an expired cert and shows the details of the 2nd cert in the config above, despite only the newer cert displaying in the sh run ssl command. The new cert was updated via ASDM via the steps provided in http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml. Is there something else missing from this doc, or a step missed?


Jennifer Halim
Cisco Employee

Your SSL is pointing to "BTCI_TrustPoint_2012" trustpoint which only contains the CA Root certificate, no identity certificate.

Your other trustpoint "BTCI_TrustPoint" only contains an identity certificate; however, there is no CA Root certificate associated with it. You would also need to import the CA certificate from Equifax into trustpoint BTCI_TrustPoint, and point the ssl trust-point on the outside interface to "BTCI_TrustPoint" instead.

My apologies, Jen, but I did omit some output in the sh crypto ca certificates. Here is the complete output, which may or may not contain the info you say is missing:

vpnbos01# sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0236d0
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=GeoTrust Global CA
    o=GeoTrust Inc.
    c=US
  Subject Name:
    cn=GeoTrust SSL CA
    o=GeoTrust\, Inc.
    c=US
  OCSP AIA:
    URL: http://ocsp.geotrust.com
  CRL Distribution Points:
    [1]  http://crl.geotrust.com/crls/gtglobal.crl
  Validity Date:
    start date: 17:39:26 EST Feb 19 2010
    end   date: 17:39:26 EST Feb 18 2020
  Associated Trustpoints: BTCI_TrustPoint_2012

Certificate
  Status: Available
  Certificate Serial Number: 015e60
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=GeoTrust SSL CA
    o=GeoTrust\, Inc.
    c=US
  Subject Name:
    cn=*.btci.com
    ou=Domain Control Validated - QuickSSL(R)
    o=BT Conferencing Inc.
    l=Quincy
    st=Massachusetts
    c=US
    serialNumber=I9JFRa3CZd2YMGj8MQrv0KU19gn/bXyj
  CRL Distribution Points:
    [1]  http://gtssl-crl.geotrust.com/crls/gtssl.crl
  Validity Date:
    start date: 09:30:13 EDT Apr 23 2012
    end   date: 22:39:47 EDT Jun 24 2014
  Associated Trustpoints: BTCI_TrustPoint_2012

CA Certificate
  Status: Available
  Certificate Serial Number: 35def4cf
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    ou=Equifax Secure Certificate Authority
    o=Equifax
    c=US
  Subject Name:
    ou=Equifax Secure Certificate Authority
    o=Equifax
    c=US
  CRL Distribution Points:
    [1]  cn=CRL1,ou=Equifax Secure Certificate Authority,o=Equifax,c=US
  Validity Date:
    start date: 12:41:51 EDT Aug 22 1998
    end   date: 12:41:51 EDT Aug 22 2018
  Associated Trustpoints: Equifax

CA Certificate
  Status: Available
  Certificate Serial Number: 01a5
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: MD5 with RSA Encryption
  Issuer Name:
    cn=GTE CyberTrust Global Root
    ou=GTE CyberTrust Solutions\, Inc.
    o=GTE Corporation
    c=US
  Subject Name:
    cn=GTE CyberTrust Global Root
    ou=GTE CyberTrust Solutions\, Inc.
    o=GTE Corporation
    c=US
  Validity Date:
    start date: 20:29:00 EDT Aug 12 1998
    end   date: 19:59:00 EDT Aug 13 2018
  Associated Trustpoints: CA_Bundle

Certificate
  Status: Available
  Certificate Serial Number: 12f52c
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    ou=Equifax Secure Certificate Authority
    o=Equifax
    c=US
  Subject Name:
    cn=*.btci.com
    ou=Domain Control Validated - QuickSSL(R)
    o=BT Conferencing Inc.
    l=Quincy
    st=Massachusetts
    c=US
    serialNumber=kPCu1C/bzEUv7gNfS/lWYWrrhHqgPLPV
  CRL Distribution Points:
    [1]  http://crl.geotrust.com/crls/secureca.crl
  Validity Date:
    start date: 11:01:22 EDT May 19 2010
    end   date: 14:48:12 EDT May 21 2012
  Associated Trustpoints: BTCI_TrustPoint

You are right. The certificate chain looks correct to me too.

Can you test it from a different computer to see if it differs? Or if you can advise me of the URL, I can test to see if I get the same expired certificate.

The URL is uvpn1.btci.com

Thank you,

Scott Cook

Technical Services Professional

BT Conferencing

Hmmm, I can't even connect. Do you happen to use a different port for SSL VPN?

I was able to confirm one of my colleagues also gets the same error. We're not sure what "order" of certs the ASA uses if you have more than one, but if we look in ASDM / Configuration / Device Management / Certificate Management / Identity Certificates, both are listed, with the older expired one listed first. We tried to delete the one cert to see if that was the issue, but ASDM won't let us because it's in use. I assume that means users are connected with it? Any other way to force it out to see if that's the issue?

Thank you,

Scott Cook

Technical Services Professional

BT Conferencing

It should really use the one that you assign on the outside interface via the ssl trustpoint command, which is "BTCI_TrustPoint_2012" as per your configuration.

My suspicion is that because they use very similar names (i.e. your new one just has "_2012" added), maybe there is a software bug that thought they are the same --> just my suspicion.

Can you try to create a new trustpoint with a completely different name, re-upload the cert into this new trustpoint, and assign it to the outside interface?

Raul Ricano
Level 1

Hope you got your issue figured out. For me it was due to a config line forcing the old certificate. Even though the web URL had the correct certificate, when I connected with the AnyConnect client it would show it as expired.

I found the following key in my config was still pushing the old cert and would not even let me delete it out.

Culprit line causing the cert errors on the AnyConnect client:

crypto ikev2 remote-access trustpoint Godaddy


Replaced with the new cert name:

crypto ikev2 remote-access trustpoint AnyConnect-GoDaddy

I was then able to delete the Certificate out and the AnyConnect errors disappeared.


Again, hope this helps you, or maybe someone else with this issue.

Raul
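An added check, not from this thread or from Cisco, that automates the two diagnoses above: it parses `show crypto ca certificates` output and a running-config excerpt (both constructed samples in the ASA 8.4 layout, using the trustpoint names from this thread) and flags every trustpoint still bound by `ssl trust-point` or `crypto ikev2 remote-access trustpoint` that lacks a CA or identity certificate in the trustpoint, or whose identity certificate has expired. The script is an offline audit helper written in Python; the only ASA commands it assumes are the ones quoted in the thread.

```python
import re
from datetime import datetime
# Constructed sample in the layout of "show crypto ca certificates" on ASA 8.4,
# cut down to the fields this check reads; trustpoint names are the thread's.
SHOW_CERTS = """\
CA Certificate
  Certificate Serial Number: 0236d0
    end   date: 17:39:26 EST Feb 18 2020
  Associated Trustpoints: BTCI_TrustPoint_2012
Certificate
  Certificate Serial Number: 015e60
    end   date: 22:39:47 EDT Jun 24 2014
  Associated Trustpoints: BTCI_TrustPoint_2012
Certificate
  Certificate Serial Number: 12f52c
    end   date: 14:48:12 EDT May 21 2012
  Associated Trustpoints: BTCI_TrustPoint
"""
# Constructed running-config excerpt: ssl trust-point names the new trustpoint,
# but the IKEv2 remote-access line (the thread's culprit) still names the old.
SHOW_RUN = """\
ssl trust-point BTCI_TrustPoint_2012 outside
crypto ikev2 remote-access trustpoint BTCI_TrustPoint
"""
# One certificate block: kind, serial, expiry date (time and zone skipped), trustpoint.
CERT_RE = re.compile(
    r"^(CA Certificate|Certificate)\n.*?Serial Number: (\S+).*?"
    r"end\s+date: \S+ \w+ (\w+ \d+ \d+).*?Associated Trustpoints: (\S+)", re.S | re.M)
REF_RE = re.compile(r"^(?:ssl trust-point|crypto ikev2 remote-access trustpoint) (\S+)")

def parse_certs(text):
    """Return (kind, serial, expiry, trustpoint) for each block of show output."""
    return [(k, s, datetime.strptime(e, "%b %d %Y"), t) for k, s, e, t in CERT_RE.findall(text)]

def audit(show_certs, show_run, now):
    """Flag each config-bound trustpoint missing a CA or identity cert, or expired at `now`."""
    certs, findings = parse_certs(show_certs), []
    for line in show_run.splitlines():
        m = REF_RE.match(line.strip())
        if not m:
            continue
        tp = m.group(1)
        kinds = {k for k, _, _, t in certs if t == tp}
        for need in ("CA Certificate", "Certificate"):  # Jennifer's check: both must be present
            if need not in kinds:
                findings.append(f"{tp}: missing '{need}' in trustpoint, bound by '{line}'")
        for k, serial, end, t in certs:
            if t == tp and k == "Certificate" and end < now:
                findings.append(f"{tp}: cert {serial} expired {end:%Y-%m-%d}, still bound by '{line}'")
    return findings
```

Run against the sample with a date after May 21 2012, it reports nothing for BTCI_TrustPoint_2012 and two findings for BTCI_TrustPoint: no CA certificate in that trustpoint, and an expired identity cert still bound by the IKEv2 remote-access line.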


Thank you SO MUCH for your post - this solved the issue on our system.

I couldn't figure out how to do this change with ASDM - does anyone have an idea?
(I also couldn't find related information in the documentation - but on the other hand, it's pretty late and I didn't spend that much time searching due to the "incident" nature of this case. ;)