Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Any Connect Client still warning expired cert despite new cert added

I'm using a Cisco Adaptive Security Appliance Software Version 8.4(2), Device Manager Version 6.4(5)206 as my VPN concentrator and recently added a new SSL cert

vpnbos01# sh crypto ca certificates

CA Certificate

  Status: Available

  Certificate Serial Number: 0236d0

  Certificate Usage: General Purpose

  Public Key Type: RSA (2048 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    cn=GeoTrust Global CA

    o=GeoTrust Inc.

    c=US

  Subject Name:

    cn=GeoTrust SSL CA

    o=GeoTrust\, Inc.

    c=US

  OCSP AIA:

    URL: http://ocsp.geotrust.com

  CRL Distribution Points:

    [1]  http://crl.geotrust.com/crls/gtglobal.crl

  Validity Date:

    start date: 17:39:26 EST Feb 19 2010

    end   date: 17:39:26 EST Feb 18 2020

  Associated Trustpoints: BTCI_TrustPoint_2012

Certificate

  Status: Available

  Certificate Serial Number: 12f52c

  Certificate Usage: General Purpose

  Public Key Type: RSA (1024 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    ou=Equifax Secure Certificate Authority

    o=Equifax

    c=US

  Subject Name:

    cn=*.btci.com

    ou=Domain Control Validated - QuickSSL(R)

    o=BT Conferencing Inc.

    l=Quincy

    st=Massachusetts

    c=US

    serialNumber=kPCu1C/bzEUv7gNfS/lWYWrrhHqgPLPV

  CRL Distribution Points:

    [1]  http://crl.geotrust.com/crls/secureca.crl

  Validity Date:

    start date: 11:01:22 EDT May 19 2010

    end   date: 14:48:12 EDT May 21 2012

  Associated Trustpoints: BTCI_TrustPoint

vpnbos01# sh run ssl

ssl trust-point BTCI_TrustPoint_2012 outside

However, when connecting to VPN via the AnyConnect (windows) client, at connection it will pop up a window that the device has a expired cert and show the details of the 2nd cert in the config above, despite only the newer cert displaying in the sh run ssl command.  The new cert was updated via ASDM via the steps provided in http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml.  Is there something else missing from this doc or a step missed?

8 REPLIES
Cisco Employee

Any Connect Client still warning expired cert despite new cert a

Your SSL is pointing to "BTCI_TrustPoint_2012" trustpoint which only contains the CA Root certificate, no identity certificate.

Your other trustpoint "BTCI_TrustPoint" only contain identity certificate, however, there is no CA Root certificate associated with it. You would also need to import the CA certificate from Equifax into trustpoint BTCI_TrustPoint, and point the ssl trust-point on the outside interface to "BTCI_TrustPoint" instead.

New Member

Any Connect Client still warning expired cert despite new cert a

My apologies, Jen, but i did omit some output in the sh crypto ca certificates.  Here is the complete output that may/may not contain the info you say is missing:

vpnbos01# sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0236d0
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=GeoTrust Global CA
    o=GeoTrust Inc.
    c=US
  Subject Name:
    cn=GeoTrust SSL CA
    o=GeoTrust\, Inc.
    c=US
  OCSP AIA:
    URL: http://ocsp.geotrust.com
  CRL Distribution Points:
    [1]  http://crl.geotrust.com/crls/gtglobal.crl
  Validity Date:
    start date: 17:39:26 EST Feb 19 2010
    end   date: 17:39:26 EST Feb 18 2020
  Associated Trustpoints: BTCI_TrustPoint_2012

Certificate
  Status: Available
  Certificate Serial Number: 015e60
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=GeoTrust SSL CA
    o=GeoTrust\, Inc.
    c=US
  Subject Name:
    cn=*.btci.com
    ou=Domain Control Validated - QuickSSL(R)
    o=BT Conferencing Inc.
    l=Quincy
    st=Massachusetts
    c=US
    serialNumber=I9JFRa3CZd2YMGj8MQrv0KU19gn/bXyj
  CRL Distribution Points:
    [1]  http://gtssl-crl.geotrust.com/crls/gtssl.crl
  Validity Date:
    start date: 09:30:13 EDT Apr 23 2012
    end   date: 22:39:47 EDT Jun 24 2014
  Associated Trustpoints: BTCI_TrustPoint_2012

CA Certificate
  Status: Available
  Certificate Serial Number: 35def4cf
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    ou=Equifax Secure Certificate Authority
    o=Equifax
    c=US
  Subject Name:
    ou=Equifax Secure Certificate Authority
    o=Equifax
    c=US
  CRL Distribution Points:
    [1]  cn=CRL1,ou=Equifax Secure Certificate Authority,o=Equifax,c=US
  Validity Date:
    start date: 12:41:51 EDT Aug 22 1998
    end   date: 12:41:51 EDT Aug 22 2018
  Associated Trustpoints: Equifax

CA Certificate
  Status: Available
  Certificate Serial Number: 01a5
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: MD5 with RSA Encryption
  Issuer Name:
    cn=GTE CyberTrust Global Root
    ou=GTE CyberTrust Solutions\, Inc.
    o=GTE Corporation
    c=US
  Subject Name:
    cn=GTE CyberTrust Global Root
    ou=GTE CyberTrust Solutions\, Inc.
    o=GTE Corporation
    c=US
  Validity Date:
    start date: 20:29:00 EDT Aug 12 1998
    end   date: 19:59:00 EDT Aug 13 2018
  Associated Trustpoints: CA_Bundle

Certificate
  Status: Available
  Certificate Serial Number: 12f52c
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    ou=Equifax Secure Certificate Authority
    o=Equifax
    c=US
  Subject Name:
    cn=*.btci.com
    ou=Domain Control Validated - QuickSSL(R)
    o=BT Conferencing Inc.
    l=Quincy
    st=Massachusetts
    c=US
    serialNumber=kPCu1C/bzEUv7gNfS/lWYWrrhHqgPLPV
  CRL Distribution Points:
    [1]  http://crl.geotrust.com/crls/secureca.crl
  Validity Date:
    start date: 11:01:22 EDT May 19 2010
    end   date: 14:48:12 EDT May 21 2012
  Associated Trustpoints: BTCI_TrustPoint

Cisco Employee

Any Connect Client still warning expired cert despite new cert a

You are right. The certificate chain looks correct to me too.

Can you test it from a different computer to see if differs? Or if you can advise me the URL, I can test to see if i get the same expired certificate.

New Member

Re: Any Connect Client still warning expired cert despite new ce

The URL is uvpn1.btci.com

Thank you,

Scott Cook

Technical Services Professional

BT Conferencing

Cisco Employee

Re: Any Connect Client still warning expired cert despite new ce

hmmm, i cant even connect. do you happen to use different port for ssl vpn?

New Member

Re: Any Connect Client still warning expired cert despite new ce

I was able to confirm one of my colleagues also gets the same error. We’re not sure what “order” of certs the ASA uses if you have more than one, but if we look in ASDM / Configuration / Device Management / Certificate Management / Identify Certificates, both are listed with the older expired one listed first. We tried to delete the one cert to see if that was the issue…but ASDM won’t let us cause it’s in use. I assume that means users are connected with it? Any other way to force it out to see if that’s the issue?

Thank you,

Scott Cook

Technical Services Professional

BT Conferencing

Cisco Employee

Re: Any Connect Client still warning expired cert despite new ce

It should really use the one that you assign on the outside interface via the ssl trustpoint command which is "

BTCI_TrustPoint_2012" as per your configuration.

My suspicion is that because they use very similar name, ie: your new one just has "_2012" and maybe there is a software bug that thought they are the same --> just my suspicion.

Can you try to create a new trustpoint with completely different name and re-upload the cert again in this new trustpoint and assign it to the outside interface.

New Member

Hope you got your issue

Hope you got your issue figured out.  For me it was due to a config line forcing the old certificate.  Even though the Web URL had the correct certificate when I connected with the Anyconnect client it would show it expired.

 

I found the following key in my config was still pushing the old cert and would not even let me delete it out.

Culprit line causing me the Cert errors on the AnyConnect Client.

crypto ikev2 remote-access trustpoint Godaddy

 

Replaced with new Cert name

crypto ikev2 remote-access trustpoint AnyConnect-GoDaddy

I was then able to delete the Certificate out and the AnyConnect errors disappeared.

 

Again hopes this help or maybe someone else with this issue.

 

Raul

 

4081
Views
5
Helpful
8
Replies
CreatePlease login to create content