anyconnect vpn client v 2.5.1025 certificate warning

fwilliams-iumg
Level 1

I get the message "A secure connection with this site cannot be verified. Would you like to proceed? The certificate you are viewing does not match the name of the site you are trying to view." when I open up the AnyConnect client. I press yes to proceed and all is well, but is there any way to avoid this message? Thanks in advance.

16 Replies

Herbert Baerten
Cisco Employee

Hi Frank,

In theory it could mean that someone is intercepting your DNS requests and redirecting you to another SSL gateway than the one you think you connect to.

In practice it usually means that you are connecting to e.g. "vpn.mycompany.com" but the certificate on the gateway does not have that name in its Subject or Alternate Subject fields.

So to avoid the message (and more importantly, to make sure you connect to the legitimate gateway), either connect to the name that is present in the certificate, or on the ASA replace the certificate with one that has the right name.

Let me know if you want to go in more detail.

hth

Herbert

I am having this same issue. Would you mind going a little deeper or pointing me in the direction on getting this resolved?

Hi Frank,

To do so, could you please provide the "show run ssl", "show run crypto ca trustpoint" and "show crypto ca certificate"?

Thanks.

Portu.

The "show run ssl" gave nothing back. Here are the others.

BHAddison5520# show run crypto ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=BHAddison5520
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn vpn.behringerharvard.com
 subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison
 keypair vpn
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint thought
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment self
 fqdn vpn.behringerharvard.com
 subject-name CN=vpn.behringerharvard.com
 keypair vpn
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure

BHAddison5520# show crypto ca certificate
Certificate
  Status: Available
  Certificate Serial Number: 0e1a3750
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=vpn.behringerharvard.com
    cn=vpn.behringerharvard.com
  Subject Name:
    hostname=vpn.behringerharvard.com
    cn=vpn.behringerharvard.com
  Validity Date:
    start date: 12:31:18 CDT Sep 20 2012
    end   date: 12:31:18 CDT Sep 18 2022
  Associated Trustpoints: ASDM_TrustPoint3

Certificate
  Status: Available
  Certificate Serial Number: c7f0894f
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=BHAddison5520.bh.com
    cn=BHAddison5520
  Subject Name:
    hostname=BHAddison5520.bh.com
    cn=BHAddison5520
  Validity Date:
    start date: 09:09:12 CDT Apr 17 2012
    end   date: 09:09:12 CDT Apr 15 2022
  Associated Trustpoints: ASDM_TrustPoint0

Certificate
  Subject Name:
    Name: vpn.behringerharvard.com
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  270eaebd bce7a557 4f128bae b45deaa6
  Associated Trustpoint: ASDM_TrustPoint1

BHAddison5520#

Hi,

Please add the following command:

ssl trustpoint ASDM_TrustPoint3 outside

Test again and let me know.

Thanks.

It did not like the Trustpoint3. It looks like the CN for the cert being sent by the ASA is for the IP of the ASA, not the name.

I am not sure if someone changed something since the last time I posted, but here are the sh run outputs again.

BHAddison5520# sh run ssl
ssl trust-point ASDM_TrustPoint1 outside

BHAddison5520# sh run crypto ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=BHAddison5520
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn vpn.behringerharvard.com
 subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison
 keypair vpn
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint thought
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure
BHAddison5520#

BHAddison5520# sh crypto ca certificate
Certificate
  Status: Available
  Certificate Serial Number: c7f0894f
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=BHAddison5520.bh.com
    cn=BHAddison5520
  Subject Name:
    hostname=BHAddison5520.bh.com
    cn=BHAddison5520
  Validity Date:
    start date: 09:09:12 CDT Apr 17 2012
    end   date: 09:09:12 CDT Apr 15 2022
  Associated Trustpoints: ASDM_TrustPoint0

Certificate
  Subject Name:
    Name: vpn.behringerharvard.com
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  270eaebd bce7a557 4f128bae b45deaa6
  Associated Trustpoint: ASDM_TrustPoint1

BHAddison5520#

It looks like the ssl trustpoint got stuck.

Could you please remove the "ssl trust-point ASDM_TrustPoint1 outside" command?

Is there any chance to reload the ASA?

Thanks.

We will not be able to reload, this is a high-production system. I will take out the trustpoint and see what we get.

That did not work. When I look at the certificate being sent from the ASA it has the internal IP address of the ASA, not the name. I also see this when I look at the certificate:

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

Hi,

It looks like the old certificate got stuck, that is the reason why I suggested the reboot.

So, you did not reboot it?

Thanks.

FWIW I agree that "ssl trustpoint ASDM_TrustPoint3 outside" should solve this problem.

When you say it did not like that, what do you mean exactly? Did you get an error?

Assuming trustpoint1 is not used, can you try to remove it altogether?

As for the untrusted root error - you will either have to get a "public" certificate from a trusted 3rd party CA (Verisign, Godaddy, etc.) OR you will need to import the ASA's self-signed certificate into the trusted root store on each client.

hth

Herbert

OK, I am starting over here. I have got the Trustpoint3 setup properly it looks like. Here is the output from the show commands again.

BHAddison5520# sh run ssl
ssl trust-point ASDM_TrustPoint3 outside

BHAddison5520# sh run crypto ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=BHAddison5520
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn vpn.behringerharvard.com
 subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison
 keypair vpn
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint thought
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment self
 fqdn vpn.behringerharvard.com
 subject-name CN=vpn.behringerharvard.com
 keypair vpn
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 subject-name CN=vpn.behringerharvard.com,O=Behringer Harvard Holdings LLC,C=US
 keypair vpn
 crl configure

BHAddison5520# sh crypto certifi
BHAddison5520# sh crypto ca cert
BHAddison5520# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 0f1a3750
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=vpn.behringerharvard.com
    cn=vpn.behringerharvard.com
  Subject Name:
    hostname=vpn.behringerharvard.com
    cn=vpn.behringerharvard.com
  Validity Date:
    start date: 10:13:08 CDT Sep 24 2012
    end   date: 10:13:08 CDT Sep 22 2022
  Associated Trustpoints: ASDM_TrustPoint3

Certificate
  Status: Available
  Certificate Serial Number: c7f0894f
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=BHAddison5520.bh.com
    cn=BHAddison5520
  Subject Name:
    hostname=BHAddison5520.bh.com
    cn=BHAddison5520
  Validity Date:
    start date: 09:09:12 CDT Apr 17 2012
    end   date: 09:09:12 CDT Apr 15 2022
  Associated Trustpoints: ASDM_TrustPoint0

Certificate
  Subject Name:
    Name: vpn.behringerharvard.com
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  270eaebd bce7a557 4f128bae b45deaa6
  Associated Trustpoint: ASDM_TrustPoint1

Certificate
  Subject Name:
    Name: BHAddison5520.bh.com
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  eb5145d7 082ce963 011d7547 79adbbee
  Associated Trustpoint: ASDM_TrustPoint5

When I connect, the certificate that is being served to the clients has the outside IP on it for the CN, instead of the one I have issued for the name vpn.behringerharvard.com.

Hi,

Please do the following:

1- no ssl trustpoint ASDM_TrustPoint3 outside
2- webvpn
     no enable outside
     exit
3- ssl trustpoint ASDM_TrustPoint3 outside
4- webvpn
     enable outside

Let me know.

Thanks.

Portu.
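An added example, not from this thread or from Cisco: a small offline checker in Python that reads pasted "show run ssl" and "show crypto ca certificate" output and reports the three conditions the replies above walk through: no trust-point bound on the interface, a bound trustpoint whose terminal enrollment is still pending, and a certificate whose CN is not the name users type into AnyConnect. The function names and the trimmed sample input are my own, modelled on the output posted earlier.

```python
import re

# Constructed sample, trimmed from the ASA output posted in this thread (TrustPoint1 enrollment pending).
SHOW_RUN_SSL = "ssl trust-point ASDM_TrustPoint1 outside\n"
SHOW_CERTS = """Certificate
  Status: Available
  Subject Name:
    cn=vpn.behringerharvard.com
  Associated Trustpoints: ASDM_TrustPoint3
Certificate
  Status: Available
  Subject Name:
    cn=BHAddison5520
  Associated Trustpoints: ASDM_TrustPoint0
Certificate
  Subject Name:
    Name: vpn.behringerharvard.com
  Status: Pending terminal enrollment
  Associated Trustpoint: ASDM_TrustPoint1
"""

def parse_ssl_bindings(show_run_ssl):
    """Map interface -> trustpoint from 'ssl trust-point <tp> [<interface>]' lines."""
    return {m.group(2) or "*": m.group(1) for m in  # "*" = no interface given (global default)
            re.finditer(r"^ssl trust-?point (\S+)(?: (\S+))?", show_run_ssl, re.M)}

def parse_certificates(show_certs):
    """Split 'show crypto ca certificate' output into {status, cn, trustpoints} dicts."""
    certs = []
    for block in re.split(r"^Certificate[ \t]*$", show_certs, flags=re.M)[1:]:
        subject = block.split("Subject Name:", 1)[-1]  # skip the Issuer Name cn= line
        cn = re.search(r"^\s+(?:cn=|Name: )(\S+)", subject, re.M)
        status = re.search(r"Status: (.+)", block)
        tps = re.findall(r"Associated Trustpoints?: (.+)", block)
        certs.append({"status": status.group(1).strip() if status else "unknown",
                      "cn": cn.group(1) if cn else "", "trustpoints": tps[0].split() if tps else []})
    return certs

def check_gateway(fqdn, interface, show_run_ssl, show_certs):
    """Return findings; an empty list means clients should see no name warning."""
    bindings = parse_ssl_bindings(show_run_ssl)
    tp = bindings.get(interface, bindings.get("*"))
    if tp is None:
        return [f"no ssl trust-point bound on {interface}; ASA serves its own device cert"]
    usable = [c for c in parse_certificates(show_certs) if tp in c["trustpoints"]]
    issued = [c for c in usable if c["status"] == "Available"]
    if not issued:
        return [f"{tp} is bound but its certificate is '{usable[0]['status'] if usable else 'missing'}'"]
    if issued[0]["cn"].lower() != fqdn.lower():
        return [f"{tp} certificate CN '{issued[0]['cn']}' does not match '{fqdn}'"]
    return []
```

It compares only the CN because that is all the ASA output shows; AnyConnect also accepts a matching Subject Alternative Name, so a check against the live certificate served on the outside interface should compare the SAN list too.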