Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Security Warning for ASA SSL VPN using Wildcard Certificate

Greetings,

 

Setting up WebVPN for ASA5515X. Everything works as designed except I am getting security warnings when initiating connection. Something to the effect of:

Untrsted VPN Server Blocked

I use a Netsol issued Wildcard Certificate. It been imported with the keys and the cert chain. Seems when I connect to the ASA using SSL VPN I have to connect using the hostname and domain name configured on the ASA for it to not throw security warnings. Is there some way to tell the ASA to match using something other than the configured local hostname and domain so I can stop these warnings? Thanks in advance.

3 REPLIES
Hall of Fame Super Silver

If you use anything other

If you use anything other than the FQDN* configured in the certificate (which should match that of the ASA) you will get the browser and/or Anyconnect warning. You can click past the warning in the web interafce or tell AnyConnect via its preferences settings to not "Block Connections to Untrusted Servers" (generally not recommended) and still connect though either seems a bit silly if you've gone to the trouble to purchase and install a certificate.

 

*Technically your certificate isn't "fully" qualified with the wildcard but the non-woldcarded bits must match.

New Member

Thanks for the reply. I

Thanks for the reply. I understand normally you would want have the hostnames match to get the cert warning to go away. What I was wondering is if you could tell the ASA to use something other than the hostname for matching. My devices hostnames are based on function/location etc. I don't really want to give that away to users by having them connect to some cab01-asa-10.domain.com URL. I would prefer to not change the hostname either to match the URL I give users just to support this functionality. The wildcard cert works if I set up local host entries on my machine for the hostname of the device so I know changing the hostname will fix the issue. Would like to avoid that if possible.

 

Does anyone know if I change the hostname do I need to do anything with the cert/trustpoint already configured to get it to work? Maybe reload the cert for use with the new hostname? Thanks again for the reply.

Hall of Fame Super Silver

Hmm, I'm not positive but I

Hmm, I'm not positive but I see what you're asking.

If I understand correctly how the certificates work, it's actually the "cn" (common name) value on the certificate that's be compared to the FQDN the client browsed to. Usually the cn is the same as the device hostname. It doesn't have to be though. cn could be the user-friendly name and hostname could be the name useful to the IT team.

Since your certificate cn is * (wildcard), it seems to me if your DNS record (or local hosts file) maps cn.yourcompany.com to your ASAs outside address and the ASA has the certificate *.yourcompany.com installed it might work OK. It's worth a try.

798
Views
0
Helpful
3
Replies