I have the following problem.
I've configured an SSL VPN on a UC520.
I can access it properly and I can see the labels, but I can only access URLs which are http, not https:
I can access the default IP of the UC520 (192.168.1.10), but
when I try to access a secure URL I get the message: Failed to validate server certificate
I'm trying to access a Cisco Digital Media Manager, whose URL is https://pc.sumkio.local:8080
Does the certificate on both devices have to be the same?
How can I add an https URL?
Here is the config of the router:
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 192.168.1.254 port 443
ssl trustpoint TP-self-signed-2977472073
webvpn context SDM_WEBVPN_CONTEXT_1
ssl authenticate verify all
heading "Corporate Intranet"
url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
url-text "Impresora" url-value "http://192.168.10.100"
url-text "DMM" url-value "https://pc.sumkio.local:8443"
url-text "DMM 1" url-value "http://192.168.10.10:8080"
url-text "UC520" url-value "http://192.168.10.1"
policy group SDM_WEBVPN_POLICY_1
svc dns-server primary 192.168.10.250
svc dns-server secondary 220.127.116.11
aaa authentication list sdm_vpn_xauth_ml_1
Any help would be appreciated.
You will need to create a trustpoint and import either:
- the server certificate (in this case you need 1 trustpoint per server)
- the issuer certificate (e.g. if all your servers have a cert issued by Globalsign, then import the Globalsign signing certificate)
Thanks for your answer, but I don't know how to do that.
I have 3 files, one is .crt, another is .ca and the last is .prv.
All these are from the UC520.
This certificate is self-signed.
Which file should I export to the Cisco Digital Media Manager?
And how can I do that?
Or should I have to import the CA from the DMM to the UC520?
I'm really lost.
You do not need to do anything on the DMM.
On the router, you need to import the DMM server certificate OR the CA certificate of the CA that the DMM received its cert from.
Off the top of my head, you would need something like:
crypto pki trustpoint DMMCA
crypto pki authenticate DMMCA
crypto pki import ...
to import the server cert.
(check the options, don't know them by heart)
Sorry for the condensed response - hope to have more time later or next week if you need more help.
Hi, thanks for your advice.
I'm trying to copy the certificate via cut and paste, but I'm getting a
% Error in saving certificate: status = FAIL
I don't know if I'm doing this right.
I open the https page from the DMM with Mozilla Firefox, and in the options I export the certificate in PEM format.
I get a file which, if I open it with Notepad, looks like
If I try to authenticate the trustpoint, I get that error.
How can I export the certificate from the DMM?
I think that this file is not the right file.
And then, do I have to make some changes in webvpn gateway SDM_WEBVPN_GATEWAY_1?
Should I choose the new trustpoint?
I understand that the old trustpoint is for the outside connection, not for the LAN connection.
Don't worry about me, answer when you can, but I really need to fix this.
Thank you so much.
It sounds like you're doing the right things, the cert format looks good, so not sure why it is saying "Error in saving certificate:". You may need to use "crypto pki import ..." instead of authenticate.
Would you mind posting the entire cert in PEM format (or send it to me privately - click on my name, then on my profile page click "send private message")?
Can't promise a response in the next few days though.
Thanks for sending me the cert. I tried importing it and see the same problem, but when I examine the cert with openssl it seems fine - but then I noticed that it has a very long validity, until the year 2112; I think this is causing the problem.
I found this bug on ASA:
CSCsu27196 ASA should support certificates with dates after Jan 19 2038
but I believe IOS has the same problem, although I cannot immediately find a bug ID for it.
Could you try issuing a new self-signed cert on the DMM server, with a shorter validity, e.g. until 2037?
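As an added example (not posted by anyone in this thread), a Python check for the validity-date problem described above: it parses the notBefore/notAfter fields out of a PEM certificate and flags one whose notAfter lies past 19 Jan 2038, the last second a signed 32-bit time_t can hold. The certificate it runs on is a constructed, unsigned dummy that exists only to exercise the parser; point cert_validity() at the real PEM exported from the DMM.

```python
import base64
import re
from datetime import datetime, timezone

# Last second of a signed 32-bit time_t; the ASA/IOS bug cited above rejects
# certificates whose notAfter lies beyond it.
TIME_T_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _asn1_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                           # UTCTime YYMMDDHHMMSSZ, RFC 5280 pivot at 50
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)  # GeneralizedTime

def cert_validity(pem):
    """Return (notBefore, notAfter) of a PEM certificate as aware datetimes."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert, _ = _tlv(der, 0)                 # Certificate
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = _children(fields[3][1])  # serial, sigAlg, issuer, validity
    return _asn1_time(*not_before), _asn1_time(*not_after)

def exceeds_time_t(pem):                      # True when notAfter does not fit a 32-bit time_t
    return cert_validity(pem)[1] > TIME_T_MAX

def der_encode(tag, content):                 # minimal DER encoder, short and long lengths
    n, k = len(content), (len(content).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + hdr + content

def sample_pem(not_after, generalized=True):
    """Constructed, unsigned dummy certificate; it only exercises the date parser."""
    empty, t = der_encode(0x30, b""), der_encode(0x18 if generalized else 0x17, not_after)
    validity = der_encode(0x30, der_encode(0x17, b"120101000000Z") + t)
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01") + empty + empty + validity + empty + empty)
    cert = der_encode(0x30, tbs + empty + der_encode(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()
```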
I have read your suggestion.
Does that mean we should ask the server owner to get a valid certificate to insert into the Cisco 1941 router?
I have no idea how to get the certificate for Gmail if we prefer to access this webmail service through the SSL VPN.
Moreover, how can we use that cert if the valid cert is already inserted into the router, because the router is already using this
"#crypto pki trustpoint TP-self-signed-3430371784" for client
Which command should I use for the valid certificate?