Solved

certificate on ASA

Posted on 2014-10-17
Last Modified: 2014-11-12
I have serious issues.

I generated a cert on a 2003 server and installed it on the Cisco ASA as the identity certificate, from a request made by the ASA;
the certificate issued by the server was also installed on the CA of the ASA,
but now when I activate certificate validation on HTTPS on the ASA, I get the error "certificate failure" and I cannot login.
NTP was synced, and my client computer has a certificate from the CA (2003 server).
Did anyone get this before?

thank you
Question by:gazambey
12 Comments
LVL 33

Expert Comment

by:Dave Howe
ID: 40388612
Error where?
If it's in a browser, it should give a reason (name mismatch is a common one).
LVL 62

Expert Comment

by:btan
ID: 40388686
You will need to verify the steps:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/cert_cfg.html#wp1042284

- Ensure that the hostname and domain name of the security appliance are configured correctly. You can use the show running-config command to view the hostname and domain name as currently configured.

- Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. After you have defined a trustpoint, you can reference it by name in commands requiring that you specify a CA. If a security appliance has multiple trustpoints that share the same CA, only one of these trustpoints sharing the CA can be used to validate user certificates. Use the support-user-cert-validation command to control which trustpoint sharing a CA is used for validation of user certificates issued by that CA.

- Be sure that the security appliance clock is set accurately before configuring the CA. Certificates have a date and time that they become valid and that they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.

You can also check out steps 3 and 4 to ensure the FQDN is the SAME name you entered for the CN.
http://www.petenetlive.com/KB/Article/0000694.htm

Author Comment

by:gazambey
ID: 40390691
Thank you all,

Dave, the error is on the ASDM. I can see in the browser that the cert is OK; it shows the number of times I connected to the ASA using the cert (''19x'').

Btan, I used the: www.petenetlive.com/KB/Article/0000694.htm
but I think if the browser is connecting with success the issue may be somewhere else; let me do more verification.

Please see the attached pics; they might help come up with an idea.

Thanks
ASA.PNG
verify.PNG
LVL 62

Expert Comment

by:btan
ID: 40391111
This ASDM troubleshooting guide may be handy (see "HTTP 404 not found (type 1)"), or maybe try another browser too (which is unlikely to help a lot either):
https://supportforums.cisco.com/document/57701/asdm-access-troubleshooting

Author Comment

by:gazambey
ID: 40391665
Btan,
I tried another browser, and I got the cert error:
"Mismatched address,
the security certificate presented by this website was issued for a different website's address.
This problem might indicate an attempt to fool you or intercept any data you sent to the server."

Thank you
LVL 62

Expert Comment

by:btan
ID: 40391831
You are getting "Mismatch Address" because the CN that you have created for the certificate does not match the URL that you use to access the SSL website. Hence the mismatch. So check your certificate, see what is configured under CN, and whether that matches what you use to access the URL.
https://www.sslshopper.com/ssl-certificate-name-mismatch-error.html

LVL 33

Expert Comment

by:Dave Howe
ID: 40391837
OK. You are using the Java based client and having issues getting it to validate. This would be because Java has its *own* keystore for CA certificates, which you can most easily manipulate using This Tool (once you have updated one, the resulting cacerts file can be pushed out to other machines as you see fit).

The option you will want is
import -> Keystore's entry -> Trusted certificate -> Root CA certificate
and the default password for the root store is "changeit" :)
LVL 33

Expert Comment

by:Dave Howe
ID: 40392023
As btan points out, the certificate needs to be valid for the host you are connecting to, exactly as you typed it (so if it has more than one name and/or an IP address, you would need a SAN cert to cover all those usage cases).

Author Comment

by:gazambey
ID: 40393800
Thank you all,
let me get to the job and I will inform you soon,
BR,

Author Comment

by:gazambey
ID: 40394163
Hello all,

This is what I did. I generated the cert using the CN as the IP address of the ASA. This is the same I used to access this ASA.

Question: Am I obliged to use a domain name?
And the Firefox error suggests that my cert is coming from a not trusted CA. I wonder if it is because I'm using an internal CA.
Cert-Windows-Explorer.jpg
error-Firefox.jpg
LVL 62

Accepted Solution

by:btan (earned 500 total points)
ID: 40394206
The FF cert store needs the internal CA cert to be inside the trusted root store, else it will flag an unknown issuer (i.e. the entity that issued the certificate cannot be identified). See "Importing a Root Certificate":
https://wiki.mozilla.org/CA:UserCertDB#Importing_a_Root_Certificate

The cert8.db file stores all your security certificate settings and any SSL certificates you have imported into Firefox. For the other specific issuer-related errors, please see below.
>"The certificate is not trusted because the issuer certificate is unknown" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-the-issuer-certificate-is-unknown
>"The certificate is not trusted because no issuer chain was provided" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-no-issuer-chain-was-provided
>"The certificate is not trusted because it is self-signed" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-it-is-self-signed

For the matching, the CN and FQDN have to be from the same domain and hostname; another means is the use of a wildcard cert or SAN (subject alternative name) having the other domain stated (i.e. the SAN is the list of website addresses that the certificate can be used to identify). See also this error:
>"Certificate is only valid for (site name)" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_certificate-is-only-valid-for-site-name
LVL 33

Expert Comment

by:Dave Howe
ID: 40394308
I would try the following.

1) Download and install xca (I seem to be recommending this a lot this week :)

2) Create your own CA in xca; export this as a PEM (cer) file with certificate only.

3) Create a SAN certificate in xca with both the domain name and IP address in it; set the CN to be the domain name, and export this as a PFX.

4) Import the CA cert into all root stores (ASA, Java, Firefox, Chrome, whatever).

5) Install the PFX onto the ASA for use with the webserver.

6) Test :)
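The two failures discussed in the thread (btan's accepted answer on the untrusted internal CA, and Dave Howe's SAN procedure above) can be reproduced and checked locally with openssl. This is an added example, not code from the thread or from Cisco: it builds a throwaway private CA and an identity cert whose SAN lists both the hostname and the IP, then runs the same chain and name checks a browser does. The FQDN, IP and CA name are constructed placeholders; it assumes openssl 1.1.1 or later on PATH.

```shell
# Added example (not from the thread): private CA + ASA identity cert whose SAN
# carries both hostname and management IP, then a browser-style check of a URL
# target. Assumes openssl >= 1.1.1; the name and IP are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
ASA_FQDN="asa.example.local"
ASA_IP="192.0.2.1"

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# CN = FQDN; SAN lists the FQDN *and* the IP, so https://<ip>/ also matches.
# A cert with only CN=<ip> and no IP SAN is what triggers "mismatched address".
make_asa_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/asa.key" \
    -out "$WORK/asa.csr" -subj "/CN=$ASA_FQDN" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$ASA_FQDN" "$ASA_IP" >"$WORK/san.ext"
  openssl x509 -req -in "$WORK/asa.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" \
    -out "$WORK/asa.pem" >/dev/null 2>&1
}

# $1 = host part of the URL you type (name or IP), $2 = trust store to use.
# Prints one verdict so the two failures in the thread stay distinguishable:
# "untrusted-issuer" (CA not in the store) or "name-mismatch" (CN/SAN wrong).
check_target() {
  target="$1"; store="${2:-$WORK/ca.pem}"
  if ! openssl verify -CAfile "$store" "$WORK/asa.pem" >/dev/null 2>&1; then
    echo "untrusted-issuer"; return
  fi
  case "$target" in
    *[!0-9.]*) flag=-checkhost ;;   # contains non-digits: treat as DNS name
    *)         flag=-checkip ;;     # dotted quad: must match an IP SAN entry
  esac
  if openssl x509 -in "$WORK/asa.pem" -noout "$flag" "$target" | grep -q "does match"; then
    echo "ok"
  else
    echo "name-mismatch"
  fi
}

make_ca && make_asa_cert
check_target "$ASA_FQDN"                  # ok
check_target "$ASA_IP"                    # ok
check_target "192.0.2.2"                  # name-mismatch
check_target "$ASA_IP" "$WORK/asa.pem"    # untrusted-issuer (wrong trust store)
```

Passing a store that does not contain the CA reproduces Firefox's "issuer certificate is unknown" case, while an IP that is not in the SAN reproduces the "mismatched address" error even though the chain is trusted.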