certificate on ASA

I have serious issues.

I generated a cert on a 2003 server and installed it on the Cisco ASA as the identity certificate, from a request made by the ASA.
The certificate issued by the server was also installed as the CA certificate on the ASA,
but now when I activate certificate validation for HTTPS on the ASA, I get the error "certificate failure" and I cannot log in.
NTP was in sync, and my client computer has a certificate from the CA (the 2003 server).
Did anyone get this before?

thank you
gazambey (IT Consultant) asked:
Dave Howe (Software and Hardware Engineer) commented:
Error where?
If it's in a browser, it should give a reason (name mismatch is a common one).
btan (Exec Consultant) commented:
You will need to verify the steps:

- Ensure that the hostname and domain name of the security appliance are configured correctly. You can use the show running-config command to view the hostname and domain name as currently configured.

- Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. After you have defined a trustpoint, you can reference it by name in commands requiring that you specify a CA. If a security appliance has multiple trustpoints that share the same CA, only one of these trustpoints sharing the CA can be used to validate user certificates. Use the support-user-cert-validation command to control which trustpoint sharing a CA is used for validation of user certificates issued by that CA.

- Be sure that the security appliance clock is set accurately before configuring the CA. Certificates have a date and time that they become valid and that they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.

You can also check out steps 3 and 4 to ensure the FQDN is the SAME name you entered for the CN.
gazambey (IT Consultant, author) commented:
Thank you all,

Dave, the error is in the ASDM. I can see in the browser that the cert is OK; it shows the number of times I connected to the ASA using the cert ("19x").

Btan, I used: www.petenetlive.com/KB/Article/0000694.htm
but I think if the browser is connecting successfully the issue may be somewhere else; let me do more verification.

Please see the attached pics; they might help come up with an idea.

btan (Exec Consultant) commented:
This ASDM troubleshooting guide may be handy (see "HTTP 404 not found (type 1)"), or maybe try another browser too (which is unlikely to help a lot either).
gazambey (IT Consultant, author) commented:
I tried another browser, and I got the cert error:
Mismatched address,
the security certificate presented by this website was issued for a different website's address.
This problem might indicate an attempt to fool you or intercept any data you send to the server.

thank you
btan (Exec Consultant) commented:
You are getting "Mismatched Address" because the CN that you created for the certificate does not match the URL that you use to access the SSL website. Hence the mismatch. So check your certificate, see what is configured under CN, and whether that matches what you use to access the URL.
Dave Howe (Software and Hardware Engineer) commented:
OK. You are using the Java-based client and having issues getting it to validate. This would be because Java has its *own* keystore for CA certificates, which you can most easily manipulate using This Tool (once you have updated one, the resulting cacerts file can be pushed out to other machines as you see fit).

The option you will want is
import -> Keystore's entry -> Trusted certificate -> Root CA certificate
and the default password for the root store is "changeit" :)
Dave Howe (Software and Hardware Engineer) commented:
As btan points out, the certificate needs to be valid for the host you are connecting to, exactly as you typed it (so if it has more than one name and/or an IP address, you would need a SAN cert to cover all those usage cases).
gazambey (IT Consultant, author) commented:
Thank you all,
let me get to the job and I will inform you soon.
gazambey (IT Consultant, author) commented:
Hello all,

This is what I did. I generated the cert using the CN as the IP address of the ASA. This is the same IP I used to access this ASA.

Question: am I obliged to use a domain name?
And the Firefox error suggests that my cert is coming from a not-trusted CA. I wonder if it is because I'm using an internal CA.
btan (Exec Consultant) commented:
The FF cert store needs the internal CA cert to be inside the trusted root store, else it will flag an unknown issuer (the issuer identifies the entity that issued the certificate). See "Importing a Root Certificate".

The cert8.db file stores all your security certificate settings and any SSL certificates you have imported into Firefox. For the other specific issuer-related errors, please see below.
>"The certificate is not trusted because the issuer certificate is unknown" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-the-issuer-certificate-is-unknown
>"The certificate is not trusted because no issuer chain was provided" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-no-issuer-chain-was-provided
>"The certificate is not trusted because it is self-signed" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-it-is-self-signed

For the matching of the CN and FQDN, they have to be the same domain and hostname; another means is the use of a wildcard cert or a SAN (subject alternative name) listing the other name (the SAN is the list of website addresses that the certificate can be used to identify). See also this error:
>"Certificate is only valid for (site name)" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_certificate-is-only-valid-for-site-name

Dave Howe (Software and Hardware Engineer) commented:
I would try the following.

1) Download and install xca (I seem to be recommending this a lot this week :)

2) Create your own CA in xca; export this as a PEM (cer) file with the certificate only.

3) Create a SAN certificate in xca with both the domain name and the IP address in it; set the CN to be the domain name, and export this as a PFX.

4) Import the CA cert into all root stores (ASA, Java, Firefox, Chrome, whatever).

5) Install the PFX onto the ASA for use with the web server.

6) Test :)
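As an added illustration of the CN/SAN matching that btan and Dave describe (this is not code from the thread or from Cisco), here is a stand-alone checker working on the dict shape Python's ssl.getpeercert() returns. It shows why a cert with only the ASA's IP in the CN fails for both ways of reaching the box, while a SAN cert carrying the domain name and the IP passes for either address. The two cert dicts, the name asa.example.local and the address 192.0.2.1 are constructed for the example.

```python
from typing import Tuple
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: only a bare leftmost '*' label is a wildcard."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one label and never the registrable domain itself.
    return p[0] == "*" and len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]


def cert_matches_address(cert: dict, address: str) -> Tuple[bool, str]:
    """Return (matched, reason) for the address typed into the browser or ASDM."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # Current browsers such as Chrome match an IP literal only against an
        # iPAddress SAN entry; this checker follows that rule, so an IP in the
        # CN alone (what the asker did) does not match.
        if any(ipaddress.ip_address(c) == ip for c in ip_names):
            return True, f"IP {address} is listed in subjectAltName"
        return False, f"IP {address} is not in subjectAltName (CN ignored for IP literals)"
    for cand in dns_names:
        if dns_name_matches(cand, address):
            return True, f"{address} matched SAN DNS entry {cand}"
    if dns_names:
        return False, f"{address} matched none of the SAN DNS entries {dns_names}"
    # No SAN extension at all: fall back to the subject CN, as older clients do.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(dns_name_matches(cn, address) for cn in cns):
        return True, f"{address} matched CN {cns} (no SAN present)"
    return False, f"{address} matches neither a SAN entry nor CN {cns}"


# Constructed examples: the asker's cert (CN = IP, no SAN) and the SAN cert proposed above.
CN_IS_IP_CERT = {"subject": ((("commonName", "192.0.2.1"),),)}
SAN_CERT = {
    "subject": ((("commonName", "asa.example.local"),),),
    "subjectAltName": (("DNS", "asa.example.local"), ("IP Address", "192.0.2.1")),
}
```

Run cert_matches_address(CN_IS_IP_CERT, "192.0.2.1") and the SAN_CERT variants to compare the reasons; the same function applied to a live ssl.getpeercert() result tells you which name the ASA's certificate is actually good for.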