Solved

certificate on ASA

Posted on 2014-10-17
412 Views
Last Modified: 2014-11-12
I have serious issues.

I generated a cert on a 2003 server and installed it on the Cisco ASA as the identity certificate, from a request made by the ASA;
the certificate issued by the server was also installed in the CA store of the ASA,
but now, when I activate certificate validation on HTTPS on the ASA, I get the error "certificate failure" and I cannot log in.
NTP was synced, and my client computer has a certificate from the CA (2003 server).
Did anyone get this before?

Thank you
Question by:gazambey
12 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40388612
Error where?
If it's in a browser, it should give a reason (name mismatch is a common one).
 
LVL 61

Expert Comment

by:btan
ID: 40388686
You will need to verify the steps:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/cert_cfg.html#wp1042284

- Ensure that the hostname and domain name of the security appliance are configured correctly. You can use the show running-config command to view the hostname and domain name as currently configured.

- Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. After you have defined a trustpoint, you can reference it by name in commands requiring that you specify a CA. If a security appliance has multiple trustpoints that share the same CA, only one of these trustpoints sharing the CA can be used to validate user certificates. Use the support-user-cert-validation command to control which trustpoint sharing a CA is used for validation of user certificates issued by that CA.

- Be sure that the security appliance clock is set accurately before configuring the CA. Certificates have a date and time that they become valid and that they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.

You can also check out steps 3 and 4 to ensure the FQDN is the SAME name you entered for the CN.
http://www.petenetlive.com/KB/Article/0000694.htm
 

Author Comment

by:gazambey
ID: 40390691
Thank you all,

Dave, the error is on the ASDM; in the browser I can see the cert is OK, it shows the number of times I connected to the ASA using the cert ("19x").

Btan, I used the: www.petenetlive.com/KB/Article/0000694.htm
but I think if the browser is connecting successfully the issue may be somewhere else; let me do some more verification.

Please see the attached pics, they might help come up with an idea.

Thanks
ASA.PNG
verify.PNG
 
LVL 61

Expert Comment

by:btan
ID: 40391111
This ASDM troubleshooting guide may be handy (see "HTTP 404 not found (type 1)"), or maybe try another browser too (which is unlikely to help a lot either):
https://supportforums.cisco.com/document/57701/asdm-access-troubleshooting
 

Author Comment

by:gazambey
ID: 40391665
Btan,
I tried another browser, and I got the cert error:
"Mismatched address:
the security certificate presented by this website was issued for a different website's address.
This problem might indicate an attempt to fool you or intercept any data you sent to the server."

Thank you
 
LVL 61

Expert Comment

by:btan
ID: 40391831
You are getting "Mismatch Address" because the CN that you created for the certificate does not match the URL that you use to access the SSL website. Hence the mismatch. So check your certificate, see what is configured under CN, and whether that matches what you use to access the URL.
https://www.sslshopper.com/ssl-certificate-name-mismatch-error.html
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40391837
OK. You are using the Java-based client and having issues getting it to validate. This would be because Java has its *own* keystore for CA certificates, which you can most easily manipulate using This Tool (once you have updated one, the resulting cacerts file can be pushed out to other machines as you see fit).

The option you will want is
import -> Keystore's entry -> Trusted certificate -> Root CA certificate
and the default password for the root store is "changeit" :)
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40392023
As btan points out, the certificate needs to be valid for the host you are connecting to, exactly as you typed it (so if it has more than one name and/or an IP address, you would need a SAN cert to cover all those usage cases).
 

Author Comment

by:gazambey
ID: 40393800
Thank you all,
let me get to the job and I will inform you soon.
BR,
 

Author Comment

by:gazambey
ID: 40394163
Hello all,

This is what I did: I generated the cert using the CN as the IP address of the ASA. This is the same one I use to access this ASA.

Question: am I obliged to use a domain name?
And the Firefox error suggests that my cert is coming from a not trusted CA. I wonder if it is because I'm using an internal CA.
Cert-Windows-Explorer.jpg
error-Firefox.jpg
 
LVL 61

Accepted Solution

by: btan (earned 500 total points)
ID: 40394206
The FF cert store needs the internal CA cert to be inside the trusted root store, else it will be flagged as unknown issuer (the issuer identifies the entity that issued the certificate). See "Importing a Root Certificate":
https://wiki.mozilla.org/CA:UserCertDB#Importing_a_Root_Certificate

The cert8.db file stores all your security certificate settings and any SSL certificates you have imported into Firefox. For the other specific issuer-related errors, please see below.
>"The certificate is not trusted because the issuer certificate is unknown" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-the-issuer-certificate-is-unknown
>"The certificate is not trusted because no issuer chain was provided" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-no-issuer-chain-was-provided
>"The certificate is not trusted because it is self-signed" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-it-is-self-signed

For the matching of the CN and FQDN, they have to be the same domain and hostname; another means is the use of a wildcard cert or a SAN (subject alternative name) with the other domain stated (the SAN is a list of website addresses that the certificate can be used to identify). See also the error:
>"Certificate is only valid for (site name)" - https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_certificate-is-only-valid-for-site-name
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40394308
I would try the following.

1) download and install xca (I seem to be recommending this a lot this week :)

2) create your own CA in xca; export this as a PEM (cer) file with certificate only

3) create a SAN certificate in xca with both the domain name and IP address in it; set the CN to the domain name, and export this as a PFX

4) import the CA cert into all root stores (ASA, Java, Firefox, Chrome, whatever)

5) install the PFX onto the ASA for use with the web server

6) test :)
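Editor's added example (not code from the thread or from any of the experts above): the script below replays the "Mismatched address" failure btan and Dave Howe diagnosed, then carries out steps 2 to 5 of Dave Howe's recipe with openssl standing in for xca. The names are assumptions: asa.example.com for the ASA and the RFC 5737 test address 192.0.2.10 for its management IP; everything is written to a scratch directory. The first certificate it issues is the one the thread started with (CN set to the IP, no SAN), which openssl's own name check rejects for an IP literal exactly as the browsers did; the second carries the FQDN in the CN and both the FQDN and the IP in the SAN, and passes for either form of the ASDM URL.

```shell
#!/bin/sh
# Added example, not code from the thread. Replays the "Mismatched address"
# failure with openssl, then builds the CA + SAN certificate from Dave Howe's
# recipe (openssl stands in for xca). Assumed names: asa.example.com and the
# RFC 5737 test address 192.0.2.10. All files go into a scratch directory.
set -e

WORK="${WORK:-$(mktemp -d)}"
ASA_FQDN="asa.example.com"
ASA_IP="192.0.2.10"

# One openssl config for every request below: an explicit CA extension section
# (so 'openssl verify' accepts ca.pem as a CA) and the SAN section for the ASA.
write_config() {
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
        '[san_ext]' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$ASA_FQDN,IP:$ASA_IP" > "$WORK/req.cnf"
}

# Step 2: a private CA. ca.pem is the "certificate only" PEM that goes into
# every trust store; ca.key never leaves this machine.
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# The certificate the thread started with: CN set to the IP address, no SAN.
make_cn_ip_cert() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$ASA_IP" -keyout "$WORK/bad.key" -out "$WORK/bad.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -in "$WORK/bad.csr" -out "$WORK/bad.pem" 2>/dev/null
}

# Step 3: CN = FQDN, SAN carries both the FQDN and the IP, so the ASDM URL
# validates whichever form is typed. Step 5 needs the PKCS#12 (cert + key).
make_san_cert() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$ASA_FQDN" -keyout "$WORK/asa.key" -out "$WORK/asa.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/req.cnf" -extensions san_ext \
        -in "$WORK/asa.csr" -out "$WORK/asa.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/asa.key" -in "$WORK/asa.pem" \
        -certfile "$WORK/ca.pem" -passout pass:changeit -out "$WORK/asa.pfx"
}

# The check every browser applies (RFC 6125): does the certificate cover the
# exact name or IPv4 literal typed into the address bar? An IP in the CN does
# not count; only an iPAddress SAN does. Prints 'match' or 'mismatch'.
check_name() {  # $1 = certificate, $2 = hostname or IPv4 literal
    case "$2" in
        *[!0-9.]*) flag=-checkhost ;;
        *)         flag=-checkip ;;
    esac
    if openssl x509 -noout -in "$1" "$flag" "$2" | grep -q 'does match'; then
        echo match
    else
        echo mismatch
    fi
}

# Does the server certificate chain to the CA the clients will trust?
verify_chain() {  # $1 = certificate; prints 'ok' or 'fail'
    if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Step 4 for the Java-based ASDM launcher: import the CA into a Java keystore.
# A scratch keystore is used here; the real target is the JRE's cacerts file,
# whose default password is "changeit" as Dave Howe notes.
import_into_java() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping Java trust-store import" >&2
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias example-internal-ca \
        -file "$WORK/ca.pem" -keystore "$WORK/cacerts" -storepass changeit
}

write_config
make_ca
make_cn_ip_cert
make_san_cert
echo "CN=IP cert, typed $ASA_IP:   $(check_name "$WORK/bad.pem" "$ASA_IP")"
echo "SAN cert,   typed $ASA_IP:   $(check_name "$WORK/asa.pem" "$ASA_IP")"
echo "SAN cert,   typed $ASA_FQDN: $(check_name "$WORK/asa.pem" "$ASA_FQDN")"
echo "chain to ca.pem: $(verify_chain "$WORK/asa.pem")"
```

The first line of output is the thread's bug in miniature: a certificate whose only name is an IP address in the CN is a mismatch for that very IP, because browsers (and openssl's X509_check_ip) consult only iPAddress SAN entries for IP literals and never fall back to the CN. For step 5, the ASA takes the PKCS#12 as base64 text (`openssl base64 -in "$WORK/asa.pfx"`) pasted into `crypto ca import <trustpoint> pkcs12 changeit`, after which `ssl trust-point <trustpoint> <interface>` binds it to the HTTPS server; those two commands are from the ASA CLI as I know it, so confirm them against the reference for your release. Firefox keeps its own store, so step 4 for it is the GUI import btan linked; Chrome and IE share the Windows store.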
