Gaston Mbey
certificate on ASA

I have serious issues.

I generated a cert on a 2003 server and installed it on the Cisco ASA as an identity certificate, from a request made by the ASA;
the certificate issued by the server was also installed in the CA of the ASA,
but now when I activate certificate validation on HTTPS on the ASA, I get the error "certificate failure" and I cannot log in.
NTP was synced, and my client computer has a certificate from the CA (2003 server).
Did anyone get this before?

thank you
Dave Howe

Error where?
If it's in a browser, it should give a reason (name mismatch is a common one).
btan

You will need to verify the steps:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/cert_cfg.html#wp1042284

- Ensure that the hostname and domain name of the security appliance are configured correctly. You can use the show running-config command to view the hostname and domain name as currently configured.

- Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. After you have defined a trustpoint, you can reference it by name in commands requiring that you specify a CA. If a security appliance has multiple trustpoints that share the same CA, only one of these trustpoints sharing the CA can be used to validate user certificates. Use the support-user-cert-validation command to control which trustpoint sharing a CA is used for validation of user certificates issued by that CA.

- Be sure that the security appliance clock is set accurately before configuring the CA. Certificates have a date and time that they become valid and that they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.

You can also check out steps 3 and 4 to ensure the FQDN is the SAME name you entered for the CN.
http://www.petenetlive.com/KB/Article/0000694.htm
Gaston Mbey (ASKER)
Thank you all,

Dave, the error is on the ASDM. I can see in the browser that the cert is OK; it shows the number of times I connected to the ASA using the cert ("19x").

Btan, I used the: www.petenetlive.com/KB/Article/0000694.htm
but I think if the browser is connecting with success the issue may be somewhere else; let me go under more verification.

Please see the attached pics; they might help come up with an idea.

Thanks
ASA.PNG
verify.PNG
This ASDM troubleshooting guide may be handy (see "HTTP 404 not found (type 1)"), or maybe try another browser too (which is unlikely to help a lot either).
https://supportforums.cisco.com/document/57701/asdm-access-troubleshooting
Btan,
I tried another browser, and I got the cert error:
Mismatched address,
the security certificate presented by this website was issued for a different website's address.
This problem might indicate an attempt to fool you or intercept any data you sent to the server.

Thank you
You are getting "Mismatched Address" because the CN that you created for the certificate does not match the URL that you use to access the SSL website. Hence the mismatch. So check your certificate, see what is configured under CN, and whether that matches what you use to access the URL.
https://www.sslshopper.com/ssl-certificate-name-mismatch-error.html
OK. You are using the Java-based client and having issues getting it to validate. This would be because Java has its *own* keystore for CA certificates, which you can most easily manipulate using This Tool (once you have updated one, the resulting cacerts file can be pushed out to other machines as you see fit).

The option you will want is
Import -> Keystore's entry -> Trusted certificate -> Root CA certificate
and the default password for the root store is "changeit" :)
As btan points out, the certificate needs to be valid for the host you are connecting to, exactly as you typed it (so if it has more than one name and/or an IP address, you would need a SAN cert to cover all those usage cases).
Thank you all,
let me get to the job and I will inform you soon,
BR,
Hello All

This is what I did. I generated the cert using the CN as the IP address of the ASA. This is the same I used to access this ASA.

Question: Am I obliged to use a domain name?
And the Firefox error suggests that my cert is coming from a not trusted CA. I wonder if it is because I'm using an internal CA.
Cert-Windows-Explorer.jpg
error-Firefox.jpg
ASKER CERTIFIED SOLUTION
Avatar of btan
btan

I would try the following.

1) Download and install xca (I seem to be recommending this a lot this week :)

2) Create your own CA in xca; export this as a PEM (cer) file with the certificate only.

3) Create a SAN certificate in xca with both the domain name and the IP address in it; set the CN to be the domain name, and export this as a PFX.

4) Import the CA cert into all root stores (ASA, Java, Firefox, Chrome, whatever).

5) Install the PFX onto the ASA for use with the web server.

6) Test :)
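To show concretely why the "Mismatched address" error in the thread appears and why step 3 above (a SAN cert carrying both the DNS name and the IP) fixes it, here is an added example, not code from the original thread or from xca or Cisco: a small name-matching routine over certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The two certificates and the addresses are constructed for illustration; `allow_cn_fallback` is a hypothetical switch that models legacy clients (which fall back to the CN when no SAN exists) versus modern browsers (which ignore the CN entirely).

```python
import ipaddress

# Constructed sample certs (not the asker's real certs), in getpeercert() dict form.
CERT_CN_IP_ONLY = {
    "subject": ((("commonName", "192.0.2.10"),),),  # what the asker did: CN = ASA IP, no SAN
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "asa.example.local"),),),  # step 3: CN = domain name
    "subjectAltName": (("DNS", "asa.example.local"), ("IP Address", "192.0.2.10")),
}


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; a single leftmost '*' label matches one label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    labels = pattern.split(".")
    if labels[0] == "*" and len(labels) > 1:
        host_labels = hostname.split(".")
        return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]
    return False


def cert_matches(cert, reference, allow_cn_fallback=True):
    """True if the identity typed into the client (hostname or IP literal) is covered
    by the cert. SAN entries are authoritative; the CN is consulted only when the cert
    has no SAN at all and the (assumed) legacy fallback is allowed."""
    try:
        ip = ipaddress.ip_address(reference)   # IP literal typed in the URL bar
    except ValueError:
        ip = None                              # otherwise treat it as a DNS name
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            if ip is None and kind == "DNS" and _dns_match(value, reference):
                return True
        return False                           # SAN present but nothing matched: mismatch
    if not allow_cn_fallback:
        return False                           # modern browsers: no SAN means no match
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(str(ip) == cn if ip is not None else _dns_match(cn, reference) for cn in cns)
```

With the CN-only cert, only an IP-literal URL on a legacy client matches; the SAN cert matches by either name or IP, which is the situation step 3 sets up.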