ASA Trustpoint config

johnlloyd_13
Level 9

Hi,

I'm going to upgrade an ASA 5510 to an ASA 5525-X. The existing 5510 is currently an AnyConnect VPN server.

I noticed there's a trustpoint configured (the old admin generated it via ASDM) and pre-configured it on the 5525.

Does the trustpoint have a dependency on AnyConnect RA VPN?

Will the config difference below 'break' AnyConnect?

ASA 5510 (ver 9.1)

crypto ca trustpoint ASDM_TrustPoint1
 keypair ASDM_TrustPoint1
 crl configure

crypto ca certificate chain ASDM_TrustPoint1
 certificate 137a39
    30820521 30820409 a

<SNIP>

crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

ASA 5525-X (ver 9.4)

crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 keypair ASDM_TrustPoint1
 crl configure

crypto ca certificate chain ASDM_TrustPoint1
 certificate 88368259
    308202ba 308201a2

<SNIP>

crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

13 Replies

The clients need to trust the VPN-Server. Is the certificate in ASDM_TrustPoint1 on the 5510 a self-signed one or one from a public CA? I would export the certificate and private-key on the old one and import it on the new ASA into a new trustpoint. Then activate this trustpoint for your VPN.

Hi Karsten,

How would you check if the cert is self-signed or from a public CA? Is there a command I could use?

I tried to copy/paste the cert hex key from the 5510 but it showed me an error:

ERROR: Public key contained in the device certificate doesn't match the device's


ciscoasa(config-ca-crl)# crypto ca certificate chain ASDM_TrustPoint1

ciscoasa(config-cert-chain)#  certificate 137a39
Enter the certificate in hexadecimal representation....

ciscoasa#     30820521 30820409 a0030201 02020313

<SNIP>


ciscoasa(config-pubkey)#     e3b0f8db a7

ciscoasa(config-pubkey)#   quit
ERROR: Public key contained in the device certificate doesn't match the device's

I went ahead and generated a self-signed cert and enrolled afterwards.

ciscoasa(config)# crypto key generate rsa general-keys label  ASDM_TrustPoint1 modulus 2048
INFO: The name for the keys will be: ASDM_TrustPoint1
Keypair generation process begin. Please wait...


ciscoasa(config)# crypto ca enroll ASDM_TrustPoint1

% The fully-qualified domain name in the certificate will be: ciscoasa


% Include the device serial number in the subject name? [yes/no]: no


Generate Self-Signed Certificate? [yes/no]: yes

After the above I was able to type this command:

crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

I would assume the old admin did a self-signed cert since our environment doesn't have PKI.

Please correct me: when you say it's a public CA/PKI, it has the domain name, country, etc. fields, right?

You can look at the certificate with "show crypto ca certificate". But anyhow, if you export it on the old ASA and import it on the new one, it will have the same "trust-status" as before.

Hi,

It looks like it has a public CA on the 5510.

Could you advise on the steps for how to 'export' it to the 5525-X?

Or will the self-signed cert I generated on the 5525-X suffice?

# show crypto ca certificate
Certificate
  Status: Available
  Certificate Serial Number: 137a39
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=RapidSSL CA
    o=GeoTrust\, Inc.
    c=US
  Subject Name:
    cn=*.xyz.net
    ou=Domain Control Validated - RapidSSL(R)
    ou=See www.rapidssl.com/resources/cps (c)14
    ou=GT02345214
    serialNumber=XYa9uMV1vgWcrlFkJjw7pt-LVVABC123
  OCSP AIA:
    URL: http://rapidssl-ocsp.geotrust.com
  CRL Distribution Points:
    [1]  http://rapidssl-crl.geotrust.com/crls/rapidssl.crl
  Validity Date:
    start date: 22:34:33 UTC Jun 15 2014
    end   date: 05:13:51 UTC Jul 18 2018
  Associated Trustpoints: ASDM_TrustPoint1

Certificates that are referenced by trustpoints need several bits to make them valid on a given device. The certificate itself is just one of those bits.

You also need the private key that was used to generate the Certificate Signing Request (CSR). Without that, the certificate is invalid. Typically on an ASA the private key may not be exportable unless it was marked as such when generated. Your signing CA (geotrust in your example) is usually able to generate a new certificate when rehosting to a device where you are unable to copy over the original private key.

The other bits are any intermediate certificates in the chain between the public trusted root CA and the signing CA. That's also known as the certificate chain and is usually available from the public CA's web site in various formats.

Marvin,

Can't I just do an export/import between the 5510 and 5525 for ASDM_TrustPoint1?

ciscoasa(config)# crypto ca export ASDM_TrustPoint1 pkcs12 cisco123

Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIINrwIBAzCCDWkGCSqGSIb3DQEHAaCCDVoEgg1WMIINUjCCDU4GCSqGSIb3DQEH

<SNIP>

GgUABBTdNlD8PHam0stRBZK32os0BmrdQAQU99rJlI3qNx40t0AqZpijZ8RrqToC
AgQA
-----END PKCS12-----

Ah - my oversight - you're correct. I had forgotten the ASA lets you export the pkcs12 blob. That does include both the certificate and private key.

I'm used to importing them in - like as a wildcard certificate - in which case I usually need to get a hold of the private key separately.

You can test your remote access VPN on the new ASA before going live with it - just plug your laptop into the outside interface and hard code its IP address as the ASA outside gateway, make a local host file entry on the laptop for the ASA's FQDN and launch Anyconnect as usual.
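
As an added example (not from the thread, and not Cisco code), here are the offline checks a practitioner would run on that PKCS12 blob on a workstation before importing it on the 5525-X. It generates its own constructed, self-signed key and certificate rather than using anything from the thread, and uses the thread's passphrase cisco123 only as a stand-in; the only tool it assumes is openssl on PATH. It shows the three things the replies above turn on: whether the private key in the bundle actually matches the certificate (the comparison the ASA was doing when it printed "Public key contained in the device certificate doesn't match the device's"), whether the certificate is self-signed (issuer equals subject) or CA-issued, and how far it is from expiry.

```sh
#!/bin/sh
# Added example, not from the thread or Cisco: offline checks on a PKCS12 bundle
# before "crypto ca import <trustpoint> pkcs12 <passphrase>" on the new ASA.
# Requires openssl on PATH; all key material is constructed locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=cisco123            # export passphrase, same stand-in value as in the thread

# Constructed stand-in for the old ASA's identity certificate and key
# (self-signed here; a RapidSSL-issued one would show the CA as issuer).
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=vpn.example.com" \
    -keyout "$WORK/asa.key" -out "$WORK/asa.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/asa.crt" -inkey "$WORK/asa.key" \
    -passout "pass:$PASS" -out "$WORK/asa.p12"
  printf '%s\n' "$WORK/asa.p12"
}

# Split a bundle into the identity cert and the private key it should pair with.
unpack_p12() {                # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -clcerts -nokeys -out "$WORK/id.crt" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes -out "$WORK/id.key" 2>/dev/null
}

# The ASA rejects a pasted certificate whose public key is not the keypair the
# trustpoint names; this is the same comparison done with openssl.
key_matches_cert() {          # $1 = cert PEM, $2 = private key PEM
  if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
  then printf 'MATCH\n'; else printf 'MISMATCH\n'; fi
}

# Self-signed means issuer == subject; a CA-issued cert shows the CA as issuer.
is_self_signed() {            # $1 = cert PEM
  iss=$(openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  if [ "$iss" = "$sub" ]; then printf 'yes\n'; else printf 'no\n'; fi
}

# Will the certificate still be valid N days from now? (Clients warn once it expires.)
valid_for_days() {            # $1 = cert PEM, $2 = days
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
  then printf 'yes\n'; else printf 'no\n'; fi
}

P12=$(make_sample_p12)
unpack_p12 "$P12"
echo "key matches cert: $(key_matches_cert "$WORK/id.crt" "$WORK/id.key")"
echo "self-signed:      $(is_self_signed "$WORK/id.crt")"
echo "valid 10 days:    $(valid_for_days "$WORK/id.crt" 10)"
echo "valid 60 days:    $(valid_for_days "$WORK/id.crt" 60)"

# A second, unrelated key reproduces the mismatch the ASA complained about.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
echo "unrelated key:    $(key_matches_cert "$WORK/id.crt" "$WORK/other.key")"
```

On the ASA the counterpart of the export shown above is `crypto ca import ASDM_TrustPoint1 pkcs12 cisco123`, pasting the base64 between the BEGIN/END PKCS12 lines. Because the bundle carries the private key alongside the certificate, importing it avoids the mismatch error that pasting only the certificate hex produced. The passphrase is all that protects the private key in that blob, so use something stronger than cisco123 for a real export and don't leave the exported text in a ticket or chat log.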

Marvin,

Thanks for the tip!

One last thing: I've noticed the ASDM_TrustPoint0 CA cert has a longer validity, till 2020, vs. ASDM_TrustPoint1, which is valid only till 2018.

Can I point to ASDM_TrustPoint0 instead?

Will AnyConnect 'break' or not work in 2018 when the CA cert expires?

You can only use the certificate associated with your ASA's private key. It is also the certificate which has your ASA's FQDN as the Common Name (CN). That's what makes the whole chain of trust concept work.

Certificates always have a fixed lifetime and need to be re-issued (re-purchased in the case of public ones) when they expire.

If you let a certificate expire, the client will get a warning about an untrusted site due to invalid (expired) certificate when they connect. Unless they explicitly accept it, the SSL VPN will not establish.

Hi Marvin,

I started a thread a couple days ago about a problem with VPN but the communication is too slow and I need to solve this ASAP. Can you help me out please???

Thanks in advance. BR.

gasparmenendez

Please don't hijack unrelated threads.

Marvin Rhoads
Hall of Fame

Check the following:

sh run ssl | i trust-point

That will show you which trustpoint anyconnect is using.

Hi Marvin,

I got this line already pre-configured on the 5525-X.

I just need to ensure AnyConnect will work before I do the cutover.

# sh run ssl | i trust-point
ssl trust-point ASDM_TrustPoint1 outside