Hi,

The Daily Build: Fixing Certificate Errors with Cisco AnyConnect.

I followed all these instructions and I am still getting certificate validation issues causing "the gateway is not trustworthy" in 12.04 (i386). An interesting side note is that I can connect to my lab ASA just fine.

Although your answer is 100% correct, it might also become 100% useless if that link is moved, changed, or the main site just disappears. :-( Therefore, please edit your answer and copy the relevant steps from the link into your answer, thereby guaranteeing your answer for 100% of the lifetime of this site! ;-) You can always leave the link in at the bottom of your answer as a source for.
I am getting a certificate validation error when connecting with AnyConnect.
Below is the information.
I have a root CA and a sub CA (Microsoft internal),
so I added both certificates under Device Management -> CA Certificates (two different trust points).
ROOT-CA

```
sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 29axxxxxxxxxxxxxxxxx
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=RootCa
    dc=testdom
    dc=local
  Subject Name:
    cn=RootCa
    dc=testdom
    dc=local
  Validity Date:
    start date: 15:35:11 UTC Dec 24 2008
    end date:   15:29:35 UTC Jan 15 2019
  Associated Trustpoints: ASDM_TrustPoint3
```
IDENTITY CERTIFICATE

```
Certificate
  Status: Available
  Certificate Serial Number: 1bxxxxxxxxxxxxxxxxx
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA512 with RSA Encryption
  Issuer Name:
    cn=testdom-INTCA
    dc=testdom
    dc=local
  Subject Name:
    cn=testdom-Internet-FW
  CRL Distribution Points:
    [1] ldap:///CN=testdom-INTCA,CN=CERSRV,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdom,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
    [2] http://CERSRV.testdom.local/CertEnroll/testdom-INTCA.crl
  Validity Date:
    start date: 11:33:48 UTC Apr 18 2017
    end date:   15:29:35 UTC Jan 15 2019
  Associated Trustpoints: ASDM_TrustPoint2
```
SUBORDINATE CA

```
CA Certificate
  Status: Available
  Certificate Serial Number: 1bxxxxxxxxxxxxxxxxx
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=RootCa
    dc=testdom
    dc=local
  Subject Name:
    cn=testdom-INTCA
    dc=testdom
    dc=local
  CRL Distribution Points:
    [1] ldap:///CN=RootCa,CN=AD02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdom,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Validity Date:
    start date: 16:04:06 UTC Jan 30 2017
    end date:   15:29:35 UTC Jan 15 2019
  Associated Trustpoints: ASDM_TrustPoint1
```
The identity certificate's EKU is set to Server Authentication (1.3.6.1.5.5.7.3.1),
and the user certificate's EKU is set to Client Authentication.
```
show crypto ca trustpoints
Trustpoint _SmartCallHome_ServerCA:
  Not authenticated.
Trustpoint ASDM_TrustPoint0:
  Not authenticated.
Trustpoint ASDM_TrustPoint1:
  Subject Name:
    cn=testdom-INTCA
    dc=testdom
    dc=local
  Serial Number: 15xxxxxxxxxxxxxxxxxxx
  Certificate configured.
Trustpoint ASDM_TrustPoint2:
  Not authenticated.
```

(Q. Why is it not authenticated?)

```
Trustpoint ASDM_TrustPoint3:
  Subject Name:
    cn=RootCa
    dc=testdom
    dc=local
  Serial Number: 29xxxxxxxxxxxxxxxx
  Certificate configured.
```
```
tunnel-group test webvpn-attributes
 authentication aaa certificate
```
I have a split domain, testdom.local and testdom.com,
so the user principal name is [email protected] (not [email protected]),
and the certificate CN is [email protected].

Thanks
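The output above shows the layout that a "gateway is not trustworthy" error is evaluated against: a root CA and a subordinate CA in separate trustpoints, and an identity certificate carrying the Server Authentication EKU. The script below is an added example, not part of the original post or any Cisco tooling; it assumes only the `openssl` command-line tool. It builds a throwaway three-tier chain with constructed names (lab-root, lab-intca, vpn.lab.example) and then runs the checks a TLS client such as AnyConnect applies before trusting a gateway: chain building with and without the intermediate, the serverAuth EKU, hostname matching against the SAN, and the validity window.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway
# root CA -> subordinate CA -> gateway identity chain and run the
# client-side trust checks against it. All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles. "ca" marks a certificate as allowed to sign others;
# "gateway" carries the serverAuth EKU (1.3.6.1.5.5.7.3.1) and a SAN for
# the name clients will dial.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[gateway]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.lab.example
EOF

# Root CA: self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.pem" -days 365 -subj "/CN=lab-root" \
  -config "$WORK/ext.cnf" -extensions ca 2>/dev/null
# Subordinate CA: CSR signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" \
  -out "$WORK/sub.csr" -subj "/CN=lab-intca" -config "$WORK/ext.cnf" 2>/dev/null
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -set_serial 0x1001 -days 365 -out "$WORK/sub.pem" \
  -extfile "$WORK/ext.cnf" -extensions ca 2>/dev/null
# Gateway identity certificate: CSR signed by the subordinate CA.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/gw.key" \
  -out "$WORK/gw.csr" -subj "/CN=vpn.lab.example" -config "$WORK/ext.cnf" 2>/dev/null
openssl x509 -req -in "$WORK/gw.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
  -set_serial 0x2001 -days 365 -out "$WORK/gw.pem" \
  -extfile "$WORK/ext.cnf" -extensions gateway 2>/dev/null

# Check 1: chain building. A client that trusts only the root cannot validate
# the gateway unless the subordinate CA certificate is also available.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" \
    "$WORK/gw.pem" >/dev/null 2>&1
}
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/gw.pem" >/dev/null 2>&1
}
# Check 2: the identity certificate must carry the serverAuth EKU.
has_server_auth_eku() {
  openssl x509 -in "$WORK/gw.pem" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}
# Check 3: the name the client dials must match the certificate's SAN/CN.
hostname_matches() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" \
    -verify_hostname "$1" "$WORK/gw.pem" >/dev/null 2>&1
}
# Check 4: validity window (-checkend 0 fails once the certificate has expired).
not_expired() {
  openssl x509 -in "$WORK/gw.pem" -noout -checkend 0 >/dev/null 2>&1
}

report() {
  if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi
}
report verify_with_intermediate
report verify_without_intermediate          # expected FAIL: intermediate missing
report has_server_auth_eku
report hostname_matches vpn.lab.example
report hostname_matches other.lab.example   # expected FAIL: name mismatch
report not_expired
```

The two expected failures are the ones worth internalising: a chain that verifies only when the intermediate is supplied means the gateway must send (or the client must hold) the subordinate CA certificate, and a hostname check that passes for one name and fails for another means clients must connect using a name present in the certificate's SAN, not an alias.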