These days all the devices have Trust Issues!
In order to get rid of the warning every time you connect to the VPN using Cisco AnyConnect with the default self-signed certificate installed in the Cisco ASA firewall, you can install a free certificate from Let’s Encrypt. They only issue 90-day certificates, but renewals are free for as long as you like. On Linux, renewal can easily be automated, but not on a Cisco device. Even though Cisco is listed as a sponsor on Let’s Encrypt’s website, as of this writing, this is a manual certificate renewal process, and will remain so until Cisco devices natively implement the ACME protocol. That being said, here’s the quick and dirty way using free online tools to make the process easy:
Step 1: Go to ZeroSSL.com
That’s a web-based front end for Let’s Encrypt, which otherwise only issues certificates through its ACME protocol, typically driven by the Certbot client on a Linux web server (Apache being the most common case).
Input all the details, be sure to write all the subdomains along with the top level domain (TLD). You can add up to 10 domains/subdomains in the domain section.
Update: Wildcard certificates are now paid.
Note: HTTP verification does not work with wildcard domains (*.domain.com). You must use DNS verification for that.
Verify your domain by entering the TXT value they provide in your domain name provider’s DNS entries (GoDaddy, Google Domains, etc.). I had to wait 15 mins before the DNS changes carried over to get verified.
Tip: Put a trailing dot “.” after the record name; I had issues validating without it (like: _abcd.domainname.com.)
Check if the record shows up using:
- Windows: NSLookup -q=TXT YourDomain.com
- Mac: dig -t txt YourDomain.com | grep TXT
- Online: https://dnschecker.org/#TXT
Once verified, you’ll be able to download the keys, CSR, and certificate. Save them in a safe location on your computer as .txt files.
Here are the files you should have:
- account-key.txt
- domain-crt.txt
- domain-csr.txt
- domain-key.txt
Tip: Use the account-key.txt and domain-csr.txt to generate a renewal certificate. You can avoid re-validating the domain and re-creating the other three files by renewing within 60 days instead of waiting the full 90. After 90 days, you will need to validate your domain again, preferably using DNS entries.
Step 2: Convert your Cert to a .pkcs file
The files you download have a .txt extension; the content is PEM, so they usually work as-is, but if a tool gives an error, rename the extension to .pem.
Cisco ASA accepts a PKCS#12 bundle (.pfx/.p12) that combines the certificate and key in one file.
CLI
Native on a Mac, you can use OpenSSL (certificate.crt and private.key are the domain-crt and domain-key files from Step 1):
openssl pkcs12 -export -in certificate.crt -inkey private.key -out cert.pfx -certfile ca_bundle.crt
Note: Enter the “optional” PFX Password as the ASA will not accept the file without one. I learnt the hard way!
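The same conversion wrapped in a small script, as an added example that is not part of the original post: it refuses the empty password the ASA rejects, checks that the certificate and private key actually belong together (the usual cause of the "sometimes it gives an error" mentioned above), and round-trips the bundle with the password before you upload it. It assumes OpenSSL 1.1.1 or newer is installed and that the inputs are PEM; the file names are placeholders for the files from Step 1.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the openssl step in a
# function that refuses an empty PFX password, checks that the certificate and
# private key belong together, and round-trips the bundle to prove the
# password works before it goes to the ASA.
# Assumes OpenSSL 1.1.1+ and PEM inputs (rename ZeroSSL's .txt files to .pem
# if OpenSSL refuses them). File names are placeholders.
set -u

# cert_matches_key CERT KEY
# 0 if the public key embedded in CERT equals the public key derived from KEY.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# make_pfx CERT KEY CA_BUNDLE OUT PASSWORD
# Exit codes: 0 ok, 2 empty password, 3 cert/key mismatch, 4 export failed,
# 5 the bundle does not open with the password it was written with.
make_pfx() {
  cert=$1; key=$2; ca=$3; out=$4; pass=$5
  if [ -z "$pass" ]; then
    echo "make_pfx: refusing to write $out without a password (the ASA rejects it)" >&2
    return 2
  fi
  if ! cert_matches_key "$cert" "$key"; then
    echo "make_pfx: $cert does not match $key" >&2
    return 3
  fi
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
    -out "$out" -passout "pass:$pass" 2>/dev/null || return 4
  # Round trip: parse the bundle with the same password; -noout prints nothing.
  openssl pkcs12 -in "$out" -noout -passin "pass:$pass" 2>/dev/null || return 5
}

# pfx_summary OUT PASSWORD: print subject and expiry of the leaf certificate
# inside the bundle, so you can eyeball it before importing.
pfx_summary() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

# Usage (placeholder names):
#   make_pfx domain-crt.pem domain-key.pem ca_bundle.pem cert.pfx 'YourPfxPassword' \
#     && pfx_summary cert.pfx 'YourPfxPassword'
```

The cert/key comparison works on the public key (SubjectPublicKeyInfo) rather than an RSA modulus, so it behaves the same for ECDSA keys. Keep the password you pass here; ASDM asks for it again at import time.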
Online Tool
Go to an online SSL converter like this one, and convert the file.
Step 3: Import the Certificate in the ASA
In the ASDM (CLI not discussed here as this is the “easy way”), go to:
Configure > Device Management > Certificate Management > Identity Certificates
and add the newly created .pfx file. Don’t forget the passphrase created earlier (not shown in the screenshot). The certificate will be added to the list (first item in the screenshot).
Check to see if the CA certificate was installed automatically:
Apply the certificate to the outside interface (for AnyConnect):
Note: If the ASDM hangs in the last step (which it did once for me), SSH into the firewall and enter this command to do it manually:
ssl trust-point Cert outside
(where “Cert” is the name you gave to the certificate and “outside” is the name of your WAN interface)
A restart or saving configurations is NOT required.
Step 4: Validate
Check using the online SSL Checker to validate if the certificate is installed.
Next time you sign into AnyConnect, you won’t get that annoying warning message again.
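Two checks you can run from your own machine instead of (or in addition to) the online SSL checker, as an added example that is not part of the original post: one fetches the certificate the ASA actually presents on the outside interface, the other tells you whether the local copy is inside the renewal window the tip in Step 1 recommends (renew within 60 days of issuance, i.e. with about 30 days left). It assumes OpenSSL 1.1.1 or newer; vpn.example.com is a placeholder for your ASA’s FQDN.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks.
# served_cert needs network access to the ASA; renewal_due works on the
# local copy of the certificate. Assumes OpenSSL 1.1.1+; host is a placeholder.

# served_cert HOST [PORT]: print subject, issuer, expiry and SANs of the leaf
# certificate the ASA presents. -servername sends SNI so the trust-point
# bound to the outside interface is the one that answers.
served_cert() {
  host=$1; port=${2:-443}
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate -ext subjectAltName
}

# renewal_due CERT DAYS: 0 if CERT expires within DAYS days (renew now),
# 1 if it is still good for longer than that. -checkend is portable across
# OpenSSL builds, unlike parsing notAfter with date(1).
renewal_due() {
  seconds=$(( $2 * 86400 ))
  if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Usage (placeholders):
#   served_cert vpn.example.com
#   renewal_due domain-crt.pem 30 && echo "renew now, re-validation not yet needed"
```

Compare the expiry printed by served_cert with the one in your local domain-crt file; if they differ, the ASA is still serving the old certificate and the trust-point step did not take.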
ASDM Login Certificate
The ASDM login will still have Trust Issues as the certificate doesn’t have the name of the internal IP address of the ASA that you use to log in. To solve that you will need to log in using the Fully Qualified Domain Name [FQDN] of the firewall (like asa.domain.com). That’s beyond the scope of this tutorial.