I am trying to install a certificate on my Cisco ASA 5515. It has my local Windows 2012 CA as a trusted CA. The domain has also had this CA applied to their trusted root.

Whenever I try to connect from the outside via anyConnect VPN I get an untrusted certificate error, specifically "Certificate does not match the server name".

The device hostname is vpn, domain name is example.com. The Certificate is issued to cn=vpn.example.com issued by cn=corp-dc1-CA,dc=corp,dc=example,dc=com.

I do have 2 autonomous domains configured: corp.example.com is an internal domain which is not registered with GoDaddy; example.com is registered with GoDaddy.

I used a CSR from the ASA to generate a cert on my CA and installed the new cert on my ASA, but still no luck.

TRiG
Tony DeJesus

1 Answer

You've probably fixed this now, but the fix I found was to

  1. Confirm that the certificate is installed against the trustpoint, valid — check your date and time on the ASA and the start and expiry on the certificate!
  2. Make sure you entered the command to associate the trustpoint with the external interface which will receive the VPN requests; this is normally the fix.

    ssl trust-point "Trustpoint_name" Interface_Name
TRiG
David
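The answer's two checks (is the certificate valid right now, and is the name the client sees the one it expects) can be verified from a workstation before blaming the ASA configuration. The script below is an added example, not code from the answer or the asker's setup: it takes a PEM certificate file and the host name the AnyConnect client will dial, and reports a name match against the SAN (falling back to the subject CN) plus an expiry check, which is the same judgement the client makes when it reports "Certificate does not match the server name". It assumes the `openssl` command-line tool is installed; the certificate it inspects is constructed inline for the demo, and the file names and host names are placeholders. To check what an interface actually presents, the same `check_cert` function can be fed the output of `openssl s_client -connect HOST:443 -showcerts` saved to a file.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
set -e

# check_cert FILE HOSTNAME
# Prints findings; returns 0 only if the name matches AND the cert is unexpired.
check_cert() {
    cert="$1"; host="$2"; rc=0

    # Name check: prefer subjectAltName DNS entries, fall back to subject CN.
    sans=$(openssl x509 -in "$cert" -noout -text | sed -n '/Subject Alternative Name/{n;p;}')
    cn=$(openssl x509 -in "$cert" -noout -subject | sed 's/.*CN *= *//; s/[,\/].*//')
    case "$sans" in
        *"DNS:$host"*)
            echo "name OK (SAN): $host" ;;
        *)
            if [ "$cn" = "$host" ]; then
                echo "name OK (CN only, no matching SAN): $host"
            else
                echo "NAME MISMATCH: cert CN=$cn SAN=[$sans] expected=$host"; rc=1
            fi ;;
    esac

    # Validity check: -checkend 0 exits non-zero once notAfter has passed.
    # (It does not test notBefore; compare -startdate with the ASA clock by hand.)
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "validity OK: $(openssl x509 -in "$cert" -noout -enddate)"
    else
        echo "EXPIRED: $(openssl x509 -in "$cert" -noout -enddate)"; rc=1
    fi
    return $rc
}

# make_demo_cert FILE DAYS HOSTNAME
# Constructed self-signed certificate used only as demo input; the asker's
# real certificate comes from their Windows CA, not from this function.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=$3" -addext "subjectAltName=DNS:$3" >/dev/null 2>&1
}

# Demo run: a cert issued to vpn.example.com checked against that name.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/vpn.pem" 30 vpn.example.com
check_cert "$demo_dir/vpn.pem" vpn.example.com
# Checking the same cert against a different name reproduces the client's complaint.
check_cert "$demo_dir/vpn.pem" vpn.corp.example.com || echo "(mismatch reported as expected)"
rm -rf "$demo_dir"
```

A mismatch on a certificate that is itself correct usually means the interface is presenting a different certificate than the one you installed, which is exactly the case the `ssl trust-point` binding in the answer fixes.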