Replacing A Digital Certificate With A Trusted Certificate - Cisco 5505 - ASA Firewall Edition Bundle Administrator's Manual

Chapter 2
Common AnyConnect VPN Client Installation and Configuration Procedures
Step 9 Click OK to close the Certificate window.
Step 10 Click Yes to close the Security Alert window.
The security appliance window opens, signifying the certificate is trusted.

In Response to a Netscape, Mozilla, or Firefox "Certified by an Unknown Authority" Window

The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a "Web Site Certified by an Unknown Authority" window. This window opens when you establish a Netscape, Mozilla, or Firefox connection to a security appliance that is not recognized as a trusted site. This window shows the following text:

    Unable to verify the identity of <Hostname_or_IP_address> as a trusted site.

Install the certificate as a trusted root certificate as follows:

Step 1 Click the Examine Certificate button in the "Web Site Certified by an Unknown Authority" window.
The Certificate Viewer window opens.
Step 2 Click the "Accept this certificate permanently" option.
Step 3 Click OK.
The security appliance window opens, signifying the certificate is trusted.

Replacing a Digital Certificate with a Trusted Certificate

A trusted certificate is the most secure option. You can replace the central-site security appliance digital certificate with a trusted certificate by following the procedures in this section. By default, the security appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can purchase a certificate from a CA provider such as Verisign or Entrust with the name matching the Fully-Qualified Domain Name (FQDN) of your central-site security appliance (for example, vpn.yoursys.com), or you can have the security appliance issue a permanent certificate for itself by entering the following commands, replacing x.x.x.x with the outside (public) IP address of your security appliance:

    crypto ca trustpoint self
    enrollment self
    subject-name CN=x.x.x.x,CN=vpn.yoursys.com
    crl configure
    crypto ca enroll self
    ssl trust-point self outside
    write

When users first connect using AnyConnect, they should click "View Certificate", install this new certificate, and then click "Yes" to proceed. The next time they reconnect, they do not see the Security Alert pop-up, even if the security appliance has been rebooted.

Before You Install the AnyConnect Client
Cisco AnyConnect VPN Client Administrator Guide
OL-12950-012
2-7