Cisco ASA – Cannot Enable Third Party Certificate (9.4 and later)


KB ID 0001106 Dtd 08/09/15


I installed a third-party certificate (from DigiCert) for a client on their ASA and followed my usual procedure: I enabled it on the outside interface and tested AnyConnect, but it wasn't working.

ASA certificate

The ASA refused to present anything other than its self-signed certificate.


This is because, from version 9.4 onward, the ASA will automatically present its own self-signed certificate for an elliptic curve cipher suite, even if the ASA has a configured (RSA-based) trustpoint on the interface.

To rectify this, restrict the TLS 1.2 cipher list to RSA-based suites with the following commands:

Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

Provided you enabled the certificate correctly on the interface, it should work straight away.
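The reason the custom list above works is that every suite in it authenticates the server with an RSA key, so the ASA has no ECDSA suite to fall back to. The following Python script is an added example (not from the article or from Cisco) that classifies a colon-separated ASA cipher list by the certificate type each suite requires, and optionally connects to an ASA to report which suite it actually negotiates. The host name and the sample suite lists are constructed for illustration.

```python
"""
Added example (not from the original article): classify an ASA 'ssl cipher ... custom'
suite list by the certificate type each suite forces, and optionally check which
suite a live ASA negotiates. Host names and sample suite lists are constructed.
"""
import socket
import ssl

# The suite list recommended in the article: every suite authenticates with RSA,
# so the ASA can only present the RSA trustpoint certificate.
ARTICLE_SUITES = ("AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
                  "DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5")


def cert_type_for_suite(suite: str) -> str:
    """Return the certificate/key type a TLS cipher suite (OpenSSL naming) authenticates with.

    OpenSSL names spell out the authentication algorithm only when it is not RSA:
    'ECDHE-ECDSA-AES256-GCM-SHA384' needs an ECDSA certificate, while
    'ECDHE-RSA-AES256-GCM-SHA384', 'DHE-RSA-AES256-SHA' and 'AES256-SHA' all need RSA.
    Anonymous suites (ADH/AECDH) present no certificate at all.
    """
    parts = suite.upper().split("-")
    if parts[0] in ("ADH", "AECDH"):
        return "none"
    if "ECDSA" in parts:
        return "ECDSA"
    if "DSS" in parts:
        return "DSA"
    return "RSA"


def classify_cipher_list(cipher_list: str) -> dict:
    """Map each suite in a colon-separated list to the certificate type it requires."""
    return {s: cert_type_for_suite(s) for s in cipher_list.split(":") if s}


def ecdsa_suites(cipher_list: str) -> list:
    """Suites that would let the ASA fall back to its self-signed ECDSA certificate."""
    return [s for s, t in classify_cipher_list(cipher_list).items() if t == "ECDSA"]


def negotiated_suite(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to the ASA and return the negotiated cipher suite name (live check)."""
    ctx = ssl.create_default_context()
    # Verification is disabled on purpose: the point of this check is to see what
    # the ASA presents, and a self-signed fallback certificate would otherwise
    # abort the handshake before we learn the suite name.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]


if __name__ == "__main__":
    for suite, kind in classify_cipher_list(ARTICLE_SUITES).items():
        print(f"{suite:28s} -> {kind}")
    # Live check against a hypothetical ASA; replace with your own outside address.
    # suite = negotiated_suite("vpn.example.com")
    # print(suite, "->", cert_type_for_suite(suite))
```

If the live check reports a suite containing ECDSA, the ASA is still serving its self-signed elliptic curve certificate rather than the trustpoint. Note that the property that matters is the absence of ECDSA-authenticated suites, not the exact list: the article's list also carries RC4, DES and 3DES suites that are considered weak today, and an ECDHE-RSA suite still requires the RSA certificate, so on ASA versions that offer such suites they keep the trustpoint certificate in play while providing forward secrecy.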
