Cisco ASA – Cannot Enable Third Party Certificate (9.4 and later)

KB ID 0001106

Problem

I installed a third-party certificate for a client on their ASA (from Digicert) and followed my usual procedure. I enabled it on the outside interface and tested AnyConnect, but it wasn't working.

ASA certificate

The ASA refused to present anything other than its self-signed certificate.

Solution

This is because, from version 9.4 onward, the ASA prefers elliptic curve (ECDSA) cipher suites, and for those it presents its own self-signed ECDSA certificate rather than the RSA certificate in the trustpoint you configured.

To rectify this, restrict the SSL ciphers to RSA-based suites with the following command:

Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

Providing you enabled the certificate correctly, it should work straight away.
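To confirm from a client which certificate the ASA actually hands out for each key type, before and after the change, here is an added Python check; it is not part of the original article. The hostname is a placeholder, and "aECDSA"/"aRSA" are OpenSSL cipher-string keywords meaning "only ECDSA-authenticated suites" and "only RSA-authenticated suites".

```python
import hashlib
import socket
import ssl

# Cipher list from the article above: every suite authenticates with RSA, which is
# what forces the ASA to present the RSA trustpoint certificate. The last four are
# legacy suites that current AnyConnect/browser clients no longer offer.
ASA_CUSTOM_CIPHERS = ("AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
                      "DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5")
LEGACY_SUITES = {"DES-CBC3-SHA", "DES-CBC-SHA", "RC4-SHA", "RC4-MD5"}

def auth_algorithm(suite: str) -> str:
    """Certificate type an OpenSSL-style TLS 1.2 suite name requires of the server:
    ECDHE-ECDSA-*/ECDH-ECDSA-* need ECDSA; every other name in this scheme
    (AES256-SHA, DHE-RSA-*, ECDHE-RSA-*, RC4-MD5, ...) needs RSA."""
    return "ECDSA" if "ECDSA" in suite.upper() else "RSA"

def split_by_auth(cipher_string: str) -> dict:
    """Group a colon-separated cipher list by the certificate type it requires."""
    groups = {"RSA": [], "ECDSA": [], "LEGACY": []}
    for suite in filter(None, cipher_string.split(":")):
        groups[auth_algorithm(suite)].append(suite)
        if suite in LEGACY_SUITES:
            groups["LEGACY"].append(suite)
    return groups

def probe_certificate(host: str, ciphers: str, port: int = 443):
    """Offer only `ciphers` (an OpenSSL cipher string such as "aECDSA" or "aRSA")
    to host:port. Returns (negotiated suite, SHA-256 of the leaf certificate), or
    None when the handshake fails because the ASA has no matching suite/cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspect the certificate, do not validate it
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not cover TLS 1.3
    ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return tls.cipher()[0], hashlib.sha256(der).hexdigest()
    except ssl.SSLError:
        return None

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder host
    for probe in ("aECDSA", "aRSA"):
        print(probe, probe_certificate(host, probe))
```

Before the fix both probes succeed with different fingerprints (the self-signed ECDSA certificate versus the RSA trustpoint); after it the aECDSA probe returns None and the aRSA fingerprint should match the Digicert certificate you installed.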

Related Articles, References, Credits, or External Links

NA

Author: Migrated
