Cisco ASA Firewall Presents Only “ASA Temporary Self Signed Certificate”

Recently we started to get reports of untrusted certificates for AnyConnect and when accessing the ASDM web page. When browsing to the site, the ASA was presenting the default “ASA Temporary Self Signed Certificate” rather than our public SSL certificate.

After opening a case with Cisco TAC about this, they pointed us to this item in the ASA 9.4(x) release notes:

Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

As soon as I added the command to our ASA it started working again. It sounds like this should be a default entry going forward for all ASA firewalls.
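The release note boils down to one question: does the configured cipher string still contain any ECDSA-authenticated suites? If it does, an EC-capable client will negotiate one of them and the ASA will reach for its EC (temporary self-signed) certificate instead of the RSA trustpoint. The script below is an added example, not part of the original post and not Cisco code. It classifies the suites in an ASA "ssl cipher ... custom" string by the server-authentication method their OpenSSL-style names imply, and includes a probe that handshakes with a live endpoint twice, once as an RSA-only client ("aRSA") and once as an ECDSA-only client ("aECDSA"), and compares the fingerprint of the certificate each handshake receives. The MIXED_EXAMPLE list is constructed for illustration and is not the ASA's real default; the host name in the commented-out call is a placeholder.

```python
"""Classify an ASA 'ssl cipher ... custom' string by server-authentication
method and, optionally, probe a live endpoint to see whether ECDSA-capable
clients are handed a different certificate than RSA-only clients."""
import hashlib
import socket
import ssl
from typing import Dict, List, Optional

# The RSA-only string from the post.
RSA_ONLY = ("AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
            "DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5")
# Constructed example of a list that still contains an ECDSA-authenticated
# suite (assumption for illustration, not the ASA's real default list).
MIXED_EXAMPLE = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                 "AES256-SHA:DHE-RSA-AES128-SHA")


def auth_method(suite: str) -> str:
    """Server-authentication method implied by an OpenSSL-style suite name."""
    if suite.startswith(("ADH-", "AECDH-")):
        return "anonymous"   # no certificate at all
    if "-ECDSA-" in suite:
        return "ECDSA"       # needs an EC certificate -> ASA presents its self-signed one
    if "-DSS-" in suite:
        return "DSS"
    if suite.startswith("PSK-") or "-PSK-" in suite:
        return "PSK"
    # 'AES256-SHA', 'DES-CBC3-SHA', 'RC4-MD5' (static RSA key exchange) and the
    # DHE-RSA / ECDHE-RSA families all authenticate with an RSA certificate.
    return "RSA"


def classify(cipher_string: str) -> Dict[str, List[str]]:
    """Group the suites of a colon-separated cipher string by auth method.
    Surrounding quotes, as typed on the ASA CLI, are tolerated."""
    groups: Dict[str, List[str]] = {}
    for suite in cipher_string.strip().strip('"').split(":"):
        if suite:
            groups.setdefault(auth_method(suite), []).append(suite)
    return groups


def ecdsa_suites(cipher_string: str) -> List[str]:
    """Suites that would let an EC-capable client pull the ASA's EC certificate."""
    return classify(cipher_string).get("ECDSA", [])


def probe_certificate(host: str, port: int = 443, ciphers: Optional[str] = None,
                      timeout: float = 5.0) -> Dict[str, str]:
    """Handshake using the given OpenSSL cipher selector and report the
    negotiated suite plus the SHA-256 fingerprint of the presented leaf cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # inspect, do not validate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 ignores set_ciphers()
    if ciphers:
        ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {
                "cipher": tls.cipher()[0],
                "fingerprint": hashlib.sha256(der).hexdigest(),
            }


def compare_presented_certs(host: str, port: int = 443) -> Dict[str, Dict[str, str]]:
    """Probe as an RSA-only client and as an ECDSA-only client. Two different
    fingerprints reproduce the release-note behaviour; a handshake failure
    for the 'aECDSA' client means only RSA-authenticated suites are enabled."""
    results: Dict[str, Dict[str, str]] = {}
    for label, selector in (("rsa_client", "aRSA"), ("ecdsa_client", "aECDSA")):
        try:
            results[label] = probe_certificate(host, port, selector)
        except ssl.SSLError as exc:
            results[label] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    print("ECDSA suites in RSA_ONLY:", ecdsa_suites(RSA_ONLY))
    print("ECDSA suites in MIXED_EXAMPLE:", ecdsa_suites(MIXED_EXAMPLE))
    # print(compare_presented_certs("asa.example.invalid"))  # placeholder host
```

Run the offline classifier against the exact string you intend to paste into the ssl cipher command before applying it; an empty ECDSA list is what you want. After the change, compare_presented_certs against the VPN or ASDM interface should return the public certificate's fingerprint for the RSA client and a handshake error for the ECDSA client. The probe pins TLS 1.2 because TLS 1.3 suites are selected separately from set_ciphers() and would bypass the comparison on newer servers.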

Want to learn more about elliptic curve cryptography, or look at a primer on it?

8 thoughts on “Cisco ASA Firewall Presents Only “ASA Temporary Self Signed Certificate””

  1. Thanks very much for sharing this issue, specifically the resolution. I had this exact problem today and was confused as to why the public cert was no longer being displayed. Your resolution provided a very quick solution. Thanks again.

  2. Many thanks, didn’t check the release note and found that there is a problem with VPN connection. This post is really useful.

  3. Same here. Been scratching my head for days having reconfigured an ASA, why it wouldn’t use the certificate I gave it. Lifesaver man.

  4. Thanks man you are a lifesaver. That is pretty stupid on Cisco’s part. I’m just glad they got it fixed. This ASA I was working on had this older IOS version on it.
