Cisco: Security - FMC 6.5 Enabling Client Authentication with Certificate

  • Published on 11 Oct 2024

Comments • 9

  • @michaellohman2820
    @michaellohman2820 10 months ago

    I know this is 3 years old, but as far as needing the same CA for FTD identity and client identity, that is no longer the case. It's not very clear on how to do it, but it does work.

  • @Bormanb23
    @Bormanb23 3 years ago

    Thanks for these videos Nathan, long overdue easy to follow videos for FMC/FTD, really appreciate it! I was looking to learn how to generate and install SSL certificates for RA VPN with a real public SSL provider and not an internal CA; the process seems to be a little different. Do you know an easy way or steps? Maybe a new video? Thanks so much!

    • @NathanStapp
      @NathanStapp 3 years ago

      Bismark, I'll take a look at what this would take to do. I'll respond when I can commit to doing that for you!

    • @mofistagomofarde3248
      @mofistagomofarde3248 1 year ago

      @NathanStapp Were you ever able to find info on this?

  • @lakeview8838
    @lakeview8838 3 years ago

    Nathan, I am using Yubikey SmartCard PIV access with imported certs from my internal CA. I enroll user certificates to the Yubikey. Internally all works fine with Yubikey smart card login to domain. However, I'm trying to establish external authentication with AnyConnect using the card with no luck. I was able to get the HTTPS cert using your first video and I also added a PKI object trusted root of my internal CA (not sure if this is necessary). Anyway, I always get invalid certificate when I try to use AnyConnect. I don't know if this is even possible at this point to authenticate using the certificate on the Yubikey to establish the VPN.

    • @NathanStapp
      @NathanStapp 3 years ago

      This is absolutely possible and is likely due to either an incorrect certificate (misformatted or missing private keys, and therefore invalid) or because AnyConnect is parsing the incorrect information for your chosen authentication mechanism. Using certificates is one thing, but which field are you trying to auth against? You can use CN, FQDN, OU and many other certificate-provided attributes...

  • @trailerscinema8171
    @trailerscinema8171 3 years ago

    I tried everything in the same way, but still getting the error: ERR_BAD_SSL_CLIENT_AUTH_CERT

    • @NathanStapp
      @NathanStapp 3 years ago

      Hit me up via email, we can check this out when you get time.

    • @James-ze2tn
      @James-ze2tn 2 years ago

      I ran into this as well. I ended up fixing this by regenerating the server certificate by following the walkthrough on this channel. He has another video for that. When I uploaded my original server certificate for the FMC, I didn't include the full chain (root CA and sub CA). This was evident by reviewing /var/log/http/httpsd_error_log on the FMC and seeing "unable to get local issuer certificate". Everything worked afterwards.
      I appreciate the walkthrough Nathan! I don't think I could have got this working without your help.
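
The missing-chain failure reported in the last comment can be reproduced offline with a throwaway PKI. This is an added example, not part of the comment thread or the video; the CA names, the `fmc.lab.example` subject and all file names are constructed, and it uses only the `openssl` CLI rather than an FMC.

```bash
#!/bin/sh
# Constructed lab PKI (root CA -> sub CA -> server leaf); every name is hypothetical.
set -eu

build_lab_pki() {   # $1 = empty working directory
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  # Root CA: key + CSR, then self-sign with CA extensions
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Sub CA issued by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Sub CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
  # Server certificate issued by the sub CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fmc.lab.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

verify_leaf() {     # $1 = directory, $2 = leaf-only | full-chain
  if [ "$2" = "full-chain" ]; then
    # Intermediate supplied alongside the leaf, as a complete upload would
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/leaf.pem" 2>&1
  else
    # Only the leaf is presented; the verifier cannot find its issuer
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
  fi
}

LAB_DIR="$(mktemp -d)"
build_lab_pki "$LAB_DIR"
echo "leaf only : $(verify_leaf "$LAB_DIR" leaf-only || true)"
echo "full chain: $(verify_leaf "$LAB_DIR" full-chain)"
```

Running the same `openssl verify` check against a certificate bundle before uploading it shows whether the sub CA is missing without waiting for the error to appear in a server log.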