
300-730 · Question #157

300-730 Question #157: Real Exam Question with Answer & Explanation

The correct answer is B: Reissue the certificate with asa.lab in the subject alternate name field.

Troubleshooting VPNs

Question

Users are getting untrusted server warnings when they connect to the URL https://asa.lab from their browsers. This URL resolves to 192.168.10.10, which is the IP address for a Cisco ASA configured for a clientless VPN. The VPN was recently set up and issued a certificate from an internal CA server. Users can connect to the VPN by ignoring the message, however, when users access other webservers that use certificates issued by the same internal CA server, they do not experience this issue. Which action resolves this issue?

Options

  • A. Import the CA that signed the certificate into the machine trusted root CA store.
  • B. Reissue the certificate with asa.lab in the subject alternate name field.
  • C. Import the CA that signed the certificate into the user trusted root CA store.
  • D. Reissue the certificate with 192.168.10.10 in the subject common name field.

Explanation

The untrusted certificate warning occurs because the ASA certificate does not contain the hostname 'asa.lab' in the Subject Alternative Name field, even though the signing CA is already trusted by the users.

Common mistakes.

  • A. Importing the CA into the machine trusted root store is unnecessary because the CA is already trusted - users encounter no warnings when accessing other servers that present certificates issued by the same internal CA.
  • C. Importing the CA into the user trusted root store is redundant for the same reason - the CA trust is already established, as confirmed by the absence of warnings on other servers using certificates from that CA.
  • D. Adding the IP address 192.168.10.10 to the common name does not resolve the issue because users connect via the hostname 'asa.lab', and modern browsers require the SAN field to match the requested hostname rather than relying on the common name alone.
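As an added illustration (not from the question source or from Cisco), the following Python models the browser rule the explanation relies on: the name typed into the address bar must be covered by a Subject Alternative Name entry, and the Common Name is never consulted. The certificate contents below are constructed; the question does not say what the current certificate's CN holds, so that value is an assumption.

```python
import ipaddress

# Constructed certificates for the scenario on this page. The CN of the
# currently deployed certificate is assumed; the question does not state it.
CURRENT_CERT = {"cn": "asa.lab", "san_dns": [], "san_ip": []}            # as deployed (no SAN)
OPTION_B_CERT = {"cn": "asa.lab", "san_dns": ["asa.lab"], "san_ip": []}  # reissued per option B
OPTION_D_CERT = {"cn": "192.168.10.10", "san_dns": [], "san_ip": []}     # reissued per option D


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or '*' as the entire left-most label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # wildcard must be the whole left-most label, never span a dot, never sit on a bare TLD
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def check_identity(cert: dict, requested: str) -> str:
    """Browser rule: the requested name must be covered by SAN; the CN is ignored."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:   # IP literal in the URL: only an iPAddress SAN entry counts
        covered = any(ipaddress.ip_address(x) == ip for x in cert["san_ip"])
    else:                # hostname in the URL: only a dNSName SAN entry counts
        covered = any(_dns_match(p, requested) for p in cert["san_dns"])
    if covered:
        return "ok"
    if not cert["san_dns"] and not cert["san_ip"]:
        return f"warning: certificate has no SAN; CN '{cert['cn']}' is ignored by modern browsers"
    return f"warning: SAN {cert['san_dns'] + cert['san_ip']} does not cover '{requested}'"


def browser_accepts(cert: dict, requested: str) -> bool:
    return check_identity(cert, requested) == "ok"


if __name__ == "__main__":
    for label, cert in (("current", CURRENT_CERT), ("option B", OPTION_B_CERT), ("option D", OPTION_D_CERT)):
        print(f"{label:9s} https://asa.lab -> {check_identity(cert, 'asa.lab')}")
```

Only the option B certificate passes for https://asa.lab; the option D certificate would pass only if users browsed to https://192.168.10.10 and it carried that address as an iPAddress SAN entry, which it does not.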

Concept tested. Certificate Subject Alternative Name hostname mismatch resolution

Reference. https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-cert-group.html

Topics

#SSL certificate #SAN #clientless VPN #certificate validation
