topic Re: ASA certificates in Network Security

ASA certificates

carl_townshend — Thu, 07 Jan 2021 13:49:33 GMT

Hi All

When adding certificates to the ASA for anyconnect access, how come we need to add the cert of the Root CA on there?

what is that used for here?

I normally add the identity cert as well as the Root.

Cheers

Re: ASA certificates

balaji.bandi — Thu, 07 Jan 2021 15:37:04 GMT

You need CA certificate for FQDN

here is the steps :

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

Re: ASA certificates

Marvin Rhoads — Thu, 07 Jan 2021 18:44:33 GMT

We add the issuing root CA certificate (and - recommended - intermediate CA certificates) so that the ASA itself and any clients can verify a complete chain of trust for the ASA's certificate. Some auditors and third party checkers (like Qualys) will tell you your ASA is less secure if you don't present the entire chain to a connecting client.

Re: ASA certificates

MHM Cisco World — Thu, 07 Jan 2021 20:19:26 GMT

Client-ASA
SSL use cert to make client auth the ASA and ASA auth the client.
so ASA have it is identity cert.
Now if client send cert to ASA how the ASA know that this cert is valid or not?
hmm
it need CA cert, but why?
simply the CA cert contain public CA key, when ASA receive the client cert there is digital signature in end of cert which is type of hash process, and this hash process use private key of CA.
note:- any hash use private key we can use public key to valid it, reverse process.
NOW the ASA has CA public and it receive the client cert,
it use public key of CA to check digital signature "hash" it valid or not.
that why we need CA cert.

Re: ASA certificates

MHM Cisco World — Thu, 07 Jan 2021 20:24:30 GMT

Re: ASA certificates

carl_townshend — Thu, 07 Jan 2021 20:43:15 GMT

so what certificate would the client present ?

also does the ASA need to talk to the CA?

Can you break it down in a process, I.e when the client connects what exactly happens ?

Re: ASA certificates

MHM Cisco World — Thu, 07 Jan 2021 22:12:23 GMT

client

CA cert

user cert

ASA

CA cert

identity cert

ASA-CA server no need in this case because as I thing you use copy paste

what exactly happened see below photo, any connect use SSL and this is general for all SSL.

Re: ASA certificates

Marvin Rhoads — Fri, 08 Jan 2021 05:14:13 GMT

I think I misunderstood the original question.

When the CLIENT is authenticating using a certificate, the ASA needs to know that it can trust that certificate. The way it does so is by examining the certificate presented by the client to ascertain the issuing root CA. Only if it trusts the issuing root CA does it accept the client's certificate as trusted for authentication purposes. An ASA by default doesn't trust any third party root CAs, thus we need to add them onto the ASA.

Clients themselves don't usually have this problem when connecting to the ASA (assuming you've used a well-known public CA for your ASA identity certificate) since they rely on the operating system Trusted Root CA store which is updated by the OS vendor (Microsoft, Apple etc.) to include the most public CAs.

Re: ASA certificates

carl_townshend — Fri, 08 Jan 2021 16:38:07 GMT

Hi there

In my case, we do not use certificate based authentication for our VPN, we just put a certificate on our ASA so when we connnect to it the clients trust it.

In this case how does it work? do we still need the CA and Identity cert on our ASA?

Cheers

Re: ASA certificates

Marvin Rhoads — Fri, 08 Jan 2021 18:13:25 GMT

You don't strictly require the root (or issuing in case an intermediate CA issued the certificate) CA certificate but it's a best practice.

The certificate on your ASA used for the VPN clients IS an identity cert.