topic Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why? in Network Security

Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

dsart — Fri, 29 Mar 2019 14:01:11 GMT

I get this message now when I add a new user for in the local CA server. Is Cisco removing the local CA server completely from the 5506-X?? WHY?

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

balaji.bandi — Fri, 29 Mar 2019 21:33:15 GMT

Yes you are correct as per 9.12 release notes.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/release/notes/asarn912.pdf

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

cristianpop — Mon, 14 Oct 2019 12:04:12 GMT

Hi,

The 9.12 release notes states that "This feature has become obsolete...". Is there another feature replacing it?

I'm running a Local CA server and issue certificates for devices that connect to VPN. This adds a layer of security since a valid certificate besides a password is required to be able to connect to the VPN service. Is there another way of doing this in the future if ASAs will no longer have the Local CA feature?

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

Rob Ingram — Mon, 14 Oct 2019 14:54:16 GMT

Hi,
The other options are getting the certificate signed by a public CA such as Verisign or Comodo. Alternatively you could use a Cisco IOS router as a CA or a Windows Server.

HTH

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

cristianpop — Tue, 15 Oct 2019 06:37:22 GMT

Hi,

Thanks for your response. Can you please point me to some documentation on how to configure the user certificates on the ASA if they are from a public CA? Until now I always issued the user certificates from the ASA's local CA.

As I mentioned before, we use both a valid user certificate and a valid username\password combo to authenticate AnyConnect VPN clients.

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

balaji.bandi — Tue, 15 Oct 2019 07:29:44 GMT

here is the guide for PKI :

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

cristianpop — Tue, 15 Oct 2019 07:40:54 GMT

Hi,

I'm talking about the User Certificates. If the Local CA will be gone, how do I install certs from other CA's in the ASA for the AnyConnect VPN users (AAA/Local Users). I am authenticating them with username\password and a certificate.

Thanks,

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

balaji.bandi — Tue, 15 Oct 2019 11:53:34 GMT

The document provide you to generate Certifiace from Public CA and install on ASA for the users to use.

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

Peter Long — Fri, 08 Nov 2019 14:21:09 GMT

Use the following to deploy Window sCertificat eServicves to do the same job

ASA Local CA Depreciated: Use Windows CA

Pete

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

cristianpop — Thu, 21 Nov 2019 10:12:11 GMT

Hi. Great video! I think there's some misunderstanding in this thread though.

Our ASA has a certificate from a public CA, that's not the problem.

Remote AnyConnect client software (mobile and laptops) connect to our ASA via IPSec tunnel and are required to have a valid username\password combination AND A VALID USER CERTIFICATE. This user certificate (which is installed on the clients both mobile devices and laptops) is issued by the ASA's Local CA by adding a user, see the attached pic. If I start issuing certs to my users from a public CA will the ASA accept the certificate?

Thanks,

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

Peter Long — Thu, 21 Nov 2019 11:41:37 GMT

The cert on your ‘outside’ interface can be publicly signed, if you want to use self CA Signed user certificates from your own CA (usually by domain auto enrolment), then you just need to import the root CA from your Windows CA into the firewall and the firewall will trust those certs 😊

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

Peter Long — Thu, 21 Nov 2019 11:45:34 GMT

At present you have a public signed Cert on the ASA, and privately signed certs for your users, from ASA CA

If you switch to

Publicly signed certificate on the ASA and privately signed certificates from Windows CA

Then nothing changes with your public cert, leave it where it is its fine.

You simply need to

1. Issue user certs to your users (Auto enrolment will do that for you)

2. Import the Root CA cert from your Windows CA onto the ASA and it will trust your user certs.

Pete

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

cristianpop — Thu, 21 Nov 2019 12:19:08 GMT

The answer I've been looking for! Thank you so much, I have been avoiding software updates on the ASA because of this. Now I can go ahead (after making a proper CA) 😄

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

dsart — Thu, 21 Nov 2019 14:18:54 GMT

So the private certs generated from the ASA and generated from the Windows
CA will work simultaneously?

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

Peter Long — Thu, 21 Nov 2019 14:37:39 GMT

YES! If they are both in date, and both the CA Certificates are in date 🙂

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

MarkJones42868 — Tue, 28 Apr 2020 13:24:59 GMT

Hi,

We are also using the local CA server at present. I understand that once it's gone we won't be able to issue new certificates, but does anyone know if it will also render current certificates invalid? My assumption is that it will as there will be no CA to validate the certificates against.

I know it's probably a bit of a stab in the dark but does anyone have any guesses as to when Cisco are likely to remove CA server completely, i.e. how much time do I realistically have to implement an alternative?

Many thanks,

Mark

Re: Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

Peter Long — Tue, 28 Apr 2020 14:03:31 GMT

As long as the client still trusts the CA then the issued certificates will remain valid, (as long as they are in date, and not on a revoke list).

As for when it will be retired - who knows 😞