topic Re: 3rd Party SSL cert on asa in Network Security

3rd Party SSL cert on asa

pcresswell — Fri, 21 Feb 2020 08:37:53 GMT

Hi,

Has anyone put a 3rd party (e.g. Verisign) SSL cert on an ASA for WebVPN? I am having trouble finding documentation describing how i generate the certificate request and specify the info like compnay name, city etc... for the request. Please could someone point me in the correct direction?

Thanks,

Peter

Re: 3rd Party SSL cert on asa

r-simpson — Thu, 12 Jan 2006 16:41:15 GMT

I think the following link will help you in sending a SSL certificate request.

http://www.cisco.com/en/US/products/sw/netmgtsw/ps533/products_user_guide_chapter09186a008019e1ec.html#1006850

Re: 3rd Party SSL cert on asa

r.vdoever — Fri, 05 May 2006 20:37:47 GMT

You problaby already did this, but I'll post it in case anyone else need this info.

RSA-keys are probably already generated (also needed for ssh-access), but if you ever need to reissue the cert, regenerate the rsa keys, otherwise the CSR will be exactly the same and not accepted by the 3rd party CA:

crypto key generate rsa

Then define the trustpoint:

crypto ca trustpoint Verisign

crl optional

enrollment terminal

subject-name CN=host.domain.com,OU=Unit,O=Organisation,C=NL,St=xxx,L=xxx,EA=postmaster@domain.com

Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)):

crypto ca authenticate Verisign

---BEGIN--- or ---END--- lines do not matter>

quit

INFO: Certificate has the following attributes:

Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Generate the CSR:

crypto ca enroll Verisign

% Start certificate enrollment ..

% The subject name in the certificate will be: xxxx

% The fully-qualified domain name in the certificate will be: hostname.domain.com

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:

MIICNjCCAZ8CAQAwgbwxJTAjBgkqhkiG9w0BCQEWFnNlcnZpY2VkZXNrQGR5bm9t

aWMubmwxEjAQBgNVBAcTCUJpbHRob3ZlbjEQMA4GA1UECBMHVXRyZWNodDELMAkG

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

Notice this is generate without ---BEGIN--- and ---END--- lines which you do need to add when submitting the form to the 3rd party CA.

After succesful verification by the CA you'll be returned a certificate which you can import with or without the ---BEGIN--- and ---END---- lines, so you might as well just copy the complete text:

crypto ca import Verisign certificate

% The fully-qualified domain name in the certificate will be: xxx.domain.com

Enter the base 64 encoded certificate.

End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

MIIDcTCCAtqgAwIBAgIQIHOwJ7acK6Fmibyhf67HlDANBgkqhkiG9w0BAQUFADC

MXN/DqZw504SdlIkm3K4Dt7kSa5NILlncBiPhJJPJRjcOk6wRB6vuGG85uz6twR

nq4BqbMitzpgxvK12hgS9ZDy62kC

-----END CERTIFICATE-----

quit

INFO: Certificate successfully imported

Make sure you activitate the trustpoint either as for use on all interfaces or on a specific interface using:

ssl trust-point thawte.com [interface]

Re: 3rd Party SSL cert on asa

litouch — Tue, 18 Jul 2006 05:59:13 GMT

HI,

I can see you said "Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)): ". What does this mean?

For example I want to apply for a certificate from Verisign, so which CA cert should I import? Where can I get that?

I tried to export a Root class3 from IE, and download one from verisign website, they all do not work.

Thank you.

Re: 3rd Party SSL cert on asa

r.vdoever — Tue, 18 Jul 2006 06:38:43 GMT

You should be able to download the certs from Verisign, if you're not sure which one to pick just ask Verisign.

Re: 3rd Party SSL cert on asa

litouch — Fri, 04 Aug 2006 23:54:47 GMT

Thank you, R.Vdoever. it works now on my case.

Re: 3rd Party SSL cert on asa

lus — Mon, 14 Aug 2006 07:19:15 GMT

Hi Ed, I'm installing now also WebVPN with a certificate from Thawte. Can you please send me a config example how you did that?

Thanks and regars

Lukas

Re: 3rd Party SSL cert on asa

litouch — Mon, 14 Aug 2006 09:47:43 GMT

Hi, Lukas,

I think the point is the CA certificate. You'd better to ask Thawte about which one is used for your certificate Thawte gave you.

Other steps are easy:

generate key pair -> add a trustpoint -> configure your trustpoint including editing your informatioin -> enroll your trustpoint -> then email your certificate request to Thawte to get your certificate -> get your certificate and then import it into ASA -> [authenticate your trustpoint using CA certificate as I told you above], actually this step can be done before the enrollment, I think -> Finanlly you will see your trustpoint has two "subject", also your ASA will have two certificate in "certificate mgmt", one is for your ASA, the other is for your CA(Thawte).

Oh, do not forget to configure ASA outside interface to use this trustpoint under "ssl".

Wish this can help you.

Re: 3rd Party SSL cert on asa

r.vdoever — Fri, 18 Aug 2006 10:41:35 GMT

Please look back in this thread, I described the procedure in an earlier message

Re: 3rd Party SSL cert on asa

r.vdoever — Fri, 18 Aug 2006 10:50:39 GMT

Please look at my earlier message in this thread.