03-29-2019 07:01 AM
I get this message now when I add a new user in the local CA server. Is Cisco removing the local CA server completely from the 5506-X?? WHY?
03-29-2019 01:47 PM - edited 03-29-2019 02:33 PM
Yes, you are correct, as per the 9.12 release notes.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/release/notes/asarn912.pdf
10-14-2019 05:04 AM
Hi,
The 9.12 release notes state that "This feature has become obsolete...". Is there another feature replacing it?
I'm running a Local CA server and issue certificates for devices that connect to VPN. This adds a layer of security since a valid certificate besides a password is required to be able to connect to the VPN service. Is there another way of doing this in the future if ASAs will no longer have the Local CA feature?
10-14-2019 07:54 AM
10-14-2019 11:37 PM
Hi,
Thanks for your response. Can you please point me to some documentation on how to configure the user certificates on the ASA if they are from a public CA? Until now I always issued the user certificates from the ASA's local CA.
As I mentioned before, we use both a valid user certificate and a valid username\password combo to authenticate AnyConnect VPN clients.
10-15-2019 12:29 AM
Here is the guide for PKI:
10-15-2019 12:40 AM
10-15-2019 04:53 AM
The document shows you how to generate a certificate from a public CA and install it on the ASA for the users to use.
04-28-2020 06:24 AM
Hi,
We are also using the local CA server at present. I understand that once it's gone we won't be able to issue new certificates, but does anyone know if it will also render current certificates invalid? My assumption is that it will as there will be no CA to validate the certificates against.
I know it's probably a bit of a stab in the dark but does anyone have any guesses as to when Cisco are likely to remove CA server completely, i.e. how much time do I realistically have to implement an alternative?
Many thanks,
Mark
04-28-2020 07:03 AM
As long as the client still trusts the CA, then the issued certificates will remain valid (as long as they are in date and not on a revocation list).
As for when it will be retired - who knows :(
11-08-2019 06:21 AM
Pete
11-21-2019 02:12 AM
Hi. Great video! I think there's some misunderstanding in this thread though.
Our ASA has a certificate from a public CA, that's not the problem.
Remote AnyConnect client software (mobile and laptops) connects to our ASA via an IPsec tunnel and is required to have a valid username\password combination AND A VALID USER CERTIFICATE. This user certificate (which is installed on the clients, both mobile devices and laptops) is issued by the ASA's Local CA by adding a user, see the attached pic. If I start issuing certs to my users from a public CA, will the ASA accept the certificate?
Thanks,
11-21-2019 03:41 AM
11-21-2019 03:45 AM
At present you have a publicly signed cert on the ASA, and privately signed certs for your users from the ASA CA.
If you switch to
Publicly signed certificate on the ASA and privately signed certificates from Windows CA
Then nothing changes with your public cert; leave it where it is, it's fine.
You simply need to
1. Issue user certs to your users (Auto enrolment will do that for you)
2. Import the Root CA cert from your Windows CA onto the ASA and it will trust your user certs.
Pete
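The two steps above, and the earlier point that issued certificates stay valid only while the CA is trusted, in date and not revoked, translate into the ASA CLI below. This is an added example, not configuration from the thread, from Cisco's documentation or from the PKI guide linked above. The trustpoint name WIN-ROOT-CA, the tunnel-group name ANYCONNECT-USERS, the AAA server group LOCAL and the identity trustpoint placeholder are assumptions; the Windows CA certificate is a placeholder to be replaced with the real PEM export. The SSL (webvpn-attributes) case is shown first; the IKEv2 lines at the end cover the IPsec AnyConnect setup described in the thread.

```text
! Added example (not from the thread or from Cisco): trust a Windows CA root on
! the ASA and require certificate + username/password for AnyConnect users.
! Trustpoint, tunnel-group, server-group and identity-trustpoint names are
! assumptions; the pasted CA certificate is a placeholder.

! 1. Trustpoint that holds the Windows CA root. Enrollment is "terminal"
!    because only the CA certificate is pasted in; the ASA does not enroll
!    with this CA, it keeps its existing publicly signed identity cert.
crypto ca trustpoint WIN-ROOT-CA
 enrollment terminal
 revocation-check crl none
 crl configure
  policy cdp
!  "crl none" falls back to accepting the cert if the CRL cannot be fetched.
!  Change it to "revocation-check crl" once the CDP URL in your user certs
!  is reachable from the ASA, so a revoked user cert is actually rejected.

! 2. Paste the Base64 (PEM) export of the Windows root CA certificate, type
!    "quit" on its own line, then compare the fingerprint the ASA prints with
!    the one shown in the Windows CA console before answering "yes".
crypto ca authenticate WIN-ROOT-CA
<paste the Windows root CA certificate in PEM form here>
quit

! 3. SSL AnyConnect: require BOTH a certificate chaining to WIN-ROOT-CA and
!    AAA credentials. The username is taken from the certificate CN and
!    pre-filled so the user only types the password.
tunnel-group ANYCONNECT-USERS general-attributes
 authentication-server-group LOCAL
tunnel-group ANYCONNECT-USERS webvpn-attributes
 authentication aaa certificate
 username-from-certificate CN
 pre-fill-username ssl-client

! 4. IPsec (IKEv2) AnyConnect: the same certificate + credential requirement.
!    <IDENTITY-TRUSTPOINT> is the trustpoint holding the ASA's existing
!    public identity certificate (assumed name, left as-is here).
tunnel-group ANYCONNECT-USERS ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate <IDENTITY-TRUSTPOINT>
```

After applying this, `show crypto ca certificates WIN-ROOT-CA` should list the imported root, and a user cert issued by the old ASA Local CA will be rejected on this tunnel group because it no longer chains to a trusted CA, which is the cut-over behaviour to expect when the Local CA trustpoint is eventually removed.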
11-21-2019 04:19 AM
The answer I've been looking for! Thank you so much, I have been avoiding software updates on the ASA because of this. Now I can go ahead (after making a proper CA) :D