Showing results for 
Search instead for 
Did you mean: 

How to convert VPN Clients with pre-shared keys to certificates on the Cisco Adaptive Security Appliance (ASA) with software version 7.2.2


Core issue

Sometimes a user is unable to enroll certificates on the Cisco ASA or VPN Client with a Microsoft Certificate Authority (CA) server that requires a challenge phrase.


In order to convert from the pre-shared key to certificates, complete these steps:

  1. Set up the trust point on the ASA.  Refer to Configuring Certificates for more information.

  2. Ensure that you have an ISAKMP policy that matches this:

    hostname(config)#isakmp policy 1 authentication rsa-sig
    hostname(config)#isakmp policy 1 encryption 3des
    hostname(config)#isakmp policy 1 hash sha
    hostname(config)#isakmp policy 1 group 2

  3. Remove the ipsec-attributes pre-shared-key of the tunnel group and replace it with trust-point trustPointName.  Refer to Enrolling and Managing Certificates for details on how to install the certificate on the VPN Client.

    The security mechanisms with certificates require the remote user to initiate the request. But, you can respond manually to the requests and send back the response.

    Refer to the Enrolling Through a File Request section of Enrolling and Managing Certificates for details on how this can be done from the user perspective.

Refer to the About Revocation Checking section of Configuring Certificates for more information on how to set up and test the CRL.

Refer to Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1 for more information.

Content for Community-Ad