Core issue

Digital certificates can be used to authenticate network devices and users on the network. They can be used to negotiate IPsec sessions between network nodes.The Cisco ASA can use pre-shared keys or digital certificates provided by a third-party Certificate Authority (CA) to authenticate IPsec connections.

Resolution

In order to configure the ASA with a certificate from the Microsoft CA server, refer to How to Obtain a Digital Certificate from a Microsoft Windows CA Server for more information on the procedures necessary to automatically obtain a digital certificate from a Microsoft CA for the ASA. It does not include the manual method of enrollment. This document uses the Adaptive Security Device Manager (ASDM) for the configuration steps, as well as presents the final command-line interface (CLI) configuration.

Refer to Enrolling and Managing Certificates in order to enroll the Cisco VPN Client for a certificate.

Note: Configure the correct date, time, and time zone on the Microsoft Windows machine. The use of the Network Time Protocol (NTP) is highly recommended but not necessary.

In order to convert VPN Clients with pre-shared keys to certificates on the Cisco ASA, refer to How to convert VPN Clients with pre-shared keys to certificates on the Cisco Adaptive Security Appliance (ASA) with software version 7.2.2