Thanks for the reply Marvin.

Does that mean that my ASA will have two CA's listed?

You're welcome.

Only one certificate (issued by one CA) is used as the ASA's identity certificate. 

Hi Marvin and stuart.mackillop

Was yours trouble solved?

I have problem when I deploy Asa AnyConnect for my users.Can you help me solve it?

i have internal CA Server. Asa uses the CA certificate.

With windows machine users, after trust the CA, i can easily create certificate request file , import and issue it at CA server, and export that certificate to file and import it at the user machine. User can use anyconnect with Cert.

But with mobile device users (IOS and Android), i don't know how to create certificate for them.

Pls help me slove this or Do you have any recommendations for this?

Thanks

Many organizations prefer to administer user accounts from a central directory service.

One good reason for doing so is that there are then fewer touch points for adding and removing users - and presumably better chances that their account is removed when they are no longer with the company. They may have procedures and controls for doing so in place that allow them to better secure their infrastructure and meet regulatory or legal requirements.

If we use the ASA CA, it puts that burden on the ASA administrator. Depending on their background and the environment, they may have little or no certificate experience.

How does that work then, If the ASA issues the certificate, is it based on the Public CA that is used for the trustpoint? If the MCS issues, what is it based on, and how is the certificate then issued to the end user?

I have setup a certificate server on MS via third party, and it was a PITA to get working, and when something changed, it was another PITA to get resolved.

If we use the ASA CA, it issues certificates based on its own root. That's distinct from any public CA root that may have issued an identity certificate to the ASA.

If clients' certificates are issued from an internal server (e.g. Certificate Services running on Microsoft Windows server  or some other internally-managed PKI product) they can get those certificates via the ASA (proxying web enrollment via SCEP) or have them issued deployed using an enterprise software deployment scheme. In that case, the that PKI service's root certificate must be trusted by the client - again either via manual install or via pushing the settings out remotely.

In either case, the Windows server can revoke user certificates or delete users, as necessary.

Is there a doc with this setup for Anyconnect mobile using OnDemand for Jabber? Reason I'm asking is a customer wants to use AD for sending the certificates.

is this what you're looking for?

http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/guide_c07-717020.pdf

What I am looking for is the configuration guide on setting up the Microsoft portion. I have the ASA fully working and sending certs, but the end user who maintains the users, cannot get ASDM to load due to Java issues, and would rather do it all through AD instead.

I just dont know what key words to use to look for the correct docs.

I'd suggest raising a new topic then asking the question. However, you're probably looking for a microsoft document rather than a Cisco one. Then you're looking for a method to distribute your certificates to the client devices.

Spot on Marvin. explains exactly why I needed it.

I've now got my public SSL cert in place with no more annoying warnings. My internal certificates from my PKI infrastructure are working for authentication.

All seems pretty good except now I'm getting a FIPS error when the iPads connect. You fix one issue and then another appears. Thanks a lot for your help.