Certificate based AnyConnect and VPN's to ASA

paul snoep
Level 1

Hi,

The question below seems hard to get answered, who can help? ASA release 9.2/9.3

Thanks

All the abundantly available documentation mentions specific key usages and extended key usages and which fields need to be filled; however, the documentation contradicts itself. We would like to have a clear overview (table?) of which usages need to be filled in the key usage and extended key usage for both the SSL client certificate and the SSL server certificate.

Additionally, what other requirements must be filled to enable a secure certificate based connection? (SHA2 requirements, f.e.)

Accepted Solution

The requirements apply to server certificates, not client certificates.

The valid usage checks ensure that the extended key usage (EKU) and key usage (KU) fields of the certificate contain the correct usages for server certificates, depending on the connection protocol.


For SSL, if EKU is specified then it must contain ServerAuth and if KU is specified then it must contain digitalSignature and either keyEncipherment or keyAgreement.


For IPsec, if EKU is specified then it must contain either ServerAuth or IkeIntermediate and if KU is specified then it must contain digitalSignature and either keyEncipherment or keyAgreement.


Absence of either KU or EKU or both is considered valid.


Best Regards,

Pete Davis

Product Manager, Cisco AnyConnect

ac-mobile-feedback@cisco.com
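The usage check Pete describes, written out as an added example (this is not Cisco's or AnyConnect's code): a small Python checker that applies the SSL and IPsec rules, including the "absent means valid" case, to a certificate's KU bits and EKU OIDs. It assumes the standard OIDs for serverAuth (1.3.6.1.5.5.7.3.1) and IKE Intermediate (1.3.6.1.5.5.8.2.2), and the optional `cryptography` package only for reading a real PEM file.

```python
"""Check a server certificate's KU/EKU against the ASA usage rules above."""
from typing import Optional, Set, Tuple

# EKU OIDs: id-kp-serverAuth (RFC 5280) and IKE Intermediate (IPsec PKI drafts).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"


def valid_usage(protocol: str, ku: Optional[Set[str]],
                eku: Optional[Set[str]]) -> Tuple[bool, str]:
    """Return (ok, reason) for protocol 'ssl' or 'ipsec'.

    ku  : None if the KeyUsage extension is absent, else a set of bit names
          such as {"digital_signature", "key_encipherment", "key_agreement"}.
    eku : None if the ExtendedKeyUsage extension is absent, else a set of OIDs.
    An absent extension is never a failure; only a present one is checked.
    """
    if protocol not in ("ssl", "ipsec"):
        raise ValueError("protocol must be 'ssl' or 'ipsec'")
    if eku is not None:
        # SSL accepts serverAuth only; IPsec also accepts IKE Intermediate.
        allowed = {SERVER_AUTH} if protocol == "ssl" else {SERVER_AUTH, IKE_INTERMEDIATE}
        if not eku & allowed:
            return False, "EKU present but lacks an accepted usage for " + protocol
    if ku is not None:
        if "digital_signature" not in ku:
            return False, "KU present but lacks digitalSignature"
        if not {"key_encipherment", "key_agreement"} & ku:
            return False, "KU present but lacks keyEncipherment or keyAgreement"
    return True, "usage check passed"


def usages_from_pem(pem: bytes) -> Tuple[Optional[Set[str]], Optional[Set[str]]]:
    """Extract (ku, eku) from a PEM certificate using the 'cryptography' package."""
    from cryptography import x509  # optional dependency, imported lazily
    cert = x509.load_pem_x509_certificate(pem)
    try:
        k = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        bits = (("digital_signature", k.digital_signature),
                ("key_encipherment", k.key_encipherment),
                ("key_agreement", k.key_agreement))
        ku = {name for name, present in bits if present}
    except x509.ExtensionNotFound:
        ku = None
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        eku = {oid.dotted_string for oid in ext}
    except x509.ExtensionNotFound:
        eku = None
    return ku, eku
```

To check a real server certificate, pass the output of `usages_from_pem(open("server.pem", "rb").read())` into `valid_usage` together with the protocol the tunnel uses.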


4 Replies

hcaldwel
Cisco Employee

Hi Paul -

Apologies for the delay.  I had to track down some information from our Security team.  Here's what I got back.  Let me know if you have any follow-on questions:

Try this section in the Managing Authentication chapter: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac11authenticate.html#53541


Most of the AnyConnect documentation is about configuring how AnyConnect chooses certificates from the platform for use, not setting up certificates on the platform.

From the ASA side check the ASA VPN Configuration Manuals for the correct ASA release being used: http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

Also, here is an interesting write up which might contain some applicable specifics http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-ac-ikev2-ca-00.html off the Troubleshooting TechNotes page (http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-tech-notes-list.html )

* As a CCP member, make sure you are subscribed to all boards (discussions, documents, blogs, videos, and events) so you always get the latest information from the program.

Hi Heather,

Thanks so far, I will have to read those and assemble the replies for the colleagues who need this information. I will get back to you either with more questions or to mark this as the correct answer.

Cheers

Paul

Hi Heather,

The first link is not related to the question, unfortunately. The question is not how to set up the certificates, it is about certificate requirements: what fields need to be used? The second link shows examples, which we have found also. Due to the massive amount of information, release dependent, we already found that article too, however got lost in the amount of information.

The last link provides some information about EKU, however they seem to handle IPsec, while we will be using SSL VPN.

We just want to know/read/understand if these are all EKU requirements and what other (E)KU requirements exist, by name, by explanation.

It all seemed an easy question?

Thanks
