Purpose of Intermediate 1,2 root and server certificate

mahesh18
Level 6

Hi Everyone,

I was trying to renew the cert on the ASA and I got 4 certs from the vendor:

Intermediate1 and 2

Root cert

Server Cert

The server cert is for the ASA running VPN; what is the purpose of the other certs, and where should I install them?

Regards

Mahesh


6 Replies

Aditya Ganjoo
Cisco Employee

Hi Mahesh,

You need to install both the Intermediate and the root certificate under the CA certificates on the ASDM.

And the server certificate has to be installed under the Identity certificate section.

After doing this you need to replace the old trustpoint with the new one on the ASA's SSL interface.

I have attached the screenshots as well.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

If you can explain the purpose of each cert to me, that will be much appreciated.

Regards

Mahesh

Hi Mahesh,

There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.

If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).

To facilitate this process of verifying a «chain» of trust, every certificate includes the fields «Issued To» and «Issued By». An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.

Root CA certificates, on the other hand, are «Issued To» and «Issued By» themselves, so no further checking is possible or necessary in order to establish trust (or lack thereof).

For example, if a certificate is issued to «example.com» and issued by «Intermediate CA1», and the visiting web browser trusts «Root CA», trust may be established in the following manner:

Certificate 1 - Issued To: example.com; Issued By: Intermediate CA 1
Certificate 2 - Issued To: Intermediate CA 1; Issued By: Intermediate CA 2
Certificate 3 - Issued To: Intermediate CA 2; Issued By: Intermediate CA 3
Certificate 4 - Issued To: Intermediate CA 3; Issued By: Root CA

The visiting web browser trusts «Root CA», and a secure connection can now be established. Since this process is often called «certificate chaining», intermediate CA certificates are sometimes called «chained certificates». For enhanced security purposes, most end user certificates today are issued by intermediate certificate authorities.

Installing an intermediate CA signed certificate on a web server or load balancer usually requires installing a bundle of certificates.

Digital certificates provide digital identification for authentication. A digital certificate includes information that identifies a device or user, such as the name, serial number, company, department, or IP address. CAs are trusted authorities that “sign” certificates to verify their authenticity, thereby guaranteeing the identity of the device or user. CAs issue digital certificates in the context of a PKI, which uses public-key or private-key encryption to ensure security. For authentication using digital certificates, at least one identity certificate and its issuing CA certificate must exist on an ASA. This configuration allows multiple identities, roots, and certificate hierarchies.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/access_certs.pdf

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Source: Wikipedia.
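The «Issued To» / «Issued By» walk that Aditya describes above, written out as an added example (not from this thread or from Cisco). It models only the name-walking step of chain building, since real validation also checks each signature, validity dates and CA constraints; all certificate records, including the four-link chain from the post, are constructed here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issued_to: str  # subject ("Issued To")
    issued_by: str  # issuer  ("Issued By")

def build_chain(leaf, provided, trust_store, max_depth=10):
    """Walk Issued By -> Issued To links from the leaf until a CA in
    trust_store is reached.  'provided' is the intermediate bundle shipped
    with the leaf; both dicts are keyed by issued_to.  Returns
    (trusted, chain, reason).  Only the name walk is modelled here; real
    validation also checks each signature, validity dates and CA flags."""
    chain, seen, current = [leaf], {leaf.issued_to}, leaf
    while len(chain) <= max_depth:
        if current.issued_by in trust_store:        # trusted CA found
            chain.append(trust_store[current.issued_by])
            return True, chain, "anchored at trusted CA"
        if current.issued_to == current.issued_by:  # self-signed, untrusted
            return False, chain, "reached an untrusted self-signed root"
        issuer = provided.get(current.issued_by)
        if issuer is None:                          # gap in the bundle
            return False, chain, f"issuer '{current.issued_by}' not available"
        if issuer.issued_to in seen:                # malformed loop
            return False, chain, "issuer loop detected"
        seen.add(issuer.issued_to)
        chain.append(issuer)
        current = issuer
    return False, chain, "chain exceeds max_depth"

# Constructed sample data: the four-link chain from the post.
ROOT = Cert("Root CA", "Root CA")
INTERMEDIATES = {c.issued_to: c for c in (
    Cert("Intermediate CA 1", "Intermediate CA 2"),
    Cert("Intermediate CA 2", "Intermediate CA 3"),
    Cert("Intermediate CA 3", "Root CA"),
)}
LEAF = Cert("example.com", "Intermediate CA 1")
TRUSTED = {ROOT.issued_to: ROOT}

def demo():
    """Three walks: complete bundle, bundle missing one intermediate
    (the walk stops at the gap), and a client that trusts nothing."""
    full = build_chain(LEAF, INTERMEDIATES, TRUSTED)
    gapped = {k: v for k, v in INTERMEDIATES.items() if k != "Intermediate CA 2"}
    partial = build_chain(LEAF, gapped, TRUSTED)
    untrusted = build_chain(LEAF, {**INTERMEDIATES, "Root CA": ROOT}, {})
    return full, partial, untrusted
```

The second walk is the failure mode behind an incomplete bundle: the connecting device has nothing with an «Issued To» matching the next «Issued By», so the chain cannot reach the trusted root no matter how trustworthy that root is.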

Many thanks Aditya.

Regards

Mahesh

Hi Mahesh,

Glad to assist.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hello! Can you assist me with this, please?

I have a RootCA, Intermediate1, Intermediate2 certificates.

An ASA does not permit installing the CA root and its intermediates into the same trustpoint (the ASA says: ERROR: You must use 'no crypto ca trustpoint <trustpoint-name>' to delete the CA certificate first.). So I have to install each of them into a separate trustpoint. I have installed all of these certificates as follows:

RootCa into CA trustpoint

Intermediate1 into SubCA1 trustpoint

Intermediate2 into SubCA2 trustpoint

Here is the thing: I can use only one trustpoint per interface with the ssl trust-point command. If I apply the SubCA2 trustpoint, holding the immediate intermediate certificate, to the SSL VPN interface, how does the chain of trust get established? The other trustpoints (CA and SubCA1) are not applied to any interface.