SSL ID Certificates not chaining to CA

newtwork1
Level 1

Any thoughts on whether this should have been posted in a different security thread?

I've tried to piece this together with SSL Remote Access VPNs, Understanding PKI and Cisco's ASA 5500 Series Chapter 73 Configuring Digital Certificates, but still need help.

Below is a basic config I use to create the CA and ID certs on ASAs. I use the ASA as the CA server. When I export the SSL trust point it doesn't show chaining from the CA. Since there is no chaining, when I load the CA certificate in the Root Store I still get an SSL Certificate error. Instead I have to load the SSL Trustpoint Certificate. Please take a look and let me know where my problem exists.

CREATE CA

crypto ca server
  smtp from-address admin@Cisco.local
  lifetime ca 3650
  lifetime certificate 3650
  lifetime crl 24
  keysize 2048
  keysize server 2048
  no shutdown passphrase 123456789

CREATE SSL ID TRUSTPOINT

crypto ca trustpoint Identity_Certificate
  keypair LOCAL-CA-SERVER
  id-usage ssl-ipsec
  no fqdn
  subject-name CN=192.168.40.1,OU=SSL_ANYCONNECT_VPN  <--This would be my headend IP
  enrollment self

ENROLL TRUSTPOINT

crypto ca enroll Identity_Certificate
    answer NO to include the device serial number

SET VPN TRUSTPOINT ON OUTSIDE INTERFACE

ssl trust-point Identity_Certificate outside

I originally thought it was a problem with enrollment self in the trustpoint, but I cannot figure out the steps to complete enrollment terminal. 

I got to the step of crypto ca enroll Identity_Certificate and displayed the certificate request. At that point sh crypto ca trustpoint Identity_Certificate shows it as pending enrollment. I cannot find the command on the CA that allows trustpoint enrollment. If I try crypto ca export Identity_Certificate identity-certificate it says the trustpoint is not enrolled. Of course if I take the enrollment request and attempt crypto ca import Identity_Certificate certificate it fails because it's not the cert.

Newt

Accepted Solution

Herbert Baerten
Cisco Employee

Newt,

This is the correct forum, and what you observe is normal. The Local CA is not designed to generate an identity certificate for the ASA itself. The ASA will need to have its own identity/SSL certificate, which can be either a self-signed one (like you are doing with enrollment self - in this case you need to import the self-signed cert on the clients to avoid certificate warnings) or a certificate issued by a trusted third party (e.g. Verisign, Globalsign, etc.).

hth

Herbert


4 Replies


Herbert,

I appreciate the response! So it is not possible to provide chaining from the Local CA to the Identity Certificate.

Well, officially, no.

Unofficially (pretend for a moment that you don't see the Cisco logo beneath my name :)) you may get it to work by requesting a certificate on a client (on behalf of the ASA, so using the ASA hostname as the "username" for the certificate), then converting it to base64 format (using OpenSSL for example), then importing it on the ASA.

This would not be something that is supported by Cisco though.

hth

Herbert
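An added example, not from this thread and not Cisco's own tooling, that reproduces both situations with OpenSSL: a self-signed identity certificate like the one enrollment self produces, and one issued by a lab CA from a CSR as in the unofficial route above, then checks which of the two actually chains to the CA. The CA name lab-ca, the file names and the DER-to-PEM helper are assumptions for the demo; the subject is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread): build a lab CA, a self-signed identity cert
# and a CA-issued identity cert, then test which one chains to the CA.
set -eu
WORK=$(mktemp -d)
ASA_SUBJ="/CN=192.168.40.1/OU=SSL_ANYCONNECT_VPN"   # subject from the post

# Lab CA standing in for the ASA's Local CA server (constructed name "lab-ca").
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# What "enrollment self" produces: the ASA signs its own identity certificate,
# so issuer equals subject and nothing in it points back at the Local CA.
make_self_signed_id() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$ASA_SUBJ" \
    -keyout "$WORK/self.key" -out "$WORK/asa-id-self.pem" 2>/dev/null
}

# The unofficial route: a CSR carrying the ASA's name, signed by the CA key.
make_ca_issued_id() {
  openssl req -newkey rsa:2048 -nodes -subj "$ASA_SUBJ" \
    -keyout "$WORK/issued.key" -out "$WORK/asa-id.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/asa-id.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -out "$WORK/asa-id-issued.pem" 2>/dev/null
}

# Prints "self-signed" when issuer == subject, otherwise "issued": the quick check
# for why an exported trustpoint certificate shows no chain.
self_signed_or_issued() {
  subj=$(openssl x509 -noout -subject -in "$1")
  iss=$(openssl x509 -noout -issuer -in "$1")
  [ "${subj#subject=}" = "${iss#issuer=}" ] && echo self-signed || echo issued
}

# Prints "chains" if the certificate verifies against the CA (what a client with only
# the CA in its Root Store needs), otherwise "no-chain".
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 && echo chains || echo no-chain
}

# DER (binary) to PEM, the base64 conversion step mentioned before importing on the ASA.
to_pem() {
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

make_lab_ca; make_self_signed_id; make_ca_issued_id
```

Run it and call chains_to_ca on each file: the self-signed certificate is the one the clients must trust directly, while the CA-issued one validates with only ca.pem in the Root Store.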

Herbert,

I really appreciate your reply; I've been crazy, 2 days thinking about the same issue..

but you solved it

thank you

mahdi