10-06-2011 04:56 AM
Any thoughts on whether this should have been posted in a different security thread?
I've tried to piece this together with SSL Remote Access VPNs, Understanding PKI and Cisco's ASA 5500 Series Chapter 73, Configuring Digital Certificates, but still need help.
Below is a basic config I use to create the CA and ID certs on ASAs. I use the ASA as the CA server. When I export the SSL trustpoint it doesn't show chaining from the CA. Since there is no chaining, when I load the CA certificate in the Root Store I still get an SSL certificate error. Instead I have to load the SSL trustpoint certificate. Please take a look and let me know where my problem exists.
CREATE CA
crypto ca server
 smtp from-address admin@Cisco.local
 lifetime ca 3650
 lifetime certificate 3650
 lifetime crl 24
 keysize 2048
 keysize server 2048
 no shutdown passphrase 123456789

CREATE SSL ID TRUSTPOINT
crypto ca trustpoint Identity_Certificate
 keypair LOCAL-CA-SERVER
 id-usage ssl-ipsec
 no fqdn
 subject-name CN=192.168.40.1,OU=SSL_ANYCONNECT_VPN   <-- This would be my headend IP
 enrollment self

ENROLL TRUSTPOINT
crypto ca enroll Identity_Certificate
 (answer NO to include the device serial number)

SET VPN TRUSTPOINT ON OUTSIDE INTERFACE
ssl trust-point Identity_Certificate outside
I originally thought it was a problem with enrollment self in the trustpoint, but I cannot figure out the steps to complete enrollment terminal.
I got to the step of crypto ca enroll Identity_Certificate and displayed the certificate request. At that point, sh crypto ca trustpoint Identity_Certificate shows it as pending enrollment. I cannot find the command on the CA that allows trustpoint enrollment. If I try crypto ca export Identity_Certificate identity-certificate, it says trustpoint not enrolled. Of course, if I take the enrollment request and attempt crypto ca import Identity_Certificate certificate, it fails because it's not the cert.
Newt
10-13-2011 02:31 AM
Newt,
This is the correct forum, and what you observe is normal. The Local CA is not designed to generate an identity certificate for the ASA itself. The ASA will need to have its own identity/SSL certificate, which can be either a self-signed one (like you are doing with enrollment self - in this case you need to import the self-signed cert on the clients to avoid certificate warnings) or a certificate issued by a trusted third party (e.g. Verisign, Globalsign, etc.).
hth
Herbert
10-20-2011 06:50 AM
Herbert,
I appreciate the response! So it is not possible to provide chaining from the Local CA to the Identity Certificate.
10-20-2011 06:57 AM
Well, officially, no.
Unofficially (pretend for a moment that you don't see the Cisco logo beneath my name :)) you may get it to work by requesting a certificate on a client (on behalf of the ASA, so using the ASA hostname as the "username" for the certificate), then converting it to base64 format (using OpenSSL for example), then importing it on the ASA.
This would not be something that is supported by Cisco though.
hth
Herbert
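The chaining Newt asked about in the original post, and the OpenSSL-side half of the workaround Herbert describes above, as an added example that is not part of this thread and not Cisco's or the ASA's own tooling. It assumes OpenSSL 1.1.1 or newer is on the PATH; the CA name `LocalCA-Example`, the file names and the export passphrase are constructed for the example. It builds a CA, issues an identity certificate for the ASA's headend IP from the thread (192.168.40.1, with an IP subjectAltName, which clients check in addition to the CN), and then verifies that the identity certificate really chains to the CA before anything is pasted into the ASA:

```shell
#!/bin/sh
# Added example (not from the thread): build a two-level certificate chain
# with OpenSSL so that the identity certificate's issuer is a CA rather than
# itself, then check the chain the way a client with the CA in its root
# store would. Assumptions: openssl 1.1.1+ on PATH; CA name, file names and
# export passphrase are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ASA_IP="192.168.40.1"              # headend IP used in Newt's subject-name
CA_NAME="LocalCA-Example"          # assumed name for the issuing CA
P12_PASS="changeme-example"        # constructed export passphrase

build_chain() {
    # Idempotent: skip if the chain was already built into WORKDIR
    if [ -f "$WORKDIR/asa.p12.b64" ]; then return 0; fi

    # 1. CA key and CSR, self-signed with CA extensions (the role the
    #    ASA's 'crypto ca server' plays).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" \
        -subj "/CN=$CA_NAME" 2>/dev/null
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORKDIR/ca.ext"
    openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" \
        -days 3650 -sha256 -extfile "$WORKDIR/ca.ext" \
        -out "$WORKDIR/ca.crt" 2>/dev/null

    # 2. Identity key and CSR generated on behalf of the ASA, with the same
    #    subject as the thread's trustpoint.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/asa.key" -out "$WORKDIR/asa.csr" \
        -subj "/CN=$ASA_IP/OU=SSL_ANYCONNECT_VPN" 2>/dev/null

    # 3. The CA signs the CSR. The IP SAN matters: browsers and VPN clients
    #    match the address they connected to against the SAN, not only the CN.
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'authorityKeyIdentifier=keyid' \
        "subjectAltName=IP:$ASA_IP" > "$WORKDIR/asa.ext"
    openssl x509 -req -in "$WORKDIR/asa.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -days 3650 -sha256 -extfile "$WORKDIR/asa.ext" \
        -out "$WORKDIR/asa.crt" 2>/dev/null

    # 4. Bundle key + identity cert + CA cert as PKCS#12 and base64-encode it
    #    (the conversion step Herbert mentions).
    openssl pkcs12 -export -inkey "$WORKDIR/asa.key" -in "$WORKDIR/asa.crt" \
        -certfile "$WORKDIR/ca.crt" -name "asa-identity" \
        -passout "pass:$P12_PASS" -out "$WORKDIR/asa.p12"
    openssl base64 -in "$WORKDIR/asa.p12" -out "$WORKDIR/asa.p12.b64"
}

# Succeeds only if asa.crt chains to ca.crt, i.e. a client trusting ca.crt
# would accept it.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/asa.crt" >/dev/null
}

# Succeeds only if issuer and subject differ, i.e. the cert is not
# self-signed (the situation Newt started from).
check_not_self_signed() {
    issuer=$(openssl x509 -in "$WORKDIR/asa.crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$WORKDIR/asa.crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" != "$subject" ]
}

build_chain
verify_chain
echo "asa.crt chains to $CA_NAME"
check_not_self_signed
echo "asa.crt is not self-signed"
echo "base64 PKCS#12 written to $WORKDIR/asa.p12.b64"
```

The base64 PKCS#12 file is the form the ASA's `crypto ca import <trustpoint> pkcs12 <passphrase>` command accepts when pasted at the terminal; after import, the CA certificate (ca.crt), not the identity certificate, is what goes into the clients' root store, which is exactly the distinction that was missing with `enrollment self`. The `openssl verify` step is worth keeping in any such procedure: it catches a certificate that does not actually chain before the clients do.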
12-17-2013 12:56 PM
Herbert,
I really appreciate your reply; I've been crazy, 2 days thinking about the same issue..
but you solved it
thank you
mahdi