Two Certificate Authorities, One Identity Certificate

janiax
Level 1

Hello,

I need to correctly establish the "SSL trust" for two different domains on a single ASA.
My goal is to use SSL AnyConnect VPN with certificate authentication without security warnings.

Two different certificate authorities are used:

  1. CA-CompanyDivision-A, domain company.division.a.com
  2. CA-CompanyDivision-B, domain company.division.b.com

Employees from Division-A have only installed the root certificate from CA-CompanyDivision-A.
Employees from Division-B have only installed the root certificate from CA-CompanyDivision-B.

The ASA's identity certificate is signed by CA-CompanyDivision-A.

Since the employees from Division-B have only installed the root certificate of CA-CompanyDivision-B, they will receive a security warning, as they don't have the root certificate of CA-CompanyDivision-A installed and therefore don't trust it.

Is there any way to configure this scenario so that the employees from Division-B would trust the ASA's identity certificate without the need to install the root certificate of CA-CompanyDivision-A on their computers?

Many thanks.

4 Replies

Marvin Rhoads
Hall of Fame

I don't think you can do what you're asking. The Division B employees would have to trust the issuing CA somehow or another. An ASA can only have a single active identity certificate.

Most commonly we would use a public CA that's trusted by the client OS (and/or is in Firefox's browser store, since it doesn't use the OS's certificate store).

If that's not possible then you could push the Division A certificate as a trusted root CA to the Division B computers using an Active Directory (AD) Group Policy Object (GPO). Of course that's assuming an AD environment and Windows PCs.

Hello Marvin,

Thank you for your answer.

The problem is that the identity certificate is issued by the internal certificate authority, CA-CompanyDivision-A, therefore employees from Division-B have to somehow trust the CA-CompanyDivision-A root certificate. And as this identity certificate is not issued by a well-known PKI player, this might be an issue.

Is there any way to push the CA-CompanyDivision-B root certificate on the trustpoint that represents the identity certificate, which was issued by CA-CompanyDivision-A?

Is there any way to chain CA-CompanyDivision-B root certificate and the identity certificate that was issued by CA-CompanyDivision-A?

I highly doubt that, but I would like to ask you anyway.

Many thanks!

The only way to do that is to have a root CA such as CompanyCA. Then have two intermediate CAs, Company-A-CA and Company-B-CA, which have their CA certs signed by CompanyCA. Then you issue CompanyA-Cert from Company-A-CA and CompanyB-Cert from Company-B-CA. In this case you need to have the chain in the trusted root store, and the ASA identity certificate will be trusted if it's issued by CompanyCA.
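
As an added example (not code from the original posts), the two trust models in this thread worked through in Go with crypto/x509: the current setup from the question, where the ASA's certificate comes from a CA-A that Division-B clients have never installed, and the design from the reply above, where one CompanyCA root sits over intermediate division CAs. All certificates are generated in memory; the CA names and the VPN hostname passed to Scenario are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent; a nil parent yields a self-signed root CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if !isCA { // the ASA identity certificate: SAN and server-auth EKU for the VPN hostname
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted is the client-side check: root is the only CA in the client's store, inter is the issuer certificate the ASA sends along with its identity certificate in the handshake.
func trusted(leaf, root, inter *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// Scenario returns (flat, shared): flat is the thread's current setup as seen by a Division-B client (two unrelated roots), shared is the design with one CompanyCA root above both division CAs.
func Scenario(host string) (flat, shared bool) {
	caA, keyA := mkCert("CA-CompanyDivision-A", true, nil, nil)
	caB, _ := mkCert("CA-CompanyDivision-B", true, nil, nil)
	asa, _ := mkCert(host, false, caA, keyA)
	flat = trusted(asa, caB, caA, host) // CA-A is presented by the ASA but is not in the Division-B store
	root, rootKey := mkCert("CompanyCA", true, nil, nil)
	subA, subKeyA := mkCert("Company-A-CA", true, root, rootKey)
	asa2, _ := mkCert(host, false, subA, subKeyA)
	return flat, trusted(asa2, root, subA, host) // only CompanyCA needs to be in every client's store
}
```

Only the common root has to be pre-installed on each workstation, because the issuing intermediate travels with the ASA's identity certificate in the handshake; in the flat design the ASA can present CA-A's certificate too, but a Division-B client that never installed it still ends at an untrusted self-signed issuer, which is the warning the question describes.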

Hello Mohammed,

Yeah, I thought so. Unfortunately, CA-CompanyDivision-B is not a subordinate certificate authority of CA-CompanyDivision-A.

It is an existing solution that now somehow works, and I need to figure out how it works since I will need to migrate the current configuration to new hardware. I'll just discuss this with the customer.

Many thanks for your time.

Cheers,

Jan
