04-17-2017 09:21 AM - edited 02-21-2020 09:15 PM
Hi,
The user requests a CSR, sends it to the CA and installs it in the certificate store.
When AnyConnect reads the certificate, how does AnyConnect verify the certificate?
What type of certificate does the user have to request?
Please give a step-by-step example from an internal CA.
Thanks
04-17-2017 11:58 AM
What type of CA are you using to issue user certificates? In the case of a Microsoft CA, you would have to use templates for users to request certificates themselves via a webpage. For AnyConnect client certificates, the important thing to note is that you need a few attributes (EKU set to Client Authentication, for example) for the certificate to be used for SSL client certificate authentication.
A good guide to configuring your MS CA for AnyConnect is given here:
http://www.petenetlive.com/KB/Article/0001030
The ASA verifies that the user certificate has been issued by a CA it trusts, which means you would have to have the CA certificate of the MS CA installed on the ASA. It also does a revocation check to see if the certificate provided by the user is valid. If you get all this right, the client should be able to authenticate with the ASA without any issues.
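As an added example (not from this thread, Cisco or the ASA's own code), the following script builds the same two-tier chain with openssl (a self-signed root, an intermediate issuing CA, and end-entity certificates) and reproduces two of the checks described above: that the certificate chains to the trusted root CA, and that it carries the Client Authentication EKU. Revocation checking is not shown. The file names and subjects (`user1.crt`, `fw.crt`, `rogue.crt`) are constructed for the demo.

```shell
#!/bin/sh
# Added example: rebuild a RootCa -> testdom-INTCA -> user chain with openssl and
# run the chain-of-trust and EKU checks an AnyConnect gateway applies to a client cert.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# newcert <name> <subject> <extfile> [<issuer-name>]; no issuer means self-signed.
newcert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    if [ -z "$4" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -extfile "$3" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
            -days 365 -extfile "$3" -out "$1.crt" 2>/dev/null
    fi
}

# Extension profiles: CA certs, a client-auth user cert, a server-auth identity cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
printf 'keyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > server.ext

newcert root  "/DC=local/DC=testdom/CN=RootCa" ca.ext              # trusted root (constructed)
newcert sub   "/DC=local/DC=testdom/CN=testdom-INTCA" ca.ext root  # issuing sub CA
newcert user1 "/CN=user1@testdom.com" client.ext sub               # what AnyConnect should present
newcert fw    "/CN=testdom-Internet-FW" server.ext sub             # server-auth EKU only
newcert rogue "/CN=user1@testdom.com" client.ext                   # self-signed, not chained to RootCa

# Check 1: does the certificate chain to the trusted root through the intermediate?
chains_to_root() {
    openssl verify -CAfile root.crt -untrusted sub.crt "$1" >/dev/null 2>&1
}

# Check 2: does the certificate carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2)?
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Both checks must pass for the certificate to be usable for client authentication.
acceptable_for_anyconnect() {
    chains_to_root "$1" && has_client_auth_eku "$1"
}

for c in user1.crt fw.crt rogue.crt; do
    if acceptable_for_anyconnect "$c"; then echo "$c: OK"; else echo "$c: REJECT"; fi
done
```

Expected result: `user1.crt` is accepted, `fw.crt` is rejected (wrong EKU), and `rogue.crt` is rejected (no path to the trusted root).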
04-18-2017 11:01 AM
Hi,
I am getting a certificate validation error when connecting with AnyConnect.
Below is the information.
I have a root CA and a sub CA (Microsoft internal),
so I added both certificates under Device Management -> CA Certificates (two different trust points).
ROOT-CA
sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 29axxxxxxxxxxxxxxxxx
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=RootCa
dc=testdom
dc=local
Subject Name:
cn=RootCa
dc=testdom
dc=local
Validity Date:
start date: 15:35:11 UTC Dec 24 2008
end date: 15:29:35 UTC Jan 15 2019
Associated Trustpoints: ASDM_TrustPoint3------------------------------ROOT-CA
IDENTITY CERTIFICATE
Certificate
Status: Available
Certificate Serial Number: 1bxxxxxxxxxxxxxxxxx
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA512 with RSA Encryption
Issuer Name:
cn=testdom-INTCA
dc=testdom
dc=local
Subject Name:
cn=testdom-Internet-FW
CRL Distribution Points:
[1] ldap:///CN=testdom-INTCA,CN=CERSRV,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdom,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
[2] http://CERSRV.testdom.local/CertEnroll/testdom-INTCA.crl
Validity Date:
start date: 11:33:48 UTC Apr 18 2017
end date: 15:29:35 UTC Jan 15 2019
Associated Trustpoints: ASDM_TrustPoint2------identity certificate
SUBORDINATE CA
CA Certificate
Status: Available
Certificate Serial Number: 1bxxxxxxxxxxxxxxxxx
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=RootCa
dc=testdom
dc=local
Subject Name:
cn=testdom-INTCA
dc=testdom
dc=local
CRL Distribution Points:
[1] ldap:///CN=RootCa,CN=AD02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdom,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 16:04:06 UTC Jan 30 2017
end date: 15:29:35 UTC Jan 15 2019
Associated Trustpoints: ASDM_TrustPoint1-------------------SUBORDINATE CA
The identity certificate's EKU is set to Server Authentication (1.3.6.1.5.5.7.3.1)
and the user certificate's EKU is set to Client Authentication.
show crypto ca trustpoints
Trustpoint _SmartCallHome_ServerCA:
Not authenticated.
Trustpoint ASDM_TrustPoint0:
Not authenticated.
Trustpoint ASDM_TrustPoint1:
Subject Name:
cn=testdom-INTCA
dc=testdom
dc=local
Serial Number: 15xxxxxxxxxxxxxxxxxxx
Certificate configured.
Trustpoint ASDM_TrustPoint2:
Not authenticated.
(Q. Why is it not authenticated?)
Trustpoint ASDM_TrustPoint3:
Subject Name:
cn=RootCa
dc=testdom
dc=local
Serial Number: 29xxxxxxxxxxxxxxxx
Certificate configured.
tunnel-group test webvpn-attributes
authentication aaa certificate
I have a split domain, testdom.local and testdom.com,
so the user principal name is user1@testdom.com (not user1@testdom.local);
the certificate CN is user1@testdom.com.
Thanks