
Anyconnect client and local authority certificate

Ruterford
Level 1

Hi All, I need some help with ASA 5510 configuration for the Cisco AnyConnect VPN client. Currently the ASA is configured for self-signed certificate access thru AnyConnect SSL VPN. So the cert is being generated with every connection (to my understanding, I haven't found any identity certificate on the current configuration, at least on ASDM). Now I need to use a certificate from our local Windows CA that we have at the office. I.e. self-signed certs should be changed with another one issued by our local office authority.

I did the following:

1. Generated new rsa key pair on the ASA

2. Generated CSR from identity certificates

3. Applied CSR to the windows CA and generated the certificate

Now I need to understand what is going to happen after I install this certificate on the ASA's identity certificates and apply it to outside interface.

Is there anything to be done on the users side to use new certificate?

Do they need to download and install the root certificate from the same CA?

Do I need to have the root certificate installed on the ASA or identity is enough?

Just need to clarify my next steps, sorry don't have much experience with CA and SSL vpn clients. Thanks!


Jennifer Halim
Cisco Employee

Here is a sample configuration to generate/upload a third-party certificate (in your case a Microsoft certificate) to the ASA for AnyConnect:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml

To answer your question:

Is there anything to be done on the users side to use new certificate? No, they will be presented with a new certificate when they connect to the AnyConnect, and all they need to do is to accept the new certificate.

Do they need to download and install the root certificate from the same CA? No, if it's a Microsoft CA server, typically the browser comes with well-known third-party certificates, and the Microsoft Root should be included already. Otherwise, when they are presented with a new certificate, they can store it in the Certificate store.

Do I need to have the root certificate installed on the ASA or identity is enough? You would need both, root and identity certificate.
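
The steps discussed in this thread, written out as an ASA CLI sequence. This is an added example, not part of either post and not taken from the linked Cisco document. The trustpoint name `LOCAL-CA-TP`, the key label `VPN-KEY`, the name `vpn.example.com` and the 2048-bit modulus are assumed placeholders; `outside` is the interface named in the question.

```cisco
! Added example with placeholder names (LOCAL-CA-TP, VPN-KEY, vpn.example.com).
! Steps 1-2 from the question, shown for completeness: if the key pair and CSR
! already exist, reuse that trustpoint and key pair instead of creating new ones.
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint LOCAL-CA-TP
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair VPN-KEY
 exit
! Prints the CSR that is submitted to the Windows CA (step 3 in the question).
crypto ca enroll LOCAL-CA-TP

! Root certificate: paste the Base64 root certificate of the Windows CA,
! then type "quit" on a line by itself.
crypto ca authenticate LOCAL-CA-TP

! Identity certificate: paste the Base64 certificate the CA issued for the CSR.
! It must match the key pair bound to this trustpoint.
crypto ca import LOCAL-CA-TP certificate

! Present the new identity certificate on the outside interface.
ssl trust-point LOCAL-CA-TP outside

! Checks: the trustpoint should list a CA certificate and an identity
! certificate, and the SSL configuration should reference the trustpoint.
show crypto ca certificates LOCAL-CA-TP
show running-config ssl
```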