4217 Views | 0 Helpful | 14 Replies

Can you configure ASA as CA for client certs?

baskervi (Level 1)

I have a client that doesn't have an internal CA but wants to use client certificates for their VPN tunnels. Has anyone attempted to use the ASA to generate these certificates? I haven't found any articles that state whether or not this can be done, but given the ASA can generate certificates for itself, I thought this might be possible.

Thanks

14 Replies

Hi,

The ASA 8.x has the local CA capability which is a basic level of CA provisioning which will work for VPN clients.

Although not a Cisco link, check here:

http://blog.ipexpert.com/2010/07/28/asa-local-ca-server/

Federico.

Just to note I think that Cisco actually supports the local CA on the ASA for SSL clients (not IPsec).

Federico.

Thanks for the info. I also found http://www.networkworld.com/community/blog/how-guide-cisco-asa-sslvpn-using-certificates since I posted originally. Within the ASDM, I'm to the point where I created a local CA server, but when I go to manage the user database under the local certificate authority, the GUI states "Local Certificate Authority Server should be enabled at least once before adding a user." The enable radio button under the Local Certificate Authority | CA Server is selected. I'm at a loss here.

You may be correct regarding the certificates only being valid under the SSL vpn, but on the IPSec client, there are some certificate settings. I still have hope.

I guess technically the local CA can be used for IPsec VPN users.

However I think that Cisco provides only support for SSL VPN users when using the local CA (I guess they were not meant to work together).

You might need to erase the local CA (from CLI) and recreate it via ASDM.

Federico.

I'm getting closer. I removed the old cert created via CLI and recreated it with ASDM, so I can create users now. I do receive the email for enrollment, and this is what is provided:

You have been granted access to enroll for a certificate.

The credentials below can be used to obtain your certificate.

   Username: testuser4
   One-time Password: 90FD09B3015AFD90
   Enrollment is allowed until: 11:47:08 CST Fri Dec 10 2010

NOTE: The one-time password is also used as the passphrase to unlock the
certificate file.

Please visit the following site to obtain your certificate:

https://mobilefirewall.domain.com/+CSCOCA+/enroll.html

I go to this website only to get

The webpage cannot be found

I've recreated everything from scratch, but to no avail.
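As an added example, not part of the original thread, here is the CLI form of the local-CA setup and user-enrollment flow that the posts above drive through ASDM, together with the state checks to run before mailing an OTP. The hostname, issuer name, user, addresses and SMTP server are placeholders; the commands are the ASA 8.x local CA feature set, and the "clear configure" line at the end is the recovery step the thread used (wipe the CA made on the CLI, recreate it), given here as I recall it and worth confirming with "?" on your own release.

```text
! Local CA server on the ASA. The enrollment page is served on the same
! HTTPS listener as WebVPN/ASDM, so https://<fqdn>/ must work first.
! If WebVPN is enabled on that interface, ASDM answers under /admin/
! and the enrollment page under /+CSCOCA+/enroll.html.
hostname mobilefirewall
domain-name domain.com
crypto ca server
 issuer-name CN=mobilefirewall.domain.com,O=Example Corp
 keysize 2048
 keysize server 2048
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 6
 lifetime enrollment-period 24
 otp expiration 72
 subject-name-default O=Example Corp,C=US
 smtp from-address ca@domain.com
 smtp subject "VPN certificate enrollment"
 ! "no shutdown" starts the CA. The first time, it prompts for the
 ! passphrase (7+ characters) protecting the CA key archive. Until this
 ! has run once, ASDM refuses to add users (the error quoted above).
 no shutdown
exit
smtp-server 192.0.2.25
! Confirm the server is up and inspect the CA certificate before
! handing out credentials.
show crypto ca server
show crypto ca server certificate
! Add a user, permit enrollment, and mail the one-time password. The
! OTP is both the enrollment credential and the PKCS#12 passphrase,
! so treat the mail as a secret and keep the enrollment window short.
crypto ca server user-db add testuser4 dn CN=testuser4,OU=VPN Users,O=Example Corp email testuser4@domain.com
crypto ca server user-db allow testuser4
crypto ca server user-db email-otp testuser4
! Alternative: read the OTP on the console and pass it out of band.
crypto ca server user-db show-otp testuser4
show crypto ca server user-db
! Recovery used in the thread: remove a CA built on the CLI and rebuild
! it from ASDM. This destroys the CA key and every certificate it issued.
clear configure crypto ca server
```

The user's enrollment window is "lifetime enrollment-period" hours after "allow"; a user who does not enroll in time simply needs "allow" repeated, which issues a fresh OTP.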

Do you access the ASA using an IP address or a domain name?

Can you check up if your fqdn is accessible from a browser? I mean https://mobilefirewall.domain.com

I've tried both, and both give the same error.

If https://mobilefirewall.domain.com itself fails, then your FQDN itself is wrong or the HTTPS port is wrong. Only if you can reach that URL will you be able to reach the CA cert URL. So I would check your domain and SSL settings.

I am prompted because of a certificate error, so I am connected to the firewall. It's not until after I accept the certificate issue (because it's self-signed) that I get the page can't be displayed. Is the port used by the CA different from the one used by the ASDM?

No it should be the same ssl port. Could you try the URL from a different browser. Also try disabling the CA server and enabling it again. Also you can run an ssl capture on your PC to see where the ssl handshake is failing there.

I had completely deleted all SSL configuration, rebooted the ASA, and reapplied the configuration, and I kept getting the same error. I noticed this morning that when I click the link https://domain.priceedwards.com/+CSCOCA+/enroll.html, I was being redirected to https://mobilefirewall.domain.com/admin/+CSCOCA+/enroll.html. I did this multiple times on two different browsers. I flushed my browser history, and now I don't get a redirect and the website pulls up, so I'm now able to install the certificate properly.

I've created an entry in the VPN client, and now I get the following:

19     17:51:55.063  12/08/10  Sev=Warning/3 IKE/0xE300007C
Failed to verify signature

20     17:51:55.063  12/08/10  Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

21     17:51:55.064  12/08/10  Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)

Here's the relevant part of the configuration, but there is obviously a problem in here.

ip local pool IPPool 192.168.200.1-192.168.200.15 mask 255.255.255.240
...
dynamic-access-policy-record DfltAccessPolicy
...
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set 3DES-SHA
crypto map COMPANY-VPN 1000 ipsec-isakmp dynamic dynmap
crypto map COMPANY-VPN interface outside
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=mobilefirewall
 keypair LOCAL-CA-SERVER
 proxy-ldc-issuer
 crl configure
crypto ca server
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
    3082022d 30820196 a0030201 02020101 300d0609 2a864886 f70d0101 04050030
...
    c2acfb39 cd67c558 ce64d555 99ae3057 47
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 15a0fe4c
    3082026e 308201d7 a0030201 02020415 a0fe4c30 0d06092a 864886f7 0d010104
...
    c5c0e340 26a803a1 7a0be18d db014f97 1945
  quit
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy defaultgroup internal
group-policy defaultgroup attributes
 default-domain value domain.com
...
tunnel-group DefaultRAGroup general-attributes
 address-pool IPPool
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point ASDM_TrustPoint0

Does anyone see a problem? Thanks very much.

ASA as local CA server is not supported for IPsec vpn but only for ssl vpn.

Do you know if you can use public certificates for IPSec VPN?

For IPsec VPN normally what you do is to have a Microsoft Server 2003 CA server handling the certificates (or another CA).

Federico.
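As an added example, not from the thread, this is what the IPsec side looks like when the client certificates come from an external CA (here a Windows 2003 CA reached over SCEP), which is the route the last reply recommends. The SCEP URL, the trustpoint and keypair names, the subject and issuer strings, the OU value and the certificate-map name are placeholders; the IKEv1 policy (rsa-sig, 3des, sha, group 2) is the one already in the configuration above and is not repeated.

```text
! Keypair and trustpoint for the external CA. Enrolling the ASA's own
! identity certificate from the same CA means the client can validate
! the ASA's IKE signature with the CA cert it already trusts.
crypto key generate rsa label EXT-CA-KEY modulus 2048
crypto ca trustpoint EXTERNAL-CA
 enrollment url http://ca.domain.com/certsrv/mscep/mscep.dll
 enrollment retry count 3
 subject-name CN=mobilefirewall.domain.com,O=Example Corp
 fqdn mobilefirewall.domain.com
 keypair EXT-CA-KEY
 ! Check client certificates against the CA's CRL; the CDP URL is
 ! taken from the certificate itself.
 revocation-check crl
 crl configure
  policy cdp
  cache-time 60
 exit
exit
! Import the CA certificate (compare the printed fingerprint with the
! CA administrator before answering "yes"), then request the ASA's
! identity certificate.
crypto ca authenticate EXTERNAL-CA
crypto ca enroll EXTERNAL-CA
show crypto ca certificates EXTERNAL-CA
! The tunnel-group must present the certificate chained to the CA the
! clients trust, so point it at the external trustpoint, not at a
! self-signed one.
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point EXTERNAL-CA
! Select the tunnel-group from certificate contents, so only certs from
! the expected issuer and OU land in this group; certificates that do
! not match fall through to the default mapping, so keep that default
! group restrictive.
crypto ca certificate map VPN-USERS 10
 issuer-name attr cn eq "Example Issuing CA"
 subject-name attr ou eq "VPN Users"
tunnel-group-map enable rules
tunnel-group-map VPN-USERS 10 DefaultRAGroup
```

After enrolling, "show crypto ca certificates EXTERNAL-CA" should list both the CA certificate and the ASA's issued certificate; a client that still reports "Failed to verify signature" has not been given the same CA certificate to trust.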