
Clientless SSL-VPN using self-signed certificate

mile.ljepojevic
Level 1

I need to have single-click authentication for clientless ssl vpn.

Just type in https://IPADDRESS/

get web page where group alias is visible and click login. No username, no pass. Something similar as it is using PEAP on Wireless.


I tried to generate a self-signed identity certificate and SSH keypair. It worked. I configured the group policy to use certificate-only authentication. It worked.


At the end, I configured

ssl trust-point SSL-TP outside

The trust point is using the previously generated identity certificate.

And here problems begin.

I can export that certificate as PKCS12 file, using password. When I try to import that same certificate in Windows 7, it reports that pass is not good (I am 100% sure that it is).

I know that I am doing something wrong, but I do not know what. Is this even doable? If not with self-signed, how then? I have a request literally just to click to log in and it should work. When I choose certificate-based authentication, I get that (no username/pass fields of web form) but always get a report that the certificate is invalid, or something.

Thank you a lot

1 Reply

rahgovin
Level 4

Hi,

From what I understand, you are trying to do client certificate authentication for SSL VPN. For this, it is preferable to use a single internal CA server (Microsoft) and issue certificates to the ASA and the clients (if you are already using wireless authentication, you should already have them issued to the client).

Which PKCS12 certificate are you trying to import to the Windows 7 box?