05-01-2020 01:41 PM - edited 05-01-2020 01:42 PM
Hi,
I have a site-to-site VPN connection between a Cisco CSR1000v and an ASA, presently using pre-shared keys for authentication. I am planning to start using digital certificates (third-party CA - DigiCert) instead of pre-shared keys. I am looking for a reference configuration or user guide that could help me get started.
Here are some high level steps that I could think of to achieve this.
1. Install the root CA certificate on the router & firewall (Q: For a site-to-site VPN, should both the router and the firewall have the same root CA certificate?)
2. Create a CSR (certificate signing request) on the router, and also create a key pair on the CSR1000v
3. Submit the CSR to DigiCert and get a signed certificate.
4. Install the signed certificate on the router
5. Make the configuration changes to use a certificate instead of pre-shared keys.
Any feedback and help is much appreciated.
05-02-2020 01:45 AM
1. Install the root CA certificate on the router & firewall (Q: For a site-to-site VPN, should both the router and the firewall have the same root CA certificate?)
If one of the sides is not managed by you and both sides use different certificates, in that case both sides need to exchange the root/sub-CA in your ASA and CSRv (and vice versa).
2. Create a CSR (certificate signing request) on the router, and also create a key pair on the CSR1000v
This link explains how to create a CSR request: https://www.cisco.com/c/en/us/support/docs/interfaces-modules/catalyst-6500-series-ssl-services-module/63456-sslm-csr.html
3. Submit the CSR to DigiCert and get a signed certificate.
Correct.
4. Install the signed certificate on the router
Once you submit the CSR to the public authority, give them a few hours. They will process the request and give you the identity certificate with the root CA/sub-CA.
5. Make the configuration changes to use a certificate instead of pre-shared keys.
Once you load the certificate on the router/ASA, arrange the downtime.
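As an added example (not from the original thread or from Cisco's own documentation), this is the IOS XE configuration sequence on the CSR1000v that the steps above describe: key pair, trustpoints for the CA chain, terminal-based enrolment, and an IKEv2 profile that authenticates with RSA signatures instead of a pre-shared key. Trustpoint names, key label, hostnames and subject names are assumed placeholders. Note the certificate map: because DigiCert is a public CA, the profile matches the peer's own certificate identity rather than accepting any certificate the CA has issued.

```cisco
! --- Step 2: key pair for the router's identity certificate (label is a placeholder) ---
crypto key generate rsa label VPN-RSA-KEY modulus 2048
!
! --- Step 1: trustpoint holding the DigiCert root CA (chain anchor only, no enrolment) ---
crypto pki trustpoint DIGICERT-ROOT
 enrollment terminal pem
 revocation-check none
!
! --- Identity trustpoint: authenticated with the issuing (sub-CA) certificate, chained to the root ---
crypto pki trustpoint DIGICERT-ID
 enrollment terminal pem
 subject-name CN=csr1.example.net,O=Example Corp
 fqdn csr1.example.net
 revocation-check crl
 rsakeypair VPN-RSA-KEY
 chain-validation continue DIGICERT-ROOT
!
! Paste the root CA PEM when prompted, then the sub-CA PEM for the identity trustpoint
crypto pki authenticate DIGICERT-ROOT
crypto pki authenticate DIGICERT-ID
! Step 2/3: prints the CSR in PEM; submit that block to DigiCert
crypto pki enroll DIGICERT-ID
! Step 4: paste the signed identity certificate returned by the CA
crypto pki import DIGICERT-ID certificate
!
! --- Step 5: only accept the ASA's certificate, not any certificate from the same public CA ---
crypto pki certificate map ASA-PEER-CERT 10
 subject-name co asa1.example.net
 issuer-name co DigiCert
!
crypto ikev2 profile IKEV2-CERT-PROFILE
 match certificate ASA-PEER-CERT
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint DIGICERT-ID
!
crypto ipsec profile IPSEC-CERT-PROFILE
 set ikev2-profile IKEV2-CERT-PROFILE
```

After the cutover, `show crypto pki certificates DIGICERT-ID` confirms the identity and CA certificates are installed, and `show crypto ikev2 sa detailed` shows the SA authenticated with RSA rather than PSK.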