CSR1000v to ASA Certificate based authentication

gary391
Level 1

Hi,

I have a site-to-site VPN connection between a Cisco CSR1000v and an ASA, presently using pre-shared keys for authentication. I am planning to start using digital certificates (third-party CA - DigiCert) instead of pre-shared keys. I am looking for a reference configuration or user guide that could help me get started.

Here are some high-level steps that I could think of to achieve this.

1. Install the root CA certificate on the router and firewall (Q: For a site-to-site VPN, should both the router and the firewall have the same root CA certificate?)

2. Create a CSR (Certificate Signing Request) from the router; also create a key pair on the CSR1000v.

3. Submit the CSR to DigiCert and get a signed certificate.

4. Install the signed certificate on the router.

5. Configuration changes to use a certificate instead of pre-shared keys.

 

Any feedback and help is much appreciated.

Accepted Solution

1. Install the root CA certificate on the router and firewall (Q: For a site-to-site VPN, should both the router and the firewall have the same root CA certificate?)

If one side is not managed by you and the two sides use different certificates, then both sides need to exchange the root/sub-CA and install it in your ASA and CSRv (and vice versa).


2. Create a CSR (Certificate Signing Request) from the router; also create a key pair on the CSR1000v.

This link explains how to create a CSR request: https://www.cisco.com/c/en/us/support/docs/interfaces-modules/catalyst-6500-series-ssl-services-module/63456-sslm-csr.html

 

3. Submit the CSR to DigiCert and get a signed certificate.
    Correct.

 

4. Install the signed certificate on the router.
    Once you submit the CSR to the public authority, give them a few hours. They will process the request and give you the identity certificate along with the root CA/sub-CA.

 

5. Configuration changes to use a certificate instead of pre-shared keys.
    Once you have loaded the certificate on the router/ASA, arrange the downtime.

 

Once a certificate has been generated and installed on a device, it is possible to export the whole certificate chain and private key pair for storage in a secure location. It is important to back up identity certificates in case of device failure.
 
 
 
Here are some links that will help you.
 
 
please do not forget to rate.


2 Replies

You don't need to have the same root CA on both sides. Just have a valid cert chain. Also make sure that the CN in each cert matches the FQDN of the device. Also, use the FQDN as the VPN peer address instead of the IP.

**** please remember to rate useful
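To put the accepted answer's steps and the first reply's CN/FQDN advice into a concrete CSR1000v (IOS-XE) configuration, here is an added illustrative example; it is not configuration from the thread, from Cisco's documentation or from DigiCert. The trustpoint names, key label, FQDNs (`csr1.example.net`, `asa.example.net`) and crypto parameters are placeholders, and it assumes DigiCert issues the identity certificate from an intermediate CA, so the root and the issuing CA each get their own trustpoint.

```cisco
! Added example for the CSR1000v side (placeholder names, not configuration from the thread).
! Step 2: generate the key pair the CSR is built from. 'exportable' permits the backup the
! accepted answer recommends; omit it if the private key must never leave the router.
crypto key generate rsa general-keys label VPN-KEYS modulus 2048 exportable
!
! Step 1: one trustpoint per CA in the chain. The root is only trusted, never enrolled.
crypto pki trustpoint DIGICERT-ROOT
 enrollment terminal pem
 revocation-check none
!
! The issuing (intermediate) CA signs the identity certificate; chain-validation tells
! IOS-XE to keep validating the chain with the root trustpoint above.
crypto pki trustpoint DIGICERT-ISSUING
 enrollment terminal pem
 subject-name CN=csr1.example.net,O=Example Corp
 fqdn csr1.example.net
 rsakeypair VPN-KEYS
 chain-validation continue DIGICERT-ROOT
 revocation-check crl none
!
! Exec-mode steps (run once, paste the PEM when prompted):
!   crypto pki authenticate DIGICERT-ROOT           <- paste the DigiCert root CA certificate
!   crypto pki authenticate DIGICERT-ISSUING        <- paste the issuing (sub-CA) certificate
!   crypto pki enroll DIGICERT-ISSUING              <- prints the CSR to submit (step 3)
!   crypto pki import DIGICERT-ISSUING certificate  <- paste the signed identity cert (step 4)
!
! Step 5: accept only peer certificates from the issuing CA whose subject carries the ASA's
! FQDN, which enforces the CN-matches-FQDN advice from the first reply.
crypto pki certificate map ASA-PEER-MAP 10
 issuer-name co digicert
 subject-name co asa.example.net
!
crypto ikev2 proposal AES-GCM-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy AES-GCM-POL
 proposal AES-GCM-PROP
!
! rsa-sig on both sides replaces the pre-shared key; the IKEv2 keyring is no longer needed.
crypto ikev2 profile ASA-PROFILE
 match certificate ASA-PEER-MAP
 identity local fqdn csr1.example.net
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint DIGICERT-ISSUING
!
! Verify after the cutover: show crypto pki certificates / show crypto ikev2 sa detailed
```

The ASA side needs the matching pieces (its own trustpoints for the root and issuing CA, an identity certificate whose CN is the ASA's FQDN, and `authentication rsa-sig` in its IKEv2 tunnel-group or profile) before the downtime window the answer mentions.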
