01-13-2016 06:45 AM
I am a beginner at ASA AnyConnect setup. I looked into some designs and found several certificates in the configuration of the ASA in ASDM. Can anyone explain to me the difference between an identity certificate and a CA certificate? How are both kinds of certificate used during AnyConnect VPN setup?
Thanks.
Martin
01-13-2016 03:10 PM
Hi Martin,
CA certificate stands for Certificate Authority certificate; these are commonly used when you have certificate authentication enabled. In this section we can install any intermediate certificates as well.
Identity certificates are normally used for SSL identity purposes on the ASA.
Example:
https://supportforums.cisco.com/document/12524871/install-certificate-asa
Hope it helps
-Randy-
01-13-2016 04:40 PM
Thanks for your reply, Randy.
Looking into an existing deployment of AnyConnect, I understand that the CA certificate is used for client authentication. The ASA and the AnyConnect client have certificates issued by the same Certificate Authority, so that the AnyConnect client and the ASA can trust each other.
Please correct me if I have misunderstood anything.
But I am still a little confused about how identity certificates work. I can see that identity certificates are always bound to the interface that receives the SSL VPN connection requests.
01-14-2016 08:00 AM
Hi Martin,
You are right, the CA certificates are used for certificate authentication. See an example below:
https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication
The identity certificates are attached to the interface in order to make the ASA a trusted server. For example, if you have an identity certificate with the CN vpn.cisco.com, the AnyConnect users need to type that domain to connect and avoid any pop-up about untrusted connections. I hope that answers your question.
Cheers,
-Randy-
01-15-2016 12:58 AM
Hi Randy,
If I do not use certificate authentication for the AnyConnect client, do I have to install a certificate and bind it to the interface?
From the previous discussions below, it seems that the pop-up about untrusted connections is a bug in a specific AnyConnect version.
https://supportforums.cisco.com/discussion/12328761/cisco-anyconnecthow-hide-security-warning-untrusted-certificate
https://supportforums.cisco.com/document/12507066/security-warning-untrusted-certificate-when-trying-connect-asa-using-anyconnect
br,
Martin
01-15-2016 04:37 PM
Hi Martin,
It is not a bug, it is the way certificates work: certificates function similarly to identification cards such as passports. For example, passports are issued by recognized government authorities, whereas digital certificates are issued by recognized certification authorities (CAs). The ASA is not a Certificate Authority, hence if you try to connect to the ASA without a certificate previously installed, it is expected that you get the pop-up about "untrusted connections".
Actually, what you are doing when you install the certificate on the ASA is making this unit a trusted device.
Cheers,
-Randy-
08-31-2016 08:18 AM
Hi,
I happened to read this post and I have an additional question. Does the ASA need both 1) an identity cert and 2) a CA cert for the VPN to function?
Regards,
Kelvin
09-01-2016 09:55 AM
Kelvin
I do not want to be overly picky, but I do want to be very careful in answering your question, especially if the crux of your question is about the VPN functioning. This discussion is about setting up the ASA for the AnyConnect client for Remote Access VPN. AnyConnect VPN will function without a CA cert and an Identity cert by having the ASA generate a self-signed cert. So the CA cert and Identity cert are not required for the VPN to function. But if you run AnyConnect with the self-signed cert, then each time the user initiates the VPN they will receive a warning message about an untrusted server. If we want to avoid that warning message, then we need to install the CA cert and the Identity cert.
HTH
Rick
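The trust decision Rick and Randy describe (self-signed identity cert gives the untrusted-server warning; a CA-issued identity cert whose name matches what the user types does not) can be reproduced with openssl. This is an added example, not from the thread or from Cisco; the lab CA, the hostname vpn.example.com and the IP 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: mimic the client-side check an AnyConnect user hits when connecting
# to an ASA, using a throwaway CA built with openssl (nothing here touches a real ASA).
set -eu
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# Build the lab: a private CA, an identity cert it issued for the VPN hostname,
# and a self-signed cert for the same hostname (what the ASA generates on its own).
build_lab() {
  printf 'subjectAltName=DNS:vpn.example.com\n' > "$LAB/san.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Lab Root CA" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
    -keyout "$LAB/asa.key" -out "$LAB/asa.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/asa.csr" -CA "$LAB/ca.crt" -CAkey "$LAB/ca.key" \
    -CAcreateserial -days 825 -extfile "$LAB/san.ext" -out "$LAB/asa.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 -subj "/CN=vpn.example.com" \
    -keyout "$LAB/self.key" -out "$LAB/self.crt" 2>/dev/null
}

# The client's two questions: does the server cert chain to a CA the client trusts,
# and does the name the user typed match the cert? Prints "trusted" or "untrusted".
# $1 = cert the ASA presents, $2 = CA file the client trusts, $3 = name the user typed
client_check() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

build_lab
# Self-signed ASA cert: no issuer the client trusts, so the warning pop-up appears.
client_check "$LAB/self.crt" "$LAB/ca.crt" vpn.example.com   # untrusted
# CA-issued identity cert and the user typed the CN: no warning.
client_check "$LAB/asa.crt" "$LAB/ca.crt" vpn.example.com    # trusted
# Same good cert, but the user typed the IP instead of the CN: warning again.
client_check "$LAB/asa.crt" "$LAB/ca.crt" 192.0.2.10         # untrusted
```

On a real deployment the second argument is the client's OS trust store, so the CA that issued the ASA identity cert (and any intermediate) must be present there for the first check to pass.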
09-01-2016 05:53 PM
Thanks for the clear explanation Rick!
09-01-2016 08:05 PM
You are welcome.
HTH
Rick