Limitation of ASA Local CA

Lam Hung Chung
Level 1

Hi all,

We have an ASA 5520 used for VPN and would like to make use of the ASA's local CA to manage certificates.

Do you know if there's any limitation on the number of certificates that the local CA supports?

Thank you,

6 Replies

Jennifer Halim
Cisco Employee

ASA Flash memory can store up to 3500 users, however if you require more than 3500 users, then external storage is required.

Here is URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1145073

Hope that helps.

Hi Jenni,

Thanks for the answer. Is the figure of 3500 based on 256MB flash memory, which is the default flash on the 5520?

Thank you,

Yes, that is correct.

Jennifer,

Do you know if ASA supports local ca server for IPSec Remote Access VPN authentication? If so, could you please point me to a relevant configuration guide?

Thanks

Kebadu

Yes, ASA supports local ca server for IPSec remote access VPN authentication.

Unfortunately there is no specific sample configuration for IPSec remote access VPN authentication to ASA local CA server. However, yes, it is supported.

I would advise that you configure the ASA as a local CA server first. Here is the configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html

Here is a sample config for VPN Client using Microsoft CA certificate:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

Unfortunately there is no sample config for the ASA local CA, but the concept is the same based on the above 2 documents.

Jennifer, many thanks for your quick response. I will try to test it out using a spare ASA we have and let you know the result.

Cheers!

Kebadu