cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
229
Views
2
Helpful
2
Replies

Providing certificates for ASA SSL VPN Authentication

Crag Muer
Level 1
Level 1

I'd like to know if it's possible to give a remote client a certificate that they can import to use for SSL VPN authentication instead of having them generate the request and giving it to us to sign and hand back to them. Using an enrollment server in our current environment is not feasible and having as little user interaction on the client side is greatly needed.

1 Accepted Solution

Accepted Solutions

Crag Muer
Level 1
Level 1

In messing around with this a bit more I'm going to answer my own question here in case anyone is looking to do something similar.

As stated in the original question, our main requirement for this was to have as little end-user interaction as possible. Many of the clients we deal with are extremely weary of technology and even the mere mention of certificates is already too much. Our goal was to be able to provide a client with a single file they could double click and then use that for SSL VPN authentication.

So in order to do this, request a certificate with your CA, in our case a Windows Server running Microsoft certificate services, and then sign that certificate. Next you need to export that certificate with its private key included, so don't forget to make the private key exportable when you create the request. Next issue the certificate, but you can't simply export the issued certificate directly from certificate services. What you need to do first is export the certificate and then import it into the local certificate authorities certificate store (User/Machine - Personal Store). Then you can export it from there with the private key included and hand that single file to the client to double click and import into their certificate store.

View solution in original post

2 Replies 2

Crag Muer
Level 1
Level 1

In messing around with this a bit more I'm going to answer my own question here in case anyone is looking to do something similar.

As stated in the original question, our main requirement for this was to have as little end-user interaction as possible. Many of the clients we deal with are extremely weary of technology and even the mere mention of certificates is already too much. Our goal was to be able to provide a client with a single file they could double click and then use that for SSL VPN authentication.

So in order to do this, request a certificate with your CA, in our case a Windows Server running Microsoft certificate services, and then sign that certificate. Next you need to export that certificate with its private key included, so don't forget to make the private key exportable when you create the request. Next issue the certificate, but you can't simply export the issued certificate directly from certificate services. What you need to do first is export the certificate and then import it into the local certificate authorities certificate store (User/Machine - Personal Store). Then you can export it from there with the private key included and hand that single file to the client to double click and import into their certificate store.

If the endpoints are domain joined, you can push the certificates to them as part of joining the domain. In that case they will have zero interaction with anything.