Requesting/Issuing user certificates for IPSEC VPN

Jason Boston
Level 1

Hello all,

So I have an ASA set up with a connection to an LDAP server, a signed SSL certificate for the device cert, and I am using IPSEC IKEv2 VPN connections that are authenticated by X.509 certificates as well as LDAP username and password.

I have a Windows server 2012 Root CA server (offline state) and a Windows server 2012 Subordinate CA server. Both are 10-year Certification Authorities.

To generate the VPN certs I go to the Sub CA, go to certificates (local computer) > Personal > Right-click white space > All Tasks > Advanced Operations > Custom Request. 

I configure my cert accordingly and enable private key export.

I submit the new request to the Cert. Authority service on the Sub CA (same machine as before). I issue the certificate, then export the certificate with the private key. I send this to my user, then they install this certificate in their Personal certificate store and have access to the VPN using this cert plus the username and password they were assigned (no, there is no possibility for them to request from their own PC).

Question 1: Is there an easier way to do this? Command line? Script? pre-configured .ini file with certificate settings?

Question 2: These certificates are only 1-year. How can I generate certificates that are longer than that? I'm hoping for 3 years.

Thanks!

_J
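The manual flow in the post above (custom request on the Sub CA, submit, issue, export with private key) can be scripted end to end with certreq.exe, certutil.exe and the PKI PowerShell module, all of which ship with Windows Server 2012. The script below is an added example, not code from the thread or from Cisco or Microsoft documentation; the CA config string "SUBCA\Example Sub CA", the subject OU/O values and the output folder are assumptions to be replaced with your own values. The .inf file is the "pre-configured settings file" Question 1 asks about.

```powershell
# Added example (not from the thread): script the "Custom Request -> submit ->
# issue -> export PFX" flow from the original post for one VPN user.
# ASSUMPTIONS (change to match your environment):
#   - CA config string "SUBCA\Example Sub CA"  (certutil -dump shows yours)
#   - runs on the Sub CA as an account allowed to issue pending requests
#   - the VPN user is identified by the CN given in -UserName
param(
    [Parameter(Mandatory)] [string] $UserName,        # e.g. jdoe
    [string] $CaConfig = "SUBCA\Example Sub CA",      # assumed CA config string
    [string] $OutDir   = "$env:USERPROFILE\vpncerts"  # assumed working folder
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$inf = Join-Path $OutDir "$UserName.inf"
$req = Join-Path $OutDir "$UserName.req"
$cer = Join-Path $OutDir "$UserName.cer"
$pfx = Join-Path $OutDir "$UserName.pfx"

# 1. Request settings file. Client Authentication EKU (1.3.6.1.5.5.7.3.2) is
#    what an IKEv2 user certificate needs; KeyUsage 0xA0 = digitalSignature +
#    keyEncipherment; Exportable = TRUE matches "enable private key export".
@"
[NewRequest]
Subject = "CN=$UserName,OU=VPN Users,O=Example Corp"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
KeyUsage = 0xA0
KeySpec = 1
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $inf -Encoding ASCII

# 2. Generate the key pair and PKCS#10 request in the current user's store.
certreq.exe -new -q $inf $req

# 3. Submit to the standalone Sub CA. A standalone CA holds requests as
#    "pending", so capture the RequestId printed by certreq.
$submit = certreq.exe -submit -q -config $CaConfig $req $cer | Out-String
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "Submit failed:`n$submit" }
$requestId = [int]$Matches[1]

# 4. Issue the pending request (what "Issue" in the CA console does), then
#    retrieve the signed certificate and bind it to the private key.
certutil.exe -config $CaConfig -resubmit $requestId | Out-Null
certreq.exe -retrieve -q -config $CaConfig $requestId $cer
certreq.exe -accept -q $cer

# 5. Export certificate + private key as PFX for the user to import into
#    their Personal store (the exported file is what the post sends to the user).
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "CN=$UserName,*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$pw = Read-Host -AsSecureString "PFX password for $UserName"
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pw | Out-Null

# 6. Remove the admin-side copy of the user's private key once exported, so
#    the only copy of the key is the one handed to the user.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Write-Host "Issued request $requestId for $UserName; valid until $($cert.NotAfter); PFX at $pfx"
```

Send the PFX and its password over separate channels, since anyone holding both has the user's VPN credential. Note that generating the key on the CA and shipping it around is the weakest part of this design; enrollment from the user's own machine (which the post rules out, and which SCEP or an enterprise CA's templates make possible) keeps the private key from ever leaving the client.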

3 Replies

Marvin Rhoads
Hall of Fame (Accepted Solution)

Well nothing is entirely simple setup-wise when you've chosen to go down the client certificate path. It's generally easier to use SCEP (Simple Certificate Enrollment Protocol) than to deploy certificates manually. There is a SCEP configuration example here.

There's also a good presentation (or several) from Cisco Live. I recommend you have a look at this one from 2012: Practical PKI for VPN.

In that presentation, it specifically shows you (slide 39) how to create a new certificate template and set the validity period to other than the default 1 year period.

Thanks for the reply Marvin.

Unfortunately, I understand that SCEP and certificate templates are only available on an "Enterprise CA" and not on a "Stand-alone CA", which is what I am running. I had a quick look at the difference between the two and it seems there is not much difference other than the ability to have these two things, and the users' computers automatically trusting the CA as opposed to creating a group policy to trust the CA.

For anyone else interested: Enterprise CA Vs. Stand-Alone CA

So I think I'm going to have to look into converting or replacing my setup with an Enterprise one and see how it works.

Thanks again,

_J

You're welcome.

Please take a moment and rate my reply and/or mark the question as answered if you feel it has been.

Good luck with the enterprise CA.