09-03-2019 11:51 AM - edited 02-21-2020 09:44 PM
I have VPN Remote Access setup and working on our Firepower 4110, version 6.2.3.3 but I am now trying to install an SSL certificate for this Remote Access setup so that my users do not get SSL errors when trying to connect and use the AnyConnect client software. I have generated a CSR and submitted that to my CA for a cert, but cannot find how to get this properly imported into the Firepower and assigned to the VPN Remote Access interface.
Does anyone have step-by-step setup instructions for this process? I have tried creating certificates in Objects>PKI>Cert Enrollment using the "manual" process, but those don't seem to be available to assign to the Remote Access interface.
I have also tried "adding" the CA generated (GoDaddy) certificate in Devices>Certificates but the certificate shows "failed to configure CA certificate" error with a red X by the CA icon.
Any help would be appreciated.
Gary Nickerson
09-03-2019 11:56 AM
Hi,
You'll need to import the certificate as a PKCS12 enrollment type.
Here is an example, see the certificate import section.
HTH
09-04-2019 11:57 AM
@Rob Ingram mentioned the pkcs12 method. That's best when using a public CA.
I've been drafting a process for the manual method. It's a work in progress but here's what I have so far:
Reference document.
Objects > PKI > Cert Enrollment
Add Cert Enrollment
choose a locally significant name for it (no spaces)
Enrollment Type : Manual
You will need to paste in the certificate of your issuing CA
Fill out the certificate parameters, be sure to include FQDN by using “Custom FQDN” option with the actual FQDN.
Save the object
Devices > Certificates
Choose the device and assign the new object to it. This creates a Trustpoint on the object (pending deployment). It should be annotated "Identity certificate import required"
Click the "Import Identity Certificate" icon to the right that looks like a page with an arrow on the top right of it ("re-enroll certificate" is the tool tip). That will generate the CSR and open up a window with the CSR and a place to import the signed certificate.
send the CSR to your CA.
Retrieve the signed certificate as Base64 encoded. Import that certificate file in the "Step 2" section of "Import Identity Certificate".
Click Import
You should now see both the CA and ID (Identity) icons in the Status column. You can inspect both to verify they are as expected.
Devices > VPN > Remote Access
Either create a new or modify an existing VPN profile
If creating new you will be prompted to choose the certificate.
If modifying an existing, choose Access Interfaces tab and select the new SSL Global Identity Certificate from the dropdown menu
Save and Deploy
make sure your FQDN is published in your DNS and resolving (can use local hosts file for testing purposes)
browse to the FQDN via https (or enter the device FQDN directly in AnyConnect VPN tile user interface)
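As an added example (not from any of the posts above), the following POSIX shell script covers the two routes discussed in this thread: it sanity-checks a signed identity certificate against the CA certificate and the FQDN before it goes into the manual "Import Identity Certificate" step, and it packages key, certificate and CA chain into the single PKCS12 file that the PKCS12 enrollment type expects. The FQDN `vpn.example.test`, the lab CA and the file names are all constructed for the demo; in real use the CSR and key come from the FMC-generated trustpoint (manual route) or from wherever you generated the CSR for the public CA (PKCS12 route).

```shell
#!/bin/sh
# Added example, not part of the thread. Requires the openssl CLI.
# Constructed lab material: a throwaway CA signs a leaf cert for a sample FQDN.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="vpn.example.test"   # constructed sample FQDN, substitute your own

make_lab_material() {
  # Throwaway CA key and self-signed CA cert (stands in for your issuing CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Lab Root CA" 2>/dev/null
  # Device key and CSR (in the manual FMC flow the device generates these)
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/ftd.key" -out "$WORK/ftd.csr" \
    -subj "/CN=$FQDN" 2>/dev/null
  # CA signs the CSR and adds the FQDN as a SAN; this is what the
  # "Custom FQDN" field in the enrollment object is meant to produce
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/ftd.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/ftd.crt" 2>/dev/null
}

# Returns 0 when the signed cert chains to the CA cert, carries the FQDN as a
# SAN and matches the private key; prints the failing check and returns 1 otherwise.
check_identity_cert() {
  cert="$1"; key="$2"; ca="$3"; fqdn="$4"
  # 1. Was the identity cert issued by the CA whose cert you pasted into the object?
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain: $cert does not chain to $ca"; return 1; }
  # 2. Is the name users will type present as a SAN (clients ignore CN alone)?
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "DNS:$fqdn" \
    || { echo "san: $fqdn not in subjectAltName"; return 1; }
  # 3. Does the cert's public key match the private key (mismatch = failed import)?
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "key: certificate and private key do not match"; return 1; }
  return 0
}

# Bundles key + identity cert + CA chain into one PKCS12 file for the
# PKCS12 enrollment type, then confirms the bundle opens with the passphrase.
make_pkcs12() {
  cert="$1"; key="$2"; chain="$3"; out="$4"; pass="$5"
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -name "ra-vpn-identity" -out "$out" -passout "pass:$pass" 2>/dev/null
  openssl pkcs12 -in "$out" -passin "pass:$pass" -nokeys -noout 2>/dev/null
}

demo() {
  make_lab_material
  check_identity_cert "$WORK/ftd.crt" "$WORK/ftd.key" "$WORK/ca.crt" "$FQDN" \
    && echo "identity cert OK for $FQDN"
  make_pkcs12 "$WORK/ftd.crt" "$WORK/ftd.key" "$WORK/ca.crt" "$WORK/ra-vpn.p12" "changeit" \
    && echo "wrote $WORK/ra-vpn.p12"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh script.sh demo`. The three checks in `check_identity_cert` correspond to the usual reasons the CA or ID icon in Devices > Certificates ends up red: the pasted CA certificate is not the actual issuer, the certificate was issued without the FQDN, or the certificate is being paired with a key other than the one that produced the CSR. For the PKCS12 route, if the importer rejects a bundle produced by OpenSSL 3, re-export with its `-legacy` option so the older PBE algorithms are used.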
07-21-2020 05:22 AM
Hello Marvin,
Thank you for this guide. It was exactly what I was looking for.
Quick question. For my Lab environment, I use a Microsoft CA server. When requesting a certificate, I can choose different certificates templates. Would the template "Web Server" work as an Identity cert or do I need to create a custom template for this?
Also, do you happen to have a similar guide for creating and using certificates for RA VPN authentication?
Thanks
/Chess
07-21-2020 09:50 AM - edited 07-21-2020 09:51 AM
You're welcome. That process is actually for the certificate used by the remote access (RA) SSL VPN.
If you're using Microsoft's standard Windows Certificate Authority there's no need to create a custom template - the "Web Server" one works fine.
07-22-2020 05:55 AM - edited 07-22-2020 05:57 AM
Yes, you are right. This process worked great for user certificate authentication. I enabled both AAA and certificate authentication on the FTD and was able to connect to the VPN after downloading a user certificate from my lab MS CA server.
Now, the question is: how should I do this if I want to use a computer certificate and machine authentication instead of user certificates? I have not been able to find any good guides that explain this process.
Cheers
/Chess
07-22-2020 09:13 AM
I am reasonably sure that a user cannot access the Windows computer/machine certificate store, unless the user is an administrator. A computer certificate would normally be used for the AnyConnect Management tunnel, which would be initiated automatically by the computer (when a user is not logged in).
HTH
07-22-2020 12:55 PM - edited 07-22-2020 12:55 PM
Please see the following section of the AnyConnect Admin Guide for instructions on how to direct use of the machine certificate store: