1880 Views, 15 Helpful, 7 Replies

Where is web page located in ASA when we set up Anyconnect VPN ?

eigrpy, Level 4

Hi, I would like to confirm that the certificate can work well. So, I need to copy a web page from one ASA to another for AnyConnect VPN and then test whether the certificate can work well. Now I need to know where the web page is in the ASA, or how the ASA associates with the web page. Can anyone give me some suggestions? Thank you.

2 Accepted Solutions

7 Replies

Marvin Rhoads, Hall of Fame

Do you mean the splash page that shows up when you access an ASA to establish a VPN connection? That's a default simple page whose elements are stored in a couple of hidden directories on all ASAs - /+CSCOE+ and /+CSCOU+ for unencrypted and encrypted page elements respectively. They are explained in detail in this document.

They can be customized via remote access VPN customization in ASDM but the default pages are not "copyable". The customization objects are stored in flash if you have done customization.

Generally speaking you cannot simply copy a certificate from one ASA to another without also having the same private key that was used to generate the certificate (if self-signed) or the CSR (if signed by an external CA).

Thank you so much for your reply, Marvin. If the case is ASA to a user's PC, instead of ASA to ASA, do you think I can copy the certificate from the ASA to the user's PC in order for the PC user to log onto the ASA through HTTPS? I guess the answer is no too?

"Do you mean the splash page that shows up when you access an ASA to establish a VPN connection?  ..." Yes

Certificate does not equal web page. A certificate provides information about the identity of a web page.

Whether it is self-signed or issued by a third party Certificate Authority (CA), you can export and install it on another ASA if you have both the certificate and the private key of the original ASA. Here is a document that explains how that is done.

The private key is usually the harder part. Unless you specify the key as exportable at creation time, by default it will not be so. 

Very good explanation! What is the relation between the private key and the certificate in the following?

" Whether it is self-signed or issued by a third party Certificate Authority (CA), you can export and install it on another ASA if you have both the certificate and the private key of the original ASA "

The private key that you mentioned is the identity certificate, right?

The private key is one part of the identity certificate. A certificate itself is signed by the private key of the issuing CA (or, in the case of self-signed, the device). In the case of a CA signing the certificate, the original device private key is linked via the issuance process which includes a certificate and private key that is installed on the server (the ASA here).

When secure communications are established, a server (ASA in the case we are discussing) presents the certificate (which includes the server's public key) as an assertion of identity. Only that server's private key (which is never shared with the client) can decrypt the return traffic in the secure session that's established. This is "key" (pun intended) to the concept of an asymmetric key algorithm. See the Wikipedia article on public-key cryptography for a very complete explanation of that concept.

The bottom line is that you need both the certificate and the private key for the server identity to be portable and/or ported to another replacement device.

If you're advancing your career in security, you would do well to study and learn PKI concepts. They are key to almost all modern systems that use cryptography (certificates, SSL/TLS, http2, etc.). And yes - it will be on the test.

Thank you so much for your excellent explanation and that link!

A certificate comprises three entities:
1. Certificate body.
2. Private key.
3. Public key.

When you create a certificate on your ASA/router, a pair of keys (private and public) is generated; the private key is not shared with anyone and the public key is shared with everyone.

These keys work in such a way that one key encrypts the data and the other decrypts, and vice versa.
Normally, when you say you have got the certificate, it incorporates the public key as well.

In this case, it states "you can export and install it on another ASA": since you created the certificate on the previous ASA, the private keys are present there and by default they are not shared. If you need to allow another ASA to encrypt the traffic, it has to be done via the private key, and thus they state you need to have both the certificate and the private key.

Hope this helps.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
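To make Marvin's point about portability and Dinesh's summary concrete, here is an added example (not from the thread, not Cisco's code) using openssl in a scratch directory: it generates a self-signed identity the way a device would, exports it both as a full PKCS#12 bundle and as a certificate-only bundle, then checks which bundle carries the private key and whether a given key file belongs to the certificate. The hostname and export password are constructed values.

```shell
# Added example: openssl stand-in for the export/import steps discussed in the thread.
# Hostname and export password are constructed values, not taken from any real device.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=exportpass

# Generate a private key plus self-signed certificate, as the original device did.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=vpn.example.test" \
    -keyout "$WORK/asa.key" -out "$WORK/asa.crt" >/dev/null 2>&1
}

# Full export: certificate and private key together in one password-protected PKCS#12.
export_full_bundle() {
  openssl pkcs12 -export -in "$WORK/asa.crt" -inkey "$WORK/asa.key" \
    -out "$WORK/full.p12" -passout "pass:$PASS"
}

# What "copying the certificate" alone gives you: a PKCS#12 with no private key in it.
export_cert_only_bundle() {
  openssl pkcs12 -export -nokeys -in "$WORK/asa.crt" \
    -out "$WORK/certonly.p12" -passout "pass:$PASS"
}

# Report whether a bundle carries a private key; prints cert+key or cert-only.
bundle_kind() {
  if openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null | grep -q "PRIVATE KEY"; then
    echo "cert+key"
  else
    echo "cert-only"
  fi
}

# Succeeds only if the public key in the certificate equals the one derived from the key file,
# i.e. this key is the one used when the certificate (or its CSR) was generated.
key_matches_cert() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

make_identity
export_full_bundle
export_cert_only_bundle
# A fresh key generated on the replacement device does not match the exported certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
echo "full.p12:     $(bundle_kind "$WORK/full.p12")"
echo "certonly.p12: $(bundle_kind "$WORK/certonly.p12")"
key_matches_cert "$WORK/asa.crt" "$WORK/asa.key" && echo "asa.key matches asa.crt"
key_matches_cert "$WORK/asa.crt" "$WORK/other.key" || echo "other.key does not match asa.crt"
```

The same public-key comparison is the check to run before importing a bundle on the replacement device: if the key file does not match the certificate, the identity is not portable no matter how the certificate was obtained.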