Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3450
Views
5
Helpful
3
Replies

Windows 2008R2 - ASA SSL certificate problem

valerio galantini
Level 1
Level 1

‎10-09-2012 03:13 AM

Hello everyone,

I'm currently dealing with a problem related to the integration between the a cisco ASA 5510 and an AD Microsoft CA on a Windows2008R2.

I'm basically trying to enroll the ASA in the CA and get a certificate for the ASA to use for SSL VPNs.

I'm using SCEP enrollment and I've set up NDEP on the Win2008 CA.

Everything seems to be working just fine and I get the certificate but If I assign it to the interface, first the client receives a warning and then a blank page is shown (everything works just fine with the ASA self-signed certificate).

The problem looks like to be related to the purpose of the keys (key usage field) which is not Server authentication.

The certificate is automatically generated using the IPSec (offline) template.

Does anyone know how to get a working certificate?

Valerio Galantini

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Javier Portuguez
Level 9
Level 9

‎10-09-2012 05:37 AM

Hi Valerio,

Instead of doing it via SCEP, I would recommend to you to go to: http://yourserverip/certsrv, pick up the correct template (Web server) and enroll the ASA manually.

ASA 8.x Manually Install 3rd Party  Vendor Certificates for use with WebVPN Configuration Example

Thanks.

Portu.

Please rate any helpful posts.

valerio galantini
Level 1
Level 1
In response to Javier Portuguez

‎10-09-2012 07:48 AM

Hi Javier,

thanks for your answer. I've already tried to export the csr and use it to get a certificate off-line but when I submit the csr to the CA I get an error that says that no template information is contained in the request.

I guess I just have to post the problem to Micorosoft I think anyway that a guide by Cisco like the one for the Win2003 CA would be helpfull though..

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to valerio galantini

‎10-09-2012 07:58 AM

Valerio,

I agree with you.

We are working on updating our docs.

Thanks.

Portu.

Please rate any helpful posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents