Saturday, June 14, 2014

Adding a CA Root Certificate on the ASA

By default, the ASA device creates a self-signed certificate for SSL authentication. This is fine for a test or lab environment. However, when you allow access to remote users outside your organization, you will usually purchase a valid certificate from a recognized certificate authority (CA) and prevent them from receiving any browser warnings about your certificate being invalid.

The ASA has no CA root certificate installed by default. So, before you add an identity certificate for the ASA, you first need to add the certificate of the issuing CA from which you purchased your certificate. These are downloaded from the CA's website. A few locations to download common CA certificates are listed here:

* https://www.entrust.net/downloads/root_index.cfm

* https://support.globalsign.com/customer/portal/articles/1219303-serversign-root-certificates---downloads

* https://www.symantec.com/page.jsp?id=roots


Otherwise, you could use an in-house deployed CA. I've used my Cisco 871w router to act as my CA server for my PKI, which I posted on my other blog.

Now that you have your CA's root certificate, in the ASDM navigate to Configuration > Device Management > Certificate Management > CA Certificates and click the Add button on the right side.

Within the Install Certificate window, you have the option to enter a trustpoint name for the CA certificate you are importing. A trustpoint is used by the ASA as a container for CA and certificate information. It is generally advisable to enter the name of the root CA, which will make life a bit easier for you when you come to install new certificates or troubleshoot existing ones. You have three options for how to install the certificate, depending on how you retrieved the root certificate (downloaded it from the CA's site in a zip file, copied a base64 output to your Clipboard, or used Simple Certificate Enrollment Protocol [SCEP] to retrieve the file).

To use the configured identity certificate for the inbound clientless SSL VPN connections, we go to Configuration > Clientless SSL VPN Access > Connection Profiles > Device Certificate and choose the identity certificate from the drop-down menu.
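The same steps can be done from the ASA command line. The following is an added example, not configuration from the original post; the trustpoint name "ExampleRootCA" and the interface name "outside" are assumptions and should be replaced with your own.

```text
! Added example: CLI equivalent of the ASDM steps above.
! Assumed values: trustpoint "ExampleRootCA", interface "outside".
! 1. Create the trustpoint (the container for CA and identity certificate data)
!    and tell the ASA the CA certificate will be pasted in at the terminal.
crypto ca trustpoint ExampleRootCA
 enrollment terminal
!
! 2. Import the CA root certificate. When prompted, paste the base64 (PEM)
!    text of the root certificate, then type "quit" on its own line and
!    confirm the fingerprint shown against the one published by the CA.
crypto ca authenticate ExampleRootCA
!
! 3. Confirm the CA certificate is now held in the trustpoint.
show crypto ca certificates ExampleRootCA
!
! 4. Once the identity certificate has also been imported into the trustpoint,
!    bind it to the interface that terminates the clientless SSL VPN sessions
!    (the CLI equivalent of the Device Certificate drop-down).
ssl trust-point ExampleRootCA outside
```

Checking the fingerprint at step 2 against the CA's published value is what protects you from installing a tampered root certificate.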
