ASA - Public Certificate for SSL VPN

Unanswered Question
Aug 14th, 2007
User Badges:

Hey Netpros:


I'm having some difficulty finding good info on this topic.


Specifically, I've got an ASA that is used solely for SSL VPN access by users. I would like to register a public cert so the users aren't prompted with certificate errors when they connect, like they get with self signed cert.


Is there a comprehensive document on this topic along with which public CA providers can be used (godaddy, verisign, thawte, etc)?


Thanks!

Vance

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
irisrios Tue, 08/21/2007 - 06:05
User Badges:
  • Silver, 250 points or more

Type the IP address of the private interface from the web browser in order to enable the GUI interface.


The factory default username and password are admin which is case sensitive.


Once you are logged in as an Administrator, begin to install the SSL VPN Client software to the VPN Concentrator.


This step is required only when you upgrade a VPN Concentrator from an older release to 4.7. Choose Configuration > Tunneling and Security > WebVPN > Cisco SSL VPN Client in order to install the SSL VPN Client.

The interface that terminates the SSL VPN Client needs to have an SSL certificate associated with it.


Choose Administration > Certificate Management in order to confirm that SSL certificates are generated for the interfaces.


If the certificates are not generated you can generate them when you choose Generate. This is an option available under Actions in the SSL Certificates box for the respective interface

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008055641a.shtml



mstreet Wed, 08/22/2007 - 03:14
User Badges:

Hi Vance,

I just went through this on our ASA. I had the some problem finding documentation, basically I couldn't find anything other than the config guide.

We are using ASA v8 by the way. Actually. it turned out to be very simple.


First you need to get the certificate itself. The ASA config guide has a list of supported CA servers but I believe that is for use when the ASA is authenticating the certificate. In this case the client VPNing in from the internet will be authenticating the certificate so you just need to get one from the standard providers supported by default by IE and the other browsers. We used verisign. The provider will be supported providing their certificate is included in your clients browser. The providers certificate has to be there so the internet client can trust the organisation who is vouching for your firewall.


You need to get a certificate for the domain your users use to connect to your asa with. So if you have a registered domain mydomain.com which maps to your ASA's public ip address then you need a certificate for mydomain.com. Once you have the certificate the rest is easy. Using ASDM you import the root certificate from your CA provider (config-device-certificate management-ca certificates-add), you will be able to download this from them. This allows the firewall to be able to verify their identity. Then you just import the 'mydomain.com' certificate which is under the identity certificates option. Of course you must apply the certificate to the interface your vpn is terminating on.

That's it. It works straight away and no more ugly messages.


Hope that helps


cheers


Mike Street





Vance Krier Wed, 08/22/2007 - 10:32
User Badges:

Hi Mike,


Thanks for the info. You are exactly correct. I ended up opening a TAC case and they provided a nice step by step guide that I'll attach. I'm also running v8, so the guide isn't exactly right, but its close enough. Like you said, it's not hard to get working, just not entirely intuitive.


I ended up just picking up a cert from godaddy.com ($17/year) and I got it installed and working early this morning. Worked perfectly.


Thanks for the response, I'm sure I could have got it going based on the info you provided.


Vance

Actions

This Discussion