user authentication with certificates for remote site vpn

Jun 25th, 2008

Hi all

We are planning to authenticate the remote site VPN users using certificates; presently they are authenticating with an ADS server. We are planning to use our own certificate server. Can anybody tell me how to configure certificate authentication for the remote site VPN?

Any documentation would really help me.

thanks in advance

Wed, 06/25/2008 - 05:11

If you use ASA:

Look at ASA/PIX 7.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example


ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example


If you use an IOS router:

Configuring IPSec Between Cisco IOS Routers and Cisco VPN Client Using Entrust Certificates


I hope this helps.

Best regards.


psureshrao Wed, 06/25/2008 - 06:10

Thanks for the reply.

I will check and reply back.

Is there any datasheet or RFC document on how exactly certification works as authentication?

How does the ASA get a certificate from the CA server (which ports will it use, and how exactly does it work)?

psureshrao Wed, 06/25/2008 - 06:25

Here we are not pointing to any particular CA server; how does the ASA know the CA server and download the certificate?

srue Wed, 06/25/2008 - 19:41

Refer to the documentation for the "crypto ca trustpoint", "crypto ca authenticate" and "crypto ca enroll" commands.
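The three commands named above, shown end to end as an added configuration example for an ASA enrolling with an external CA over SCEP; this is not code from this thread or from Cisco's documents, and the trustpoint name, key label, FQDN, CA URL and tunnel-group name are placeholders:

```cisco
! Added example, not from the thread. All names and URLs are placeholders.
!
! 1. Key pair that the ASA's identity certificate will be bound to.
crypto key generate rsa label VPN-KEY modulus 2048
!
! 2. Trustpoint: "enrollment url" is how the ASA learns where the CA is.
!    SCEP runs over plain HTTP, so this is TCP/80 unless the URL says otherwise;
!    replace the path with the SCEP URL your CA publishes.
crypto ca trustpoint EXT-CA
 enrollment url http://ca.example.com/scep
 subject-name CN=vpn.example.com,OU=NetOps,O=Example
 fqdn vpn.example.com
 keypair VPN-KEY
 revocation-check crl
!
! 3. Download the CA certificate. The ASA prints its fingerprint and asks
!    you to accept it; compare that fingerprint with the CA operator out of
!    band first, since every later peer certificate is trusted through it.
crypto ca authenticate EXT-CA
!
! 4. Request the ASA's own identity certificate (the CA's challenge
!    password is asked for interactively). The issued certificate is stored
!    in the ASA's configuration under the trustpoint, not as a separate file.
crypto ca enroll EXT-CA
!
! 5. Authenticate IKE peers with RSA signatures instead of a pre-shared key,
!    and tell the remote-access tunnel group which trustpoint to present.
crypto isakmp enable outside
crypto isakmp identity auto
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN ipsec-attributes
 trust-point EXT-CA
!
! 6. Verify that both the CA certificate and the identity certificate are present.
show crypto ca certificates
show crypto ca trustpoints
```

The VPN client side then needs a certificate issued by the same CA (or one the ASA has a trustpoint for), which is what the Microsoft CA configuration examples linked earlier in the thread walk through.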

psureshrao Thu, 06/26/2008 - 01:13

First of all, thanks for the reply.

Here I want to use a separate server.

After initiating the command `crypto ca enroll CA`, how does it point to the third-party server (how does it find the certificate server)?

How does it receive the certificate, and where will the ASA save it?

If you need any updates from me, I will provide my inputs.

rcullum Wed, 01/27/2010 - 06:48

You need to import the CA certificate that signed your client certificate into your ASA. Then tick the 'Require client certificate' option under Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles. Then in your connection profile choose the auth method as AAA, as you are not doing cert auth. When you connect to the ASA with your IE browser, you should be prompted to choose a client certificate to use for your connection to the ASA. I don't think this works for Firefox as it won't have access to your Windows certificate store. The ASA should look through all its CA trustpoints to find one that matches the CA that signed your client cert, thereby validating your identity. I have only tried this with a Windows user certificate, not a machine certificate.