I'm working on deploying AnyConnect SSL VPN and am looking to secure the connection with a certificate that is NOT provided by the ASA's internal CA or a 3rd party. What I would like to do is have our domain CA (MS) sign off on the certificate - that way all laptop users who connect to VPN will accept the certificate without prompting.
Is there any kind of Cisco document that outlines this specific case? I've looked at Cisco configuration documents that show:
- manually install 3rd party vendor certs for SSL VPN (i.e. Verisign)
- obtain digital certificates for ASA from an MS CA (this only issues IPsec certificates for users - the ASA throws an error about the EKU not specifying the server authentication role)
- renew/install the SSL certificate with ASDM (only applies to self-signed certs)
- reviewed the AnyConnect Administrator Guide
I found two similar posts in the Community, but there is no definitive answer from anyone as to whether or not this is possible.
I would appreciate any feedback. I may have to end up copying the ASA self-signed certificate to all VPN user laptops :S
You treat the SSL VPN like a web server. Create a 3rd party signing request, load it on your MS CA and select the web server profile. You will need both the CA cert and the identification cert. You load the CA cert first, then the identity cert.
You then attach the cert to an interface.
I did this on my internal interface so that the customization pages would stop giving me cert errors in my browser. I went with a proper public 3rd party cert for the external interface since I expect non-domain machines to connect, and telling users how to install certs is a pain.
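The workflow described in the answer above, written out as an ASA CLI example (added here; not from the original post or from Cisco documentation). The trustpoint name MS-CA, keypair label VPN-KEY, hostname vpn.example.com, interface name "outside" and the file names are assumed placeholders; the certreq line is the Windows-side step that selects the Web Server template, which is what gives the issued certificate the Server Authentication EKU the ASA insists on.

```cisco
! ASA side: an RSA keypair and a trustpoint pointing at the domain (MS) CA.
! "enrollment terminal" means the CSR is printed on screen and the
! certificates are pasted back in as Base-64 (PEM) text.
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint MS-CA
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp
 keypair VPN-KEY
exit

! 1. Generate the CSR; copy the PEM block it prints into request.csr.
crypto ca enroll MS-CA

! 2. On a domain host with the certreq tool, submit the CSR against the
!    Web Server template (not a user/IPsec template), then export the
!    CA's own certificate as Base-64 (ca.cer). Assumed file names:
!      certreq -submit -attrib "CertificateTemplate:WebServer" request.csr vpn.cer

! 3. Import the CA certificate first (paste ca.cer, finish with "quit").
crypto ca authenticate MS-CA

! 4. Then import the identity certificate issued to the ASA (paste vpn.cer).
crypto ca import MS-CA certificate

! 5. Bind the trustpoint to the interface that serves AnyConnect clients.
ssl trust-point MS-CA outside

! Check: the trustpoint should now list both the CA and the identity cert.
show crypto ca certificates MS-CA
```

Domain-joined laptops already trust the domain CA through Group Policy, so they accept the ASA's certificate without prompting; machines outside the domain still need the CA certificate installed or a public CA, as the answer notes.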