SSL VPN using MS CA

Answered Question
Dec 4th, 2009

I'm working on deploying AnyConnect SSL VPN and am looking to secure the connection with a certificate that is NOT provided by the ASA's internal CA or a 3rd party. What I would like to do is have our domain CA (MS) sign off on the certificate - that way all laptop users who connect to VPN will accept the certificate without prompting.

Is there any kind of Cisco document that outlines this specific case? I've looked at Cisco configuration documents that show:
- manually install 3rd party vendor certs for SSL VPN (i.e. Verisign)

- obtain digital certificates for ASA from an MS CA (this only issues IPSec certificates for users - the ASA throws an error about the EKU not specifying the server authentication role)

- renew/install the SSL certificate with ASDM (only applies to self-signed certs)

- reviewed the anyconnect administrator guide

I found two similar posts in the Community, but there is no definitive answer from anyone as to whether or not this is possible.

https://supportforums.cisco.com/message/259286#259286

https://supportforums.cisco.com/message/1324901#1324901

I would appreciate any feedback. I may have to end up copying the ASA self-signed certificate to all VPN user laptops :S

Greg

Correct Answer
dbgreekas Fri, 12/04/2009 - 22:59

You treat the SSL VPN like a web server. Create a 3rd party signing request, load it on your MS CA and select the webserver profile... You will need both the CA cert and the identification cert. You load the CA cert first then the identity cert.

You then attach the cert to an interface.

I did this on my internal interface so that the customization pages would stop giving me cert errors in my browser. I went with a proper public 3rd party cert for the external interface since I expect non-domain machines to connect, and telling users how to install certs is a pain.

gregbeifuss Mon, 12/07/2009 - 05:27

I ended up following "ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example" (Document ID: 100413) and the advice to choose the 'webserver' profile when selecting which certificate type I wanted. I also had to ensure that the 'advanced' tab (when generating the CSR on the ASA) was giving the proper external DNS answer and not the internal name.
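As an added example that is not part of this thread, the POSIX shell script below uses OpenSSL to check an issued certificate before it is loaded on the ASA for the two points raised above: the EKU must carry TLS Web Server Authentication (which the MS WebServer template adds and the IPsec/user template does not, hence the ASA error about the EKU), and the SAN must contain the external DNS name the AnyConnect clients connect to. The hostname and the throwaway CA are constructed for the demo and stand in for the real domain CA.

```shell
#!/bin/sh
# check_asa_cert verifies a certificate is usable for ASA SSL VPN:
# serverAuth EKU present and the external DNS name present in the SAN.
set -e
HOST=vpn.example.com   # constructed external name, not from the thread
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for the MS domain CA (constructed for this demo).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -subj "/CN=Demo Domain CA" -days 1 >/dev/null 2>&1

# CSR as the ASA should generate it: CN and SAN set to the EXTERNAL name,
# not the internal hostname.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/asa.key" \
  -out "$WORK/asa.csr" -subj "/CN=$HOST" \
  -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1

# issue_cert <eku> <outfile>: sign the CSR with the given EKU, the way a CA
# template does (serverAuth for WebServer, clientAuth for an IPsec user cert).
issue_cert() {
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$1" "$HOST" \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/asa.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ext.cnf" -out "$2" >/dev/null 2>&1
}

# check_asa_cert <certfile> <external name>: returns 0 if usable, 1 if not.
check_asa_cert() {
  cert=$1; name=$2
  openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Server Authentication' \
    || { echo "EKU lacks serverAuth: $cert"; return 1; }
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$name" \
    || { echo "SAN lacks $name: $cert"; return 1; }
  echo "OK for SSL VPN: $cert"
}

issue_cert clientAuth "$WORK/ipsec.crt"      # what the IPsec/user template yields
issue_cert serverAuth "$WORK/webserver.crt"  # what the WebServer template yields
```

Run `check_asa_cert "$WORK/webserver.crt" "$HOST"` and the same for `ipsec.crt` to see the WebServer-template certificate pass and the IPsec-template one fail on the EKU check.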
