SSL VPN using MS CA

gregbeifuss (Level 1)

I'm working on deploying AnyConnect SSL VPN and am looking to secure the connection with a certificate that is NOT provided by the ASA's internal CA or a 3rd party. What I would like to do is have our domain CA (MS) sign off on the certificate - that way all laptop users who connect to VPN will accept the certificate without prompting.

Is there any kind of Cisco document that outlines this specific case? I've looked at Cisco configuration documents that show:

- manually install 3rd party vendor certs for SSL VPN (i.e. Verisign)
- obtain digital certificates for ASA from an MS CA (this only issues IPSec certificates for users; the ASA throws an error about the EKU not specifying the server authentication role)
- renew/install the SSL certificate with ASDM (only applies to self-signed certs)
- reviewed the AnyConnect administrator guide

I found two similar posts in the Community, but there is no definitive answer from anyone as to whether or not this is possible.

https://supportforums.cisco.com/message/259286#259286

https://supportforums.cisco.com/message/1324901#1324901

I would appreciate any feedback. I may have to end up copying the ASA self-signed certificate to all VPN user laptops :S

Greg

Accepted Solution

dbgreekas (Level 1)

You treat the SSL VPN like a web server. Create a 3rd party signing request, load it on your MS CA and select the webserver profile. You will need both the CA cert and the identification cert. You load the CA cert first, then the identity cert.

You then attach the cert to an interface.

I did this on my internal interface so that the customization pages would stop giving me cert errors in my browser. I went with a proper public 3rd party cert for the external interface since I expect non-domain machines to connect, and telling users how to install certs is a pain.


2 Replies


gregbeifuss (Level 1)

I ended up following "ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example" (Document ID: 100413) and the advice to choose the 'webserver' profile when selecting which certificate type I wanted. I also had to ensure that the 'advanced' tab (when generating the CSR on the ASA) was giving the proper external DNS answer and not the internal name.
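The two failure modes in this thread (an IPSec/user template that leaves out the server-authentication EKU, and a CSR carrying the internal name instead of the external one) can be reproduced and checked offline with openssl before anything is pasted into the ASA. The script below is an added example written for this page, not code from the thread or from Cisco: it stands up a throwaway CA in place of the MS enterprise CA, signs the same kind of CSR under a "webserver"-like and an "ipsec-user"-like template, and then runs the checks the ASA applies when you bind the certificate with `ssl trust-point`. The names `vpn.example.com`, `asa.corp.local` and the trustpoint `DOMAIN-CA` are assumptions; the extension sets modelling the two Microsoft templates (serverAuth for Web Server, clientAuth plus IKE Intermediate 1.3.6.1.5.5.8.2.2 for IPSec) are an approximation of what those templates issue.

```shell
#!/bin/sh
# Added example (not from the thread): model the MS CA template choice with
# openssl and check the issued certificate the way the ASA will before it is
# accepted as the SSL VPN identity. Assumes openssl on PATH. All names and
# the constructed CA below are illustrative, not the poster's environment.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
EXT_FQDN="vpn.example.com"   # assumed: the name users type into AnyConnect
INT_FQDN="asa.corp.local"    # assumed: the internal hostname the ASA knows itself by

# --- constructed domain CA (in production this is the MS enterprise CA) ---
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Domain CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# make_csr NAME FQDN: the CSR the ASA emits once the trustpoint's fqdn/subject-name is set
make_csr() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$2" > "$WORK/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_with_template TEMPLATE NAME FQDN: the "certificate template" picked on the CA web page
sign_with_template() {
  case "$1" in
    webserver)   # Web Server template: serverAuth EKU, SAN for the requested name
      printf 'extendedKeyUsage = serverAuth\nkeyUsage = critical, digitalSignature, keyEncipherment\nsubjectAltName = DNS:%s\n' "$3" ;;
    ipsec-user)  # IPSec/user template (approximation): clientAuth + IKE Intermediate, no serverAuth
      printf 'extendedKeyUsage = clientAuth, 1.3.6.1.5.5.8.2.2\nkeyUsage = critical, digitalSignature, keyEncipherment\n' ;;
    *) echo "unknown template $1" >&2; return 2 ;;
  esac > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# check_asa_ssl_cert CERT CAFILE FQDN: returns 0 if CERT is usable as the ASA's
# SSL identity for FQDN, 1 with a reason on stdout otherwise.
check_asa_ssl_cert() {
  # 1. It must chain to the CA certificate, which is why the CA cert is loaded first.
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "FAIL $1: does not chain to $2"; return 1; }
  # 2. EKU must include serverAuth; this is the "EKU does not specify server
  #    authentication" rejection the IPSec/user template produces.
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL $1: EKU lacks serverAuth (wrong template?)"; return 1; }
  # 3. The name must be the external one, or domain clients still get a mismatch prompt.
  openssl x509 -in "$1" -noout -checkhost "$3" | grep -q ' does match ' \
    || { echo "FAIL $1: not issued for $3"; return 1; }
  echo "OK   $1: chains to CA, serverAuth EKU, valid for $3"
}

make_csr ext      "$EXT_FQDN"; sign_with_template webserver  ext      "$EXT_FQDN"
make_csr ipsec    "$EXT_FQDN"; sign_with_template ipsec-user ipsec    "$EXT_FQDN"
make_csr internal "$INT_FQDN"; sign_with_template webserver  internal "$INT_FQDN"

for name in ext ipsec internal; do
  check_asa_ssl_cert "$WORK/$name.pem" "$WORK/ca.pem" "$EXT_FQDN" || true
done

# The ASA side of the same procedure (trustpoint and key label names are assumptions):
#   crypto key generate rsa label VPN-KEY modulus 2048
#   crypto ca trustpoint DOMAIN-CA
#     enrollment terminal
#     keypair VPN-KEY
#     fqdn vpn.example.com
#     subject-name CN=vpn.example.com
#   crypto ca enroll DOMAIN-CA              ! paste the CSR into the MS CA, template "Web Server"
#   crypto ca authenticate DOMAIN-CA        ! paste the CA certificate first
#   crypto ca import DOMAIN-CA certificate  ! then the issued identity certificate
#   ssl trust-point DOMAIN-CA outside
```

Run it with `sh`; the loop prints one OK line for the Web Server-template certificate issued for the external name and a FAIL line each for the IPSec-template certificate (no serverAuth) and for the certificate issued to the internal hostname. The order in the ASA comment block matters for the same reason as step 1 of the check: `crypto ca import` is refused until the trustpoint has been authenticated with the CA certificate.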
