Site-to-Site VPN with Certificate

Unanswered Question
Jul 5th, 2010


Configured the site-to-site VPN with digital certificate and Microsoft CA.

Some things are not celar to me.

1. When a CSR is generated it is signed by the private key generated by ASA. This CSR is  sent to Microsoft CA to generate the Identity certificate.

2. When we are giving the this request to Microsoft CA it is encrypted by private key and we are not sharing the public key with Microsoft CA not clear about how CA will decide that the this request is true and coming from the legitimate user and is original?

3. If CA is not able to decrypt the CSR request  how it can give us the Identity certificate?

4.If CA assumes that CSR is true and original it generates the identity certificate on the CSR ( which is a scrambled data ).

5. We will install the Identity certificate and also the CA certificate which is CA public key on ASA.

When Certificates are exchanged what can be verified from the received certificate ?  Only thing we specify in the ASA is the peer IP address. There is nothing more than this in the ASA which it can check with the received certificate.  Or is there anything else that can be checked to see that the certificate which we have received is from the correct ASA with which we are peering with.

Please check the following URL on cisco's website which tells how to configure the vpn with certificate but at step 7 of the configuration of site-to-site VPN it tells that we are using pre-shared key insted of certificate.

searched on google lots but most of the documents give the procedure about how to create CSR, get  the certificate from CA and install it. But I am still not clear with the above mentioned points.

Please share the experience or any good URL is appreciated.

Thanks in advance


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marcin Latosiewicz Tue, 07/06/2010 - 08:11


1. OK

2. Password protection for example.

3. If cannot.

4. I would not call it "scarmbled".

5. Private key is never shared.

If you want to know example of data in certifcate, go to your internat banking site and press the little lock icon.

Here's an example (attached).

Wikipedia has VERY good documents regarding PKI, maybe not tooo much about theory but some.

let me know which further questions you might have.



This Discussion