Site-to-Site VPN with Certificate

bapatsubodh
Level 1

Hi,

I configured a site-to-site VPN with digital certificates and a Microsoft CA.

Some things are not clear to me.

1. When a CSR is generated, it is signed by the private key generated by the ASA. This CSR is sent to the Microsoft CA to generate the identity certificate.

2. When we give this request to the Microsoft CA, it is encrypted by the private key and we are not sharing the public key with the Microsoft CA. It is not clear how the CA will decide that this request is true, is coming from the legitimate user, and is original.

3. If the CA is not able to decrypt the CSR request, how can it give us the identity certificate?

4. If the CA assumes that the CSR is true and original, it generates the identity certificate on the CSR (which is scrambled data).

5. We will install the identity certificate and also the CA certificate, which is the CA public key, on the ASA.

When certificates are exchanged, what can be verified from the received certificate? The only thing we specify in the ASA is the peer IP address. There is nothing more than this in the ASA which it can check against the received certificate. Or is there anything else that can be checked to see that the certificate we have received is from the correct ASA with which we are peering?

Please check the following URL on Cisco's website, which tells how to configure the VPN with certificates, but at step 7 of the site-to-site VPN configuration it says that we are using a pre-shared key instead of a certificate.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

I searched on Google a lot, but most of the documents give the procedure for how to create a CSR, get the certificate from the CA and install it. I am still not clear on the above-mentioned points.

Please share your experience; any good URL is appreciated.

Thanks in advance

Subodh

1 Reply

Marcin Latosiewicz
Cisco Employee

Subodh,

1. OK

2. Password protection for example.

3. If cannot.

4. I would not call it "scrambled".

5. Private key is never shared.

If you want to see an example of the data in a certificate, go to your internet banking site and press the little lock icon.

Here's an example (attached).

Wikipedia has VERY good documents regarding PKI, maybe not too much about theory but some.

Let me know what further questions you might have.

Marcin
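
The CSR mechanics raised in points 1 to 4, as an added example that is not part of either post: a PKCS#10 request is signed rather than encrypted, it carries the requester's public key, and the CA checks the signature with that embedded key. It uses the OpenSSL command line in place of the ASA and Microsoft CA tooling, and the host name and file names are constructed placeholders. The signature proves only possession of the private key; whether the requester is entitled to the name is a separate check by the CA.

```shell
#!/usr/bin/env bash
# Added example. Host name and file names are constructed placeholders.
WORK=$(mktemp -d)

make_csr() {
    # The key pair is generated by the requester (the ASA in the thread);
    # only asa.csr is ever handed to the CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/asa.key" -out "$WORK/asa.csr" \
        -subj "/O=Example/CN=asa-site-a.example.test" 2>/dev/null
}

csr_subject() {
    # The request is plain ASN.1, not ciphertext: anyone can read it.
    openssl req -in "$WORK/asa.csr" -noout -subject
}

csr_pubkey_matches_key() {
    # The public key travels inside the CSR; the private key does not.
    from_csr=$(openssl req -in "$WORK/asa.csr" -noout -pubkey)
    from_key=$(openssl pkey -in "$WORK/asa.key" -pubout)
    [ "$from_csr" = "$from_key" ] && ! grep -q "PRIVATE KEY" "$WORK/asa.csr"
}

csr_signature_ok() {
    # $1 = file, $2 = PEM|DER. Checks the CSR's self-signature with the
    # public key embedded in the same CSR (proof of possession).
    openssl req -in "$1" -inform "$2" -noout -verify 2>&1 | grep -q "verify OK"
}

tamper_csr() {
    # Change one character of the subject in the DER bytes (same length,
    # so the structure still parses) without re-signing.
    openssl req -in "$WORK/asa.csr" -outform DER |
        LC_ALL=C sed 's/asa-site-a/asa-site-b/' > "$WORK/tampered.der"
}

make_csr
csr_subject
csr_pubkey_matches_key && echo "public key in CSR matches the private key"
csr_signature_ok "$WORK/asa.csr" PEM && echo "original CSR: signature valid"
tamper_csr
csr_signature_ok "$WORK/tampered.der" DER || echo "tampered CSR: signature rejected"
```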