Certificates and VPNs

Unanswered Question
Aug 26th, 2010

I am testing a VPN using certificates.

I have trial certs from Thawte.

When I registered for the certificates I didn't link the two in any way.

I have installed the certs on the two ASAs, along with the root CA, and the VPN is working fine.

My question is: what stops someone else from getting a trial cert from Thawte that will be trusted by my two ASAs?

And how will this be different when I move to "paid" certificates?

If the cert is issued by my trusted root CA, will the firewalls blindly accept it?

Atri Basu Thu, 08/26/2010 - 07:09

Hey Martin,

To answer your question, nothing stops someone from getting a cert that is trusted by your ASA. However, if your concern is whether someone else will be able to build a tunnel to your ASA, then as long as you don't have that ASA's IP address configured as a peer, they will not be able to set up a tunnel with the ASA.

Regarding the trial certificate, many of the commercial certificate authorities will provide free certificates, at least for e-mail encryption use. However, most of these 'free' certificates are short trial certificates, good for 30 to 60 days at most. However, there are a few certificate authorities which do issue more than basic trial certificates. One of these is Thawte. In addition to their various paid certificates, Thawte offers free personal certificates which can be used for encrypting e-mail and digitally signing messages. The base certificate simply incorporates your e-mail address. By participating in their web of trust, you can include additional information, such as your name. To do this, you must accumulate 50 trust points from Thawte notaries. If you don't happen to live near any Thawte notaries, there is a trusted third party (TTP) program, but it is associated with a $25 processing fee.

I hope that answers your questions.



martinbuffleo Thu, 08/26/2010 - 07:58

I'm using certificates to protect a dynamic hub-and-spoke environment.

So my Hub will be configured to accept tunnels from any IP address.

So someone with a rogue, yet trusted, cert that they purchased from Thawte could install it on an ASA and configure it to connect to my ASA.

That seems less secure than PSK.

Unless I use an internal Certificate authority.

Atri Basu Thu, 08/26/2010 - 08:00

Hey Martin,

Let me confirm this; however, as I see it now, yes, for dynamic hub topologies internal CA servers are definitely a more secure option.
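The distinction the thread circles around, that a trustpoint on its own only proves a certificate came from a CA the hub trusts, while the hub must separately decide which subjects are allowed to connect, as an added Python model that is not part of the discussion or of any Cisco code. Certificate fields, CA names and spoke hostnames are constructed; the identity check stands in for an ASA certificate map matching subject attributes.

```python
# Added example (not from the thread): models the two separate decisions a VPN hub
# makes when a peer presents a certificate. Chain trust ("was this issued by a CA I
# trust?") is not the same as peer authorization ("is this a spoke I expect?").
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_cn: str   # who the certificate claims to be
    issuer: str       # CA that signed it


# Constructed sample data; all names are hypothetical.
PUBLIC_ROOTS = {"Public Trial CA Root"}          # public CA root installed on the hub
INTERNAL_ROOTS = {"Corp Internal CA"}            # what the hub trusts with an internal CA
ALLOWED_SPOKES = {"spoke1.example.net", "spoke2.example.net"}  # explicit peer allow-list

LEGIT_SPOKE = Cert("spoke1.example.net", "Public Trial CA Root")
ROGUE_SPOKE = Cert("attacker.example.org", "Public Trial CA Root")  # same CA, other buyer
SELF_SIGNED = Cert("spoke1.example.net", "attacker.example.org")    # forged CN, untrusted CA


def chain_trusted(cert, roots):
    """Step 1: the only thing a trustpoint by itself establishes."""
    return cert.issuer in roots


def authorized_peer(cert, allowed=ALLOWED_SPOKES):
    """Step 2: identity policy, e.g. a certificate map on subject attributes."""
    return cert.subject_cn in allowed


def accept_tunnel(cert, roots=PUBLIC_ROOTS, enforce_identity=True):
    """Decide whether a dynamic (any-IP) hub should bring up a tunnel for this peer."""
    if not chain_trusted(cert, roots):
        return "rejected: untrusted issuer"
    if enforce_identity and not authorized_peer(cert):
        return "rejected: trusted CA but not an authorized peer"
    return "accepted"


if __name__ == "__main__":
    for label, c in [("legit", LEGIT_SPOKE), ("rogue", ROGUE_SPOKE), ("forged", SELF_SIGNED)]:
        print(f"{label:6} public CA, no identity check : {accept_tunnel(c, enforce_identity=False)}")
        print(f"{label:6} public CA, identity check    : {accept_tunnel(c)}")
        print(f"{label:6} internal CA only             : {accept_tunnel(c, INTERNAL_ROOTS)}")
```

With a public CA and no identity policy the rogue certificate is accepted exactly as the question feared; pinning the expected subjects, or trusting only an internal CA, closes that gap.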



