Importing self signed cert with vpn client

Unanswered Question
Sep 16th, 2010
User Badges:

I cannot find how to import to a cisco vpn client, a self signed certificate created on a ASA 5510 that runs software version 7.2(2) and  ASDM version 5.2(2). I believe I have everything configured properly and setup on the router via the ASDM but I cannot configure the client, I cannot get the ASDM to export certificate information in a usable formate to import to the client. Can someone outline this process for me or let me know if it is even possible to import a self signed cert, thank you.

Jesse Sole

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Atri Basu Wed, 09/29/2010 - 10:36
User Badges:
  • Cisco Employee,

I assume you are trying to configure remote access ipsec vpn with certificate authentication. If this is the case then you will find information on how to configure the VPN client at the following link:

You can ignore steps a -d as they are relevant only for an MS CA server. Instead in your case it appears as though you want to configure the local CA server on the ASA, and use that to generate certificates for the users. If this is the case then please follow the following steps:

In ASDM, go to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority. Click on CA Server. Check to enable the CA server. Fill out the form.
1)     Check "create certificate authority server"
2)     Type in a strong passphrase to protect your new root certificate
3)     Leave the rest of the top part of the form at the defaults
4)     Under "SMTP Server" enter the IP address of your corporate smtp mail server. This will be used to send enrollment emails to new users. It provides them with instructions on how to obtain their new identity certificate. Email is the preferred method for obtaining user certficates. However it can be done manually as I'll describe later.
5)     Add a "from address" and an email subject line
6)     Click Apply

Configure a trusted identity certificate on your ASA. It is important that you use an identity certificate from a trusted CA source for your ASA. An ASA identity certificate is the certificate that the ASA will hand out to the sslvpn clients that connect to it. In order for everything to work correctly the certificate must match the ASA hostname/IP address. Also, the end-users client must trust the CA that generated the ASA's identity certificate. A self-signed or other non-trusted CA cert is fine for testing but not for production. In fact, I recommend that you don't even bother testing without a full "real" ASA identity certificate at all. Too much could go wrong when you switch certificates later. Within ASDM you can sign up for a special promo certificate from Entrust if you'd like but any trusted public CA will do the trick.
To configure the identity certificate on your ASA do the following:
1)     First obtain your identity certificate. Make sure it is in PKCS12 format. Also, be sure it includes the complete certificate chain.
2)     Go to Configuration > Remote Access VPN > Certificate Management > Identity Certificates. Click Add.
3)     If your ASA will be in DNS then you can use the FQDN as the identifier in the certificate. If it will not be in DNS (only during testing, for production it must be in DNS) then be sure to use the IP address as the identifier.

Next you add users to the CA server. For each user created, the CA server will create a unique identity certificate for that user. The user will then need to install that certificate on their computer. Go to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Database.
1)     click Add
2)     Fill in the form. Be sure to include a subject name. If you will be using username pre-fill then be sure to include the username in the subject, i.e CN=.

3)     Next click "Email OTP". The ASA will then send an enrollment email to that user. They can then click on the link in the email to install the certificate on their PC.
4)     Optional: If you wish to manually enroll and obtain your certificate without email then go to https:///+CSCOCA+/enroll.html. Then follow the instructions. You will still need to have your One Time password (OTP) handy though. You can view the OTP in ASDM by selecting the user cert and clicking "view OTP".

Atri Basu Wed, 09/29/2010 - 10:39
User Badges:
  • Cisco Employee,

Please bear in mind you need to be running 8.x code version.

gillware1 Fri, 10/01/2010 - 05:23
User Badges:

Unfortunately I am running ASA version 7.2 and device type ASA5505, is there a way to configure the local CA server on this version to generate certificates with these types?

Atri Basu Fri, 10/01/2010 - 05:45
User Badges:
  • Cisco Employee,

Nope the Local CA server was introduce only in 8.x code. Anything below that will mean that you need to use another device like an IOS router or a Microsoft device to set up your CA server.

Atri Basu Tue, 10/05/2010 - 04:53
User Badges:
  • Cisco Employee,

If you have any further questions then please let me know. If not then please mark this question as answered as it will allow others who have similar issues to locate this answer more easily.


This Discussion