Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.


Unanswered Question
Oct 29th, 2010
User Badges:

We have an ASA that configured as SSL portal. It has VeriSign as CA. I am wondering how the keys work.

My understanding is that, ASA sends its certificates with its public key to VeriSign. VeriSign then sends it to the user and encrypted with its private key. When the user gets it, it uses VeriSign’s public key to decrypt it and gets ASA’s public key.

The opposite happens and ASA gets user’s public key.

From then on, user and SSL start to communicate.

Is my understanding right?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Sat, 10/30/2010 - 20:38
User Badges:
  • Green, 3000 points or more


When you use digital certificates the ASA requires a key pair first.

The default pair of keys (or a new set) are required to send the public key in the certificate request to the CA.

This RSA keys can be used to authenticate the VPN connection (Site-to-Site IPsec or client-based IPsec or SSL) connections as well as to accept SSH connections.

Every device participating in PKI will send and make its public key available and will keep its private key privately.

If another device/user wants to send data to this one, it will use the public key to encrypt the data and only the corresponding receiver can decrypt the data with the private key (corresponding to the public key used to encrypt the data).

Just as a note, the ASA supports a Local CA functionality as well.

So, you can use an external CA server or the ASA itself can server as a basic CA server.

The ASA supports SCEP or manual certificate enrollments/requests.

In your case using SSL VPN client connections to the ASA and using Verisign as the CA entity your understanding is correct.


hanwucisco Mon, 11/01/2010 - 13:22
User Badges:

There are a couple of type of certificates under Remote Access VPN. One is CA certificate, the other is Identity Certificates. In the scenario I described, is the VeriSign’s public key stored under Identity or CA certificates? How about my ASA, where are its pair stored?



Federico Coto F... Mon, 11/01/2010 - 17:47
User Badges:
  • Green, 3000 points or more

To check the public keys associated with your device you can use the command:

sh cry key mypubkey rsa

You can check them on ASDM as well but I don't have the GUI right now.



This Discussion