Please, I need some clarification and help with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
I have my root certificate from the Microsoft CA but am not quite sure if the outlined steps on the Cisco websites below are exactly what I need, since the firewall seems to be generating the certificate to be used.
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA.
The DHCP pool is to be issued by the domain controller on the inside network and not by the firewall.
Any examples or best practice steps to achieve this will be really appreciated.
Let me briefly explain how PKI authentication works:
In a PKI setup, devices do not trust each other directly; they trust a Certificate Authority, which is the one that issues certificates. We call this the Root CA (there might be more complex setups where intermediate CAs are involved, but that's another story). So when the Root CA issues a certificate, it signs it with its private key. To be able to verify this signature, one should have the CA public key, which is included in the CA certificate.
So for Certificate authentication, you have to create a trustpoint, which will define the parameters of the Root CA.
Then you will authenticate this trustpoint, which means basically you'll get the Root CA Certificate and store it locally.
After that, you enroll to that CA, which means you'll request (and get) your own certificate.
Other users will do the same, and will have the same Root CA certificate, but different personal (identity) certificates.
So what happens upon authentication is that both ends send their certificate to the other, and they use the public key contained in the Root CA certificate to validate the signature of the certificate received from the remote peer. If the signature is correct, that means the Root CA actually issued this certificate, and that remote peer can be trusted (or not).
Hope this is clear.
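The steps in the answer above (create the trustpoint, authenticate it, enroll, then tie certificate authentication and CRL checking to the remote-access tunnel-group, with addresses handed out by the inside domain controller rather than an ASA pool) as one ASA 8.3 configuration fragment. This is an added example, not configuration from the original post or from Cisco; the trustpoint name MS-CA, the hostname asa.example.com, the organization Example, the domain-controller address 10.1.1.10 and the group-policy and tunnel-group names are assumptions, and it shows the AnyConnect SSL case. Note that the ASA only generates its own key pair and a certificate request; the identity certificate itself is still issued by the Microsoft CA.

```text
! Added example; MS-CA, asa.example.com, Example, 10.1.1.10, CERT-GP and
! CERT-TG are assumed names. ASA 8.3 syntax, AnyConnect (SSL) remote access
! with certificate-only authentication.

! 1. Key pair the ASA identity certificate will be bound to.
crypto key generate rsa label ASA-KEY modulus 2048

! 2. Trustpoint describing the Microsoft root CA.
!    "enrollment terminal" = cut-and-paste PEM through the console.
!    With NDES on the CA you can use "enrollment url <SCEP url>" instead.
!    "policy cdp" makes the ASA fetch the CRL from the CDP URL carried in
!    each client certificate, so an HTTP CDP must be reachable from the ASA.
crypto ca trustpoint MS-CA
 enrollment terminal
 fqdn asa.example.com
 subject-name CN=asa.example.com,O=Example
 keypair ASA-KEY
 revocation-check crl
 crl configure
  policy cdp
  cache-time 60
 exit
exit

! 3. Authenticate the trustpoint: paste the base64 root CA certificate
!    when prompted and accept the fingerprint.
crypto ca authenticate MS-CA

! 4. Enroll: the ASA prints a CSR. Submit it to the Microsoft CA
!    (web enrollment, server/computer template), then paste the issued
!    identity certificate back in.
crypto ca enroll MS-CA
crypto ca import MS-CA certificate

! 5. Present the identity certificate to SSL VPN clients on the outside.
ssl trust-point MS-CA outside

! 6. Client addresses come from the domain controller's DHCP scope,
!    not from an ASA address pool.
vpn-addr-assign dhcp
group-policy CERT-GP internal
group-policy CERT-GP attributes
 vpn-tunnel-protocol svc
 dhcp-network-scope 10.1.1.0
exit

tunnel-group CERT-TG type remote-access
tunnel-group CERT-TG general-attributes
 default-group-policy CERT-GP
 dhcp-server 10.1.1.10
exit
tunnel-group CERT-TG webvpn-attributes
 authentication certificate
exit

! 7. Only certificates whose issuer matches our CA land in this
!    tunnel-group; anything else does not get a session.
crypto ca certificate map MS-CA-MAP 10
 issuer-name attr o eq Example
exit
webvpn
 certificate-group-map MS-CA-MAP 10 CERT-TG
exit
```

After step 4, `show crypto ca certificates` should list both the CA certificate and the ASA identity certificate under MS-CA, and after the first client connects `show crypto ca crls` shows the fetched CRL and its next-update time. If the CRL cannot be downloaded the connection fails closed because of `revocation-check crl`; if the Windows CA only publishes an LDAP CDP, add an HTTP CDP on the CA (or use `policy static` with an explicit `url` under `crl configure`) before rolling this out to users.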