Has anyone put a 3rd party (e.g. Verisign) SSL cert on an ASA for WebVPN? I am having trouble finding documentation describing how I generate the certificate request and specify the info like company name, city etc... for the request. Please could someone point me in the correct direction?
I think the following link will help you in sending an SSL certificate request.
You probably already did this, but I'll post it in case anyone else needs this info.
RSA keys are probably already generated (also needed for SSH access), but if you ever need to reissue the cert, regenerate the RSA keys, otherwise the CSR will be exactly the same and not accepted by the 3rd party CA:
crypto key generate rsa
Then define the trustpoint:
crypto ca trustpoint Verisign
Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)):
crypto ca authenticate Verisign
<paste the CA certificate here; ---BEGIN--- or ---END--- lines do not matter>
INFO: Certificate has the following attributes:
Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Generate the CSR:
crypto ca enroll Verisign
% Start certificate enrollment ..
% The subject name in the certificate will be: xxxx
% The fully-qualified domain name in the certificate will be: hostname.domain.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
Notice this is generated without ---BEGIN--- and ---END--- lines, which you do need to add when submitting the form to the 3rd party CA.
After successful verification by the CA you'll be returned a certificate which you can import with or without the ---BEGIN--- and ---END--- lines, so you might as well just copy the complete text:
crypto ca import Verisign certificate
% The fully-qualified domain name in the certificate will be: xxx.domain.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
INFO: Certificate successfully imported
Make sure you activate the trustpoint, either for use on all interfaces or on a specific interface, using:
ssl trust-point thawte.com [interface]
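Two hand-offs in the procedure above are where pastes go wrong: the ASA prints the CSR as bare base64 with no ---BEGIN--- / ---END--- lines (the CA's form wants them), and the CA certificate you accept at "crypto ca authenticate" should be checked against the fingerprint the ASA displays before answering "yes". The following Python helpers are an added example, not code from the thread or from Cisco. They assume the terminal capture looks like the transcript in the post, and they assume (this is not confirmed by the thread) that the ASA "Fingerprint:" line is the MD5 of the DER-encoded certificate printed as four groups of eight hex digits. The sample CSR bytes are constructed, not a real request.

```python
"""Helpers for moving base64/PEM material between an ASA terminal and a
third-party CA form.  Added example, not from the thread.  Assumptions:
the paste looks like the transcript in the post, and the ASA
'Fingerprint:' line is MD5(DER) shown as four groups of eight hex digits.
"""
import base64
import binascii
import hashlib
import re

# Prompt answers that would otherwise pass the base64 character filter.
_PROMPT_WORDS = {"quit", "yes", "no"}
_B64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def extract_base64(terminal_text: str) -> str:
    """Pull the base64 body out of a pasted terminal capture or PEM file.

    Prompt lines contain spaces, armor and ASA marker lines start with '-',
    so only unbroken base64 lines survive.
    """
    body = []
    for line in terminal_text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or line in _PROMPT_WORDS:
            continue
        if _B64_LINE.fullmatch(line):
            body.append(line)
    return "".join(body)


def check_der_sequence(b64_body: str) -> bool:
    """True if the body is valid base64 whose first byte is the DER SEQUENCE
    tag (0x30), which every X.509 certificate and PKCS#10 request starts
    with.  A stray prompt word or a truncated paste fails this check."""
    try:
        raw = base64.b64decode(b64_body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and raw[0] == 0x30


def to_pem(b64_body: str, label: str) -> str:
    """Add the BEGIN/END armor the CA form expects, 64 characters per line."""
    if not check_der_sequence(b64_body):
        raise ValueError("body is not base64-encoded DER; check the paste")
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


def asa_fingerprint(der: bytes) -> str:
    """Format MD5(DER) the way the ASA prints 'Fingerprint:' (assumption)."""
    digest = hashlib.md5(der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def fingerprint_matches(der: bytes, shown: str) -> bool:
    """Compare the fingerprint the ASA shows at 'crypto ca authenticate'
    with one computed from a CA certificate obtained out of band."""
    def normalise(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return normalise(asa_fingerprint(der)) == normalise(shown)


# Constructed sample: a DER SEQUENCE holding an INTEGER and an OCTET STRING,
# standing in for a real CSR so the example runs offline.
_payload = b"constructed sample, not a real CSR".ljust(60, b".")
_inner = b"\x02\x01\x2a" + bytes([0x04, len(_payload)]) + _payload
SAMPLE_DER = bytes([0x30, len(_inner)]) + _inner
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

# Constructed terminal capture in the shape the post shows.
SAMPLE_TERMINAL = "\n".join([
    "Certificate Request follows:",
    "",
    SAMPLE_B64[:64],
    SAMPLE_B64[64:],
    "---End - This line not part of the certificate request---",
    "",
    "Redisplay enrollment request? [yes/no]: no",
])

if __name__ == "__main__":
    body = extract_base64(SAMPLE_TERMINAL)
    print(to_pem(body, "CERTIFICATE REQUEST"))
    print("Fingerprint:", asa_fingerprint(SAMPLE_DER))
```

Paste the "Certificate Request follows:" section of the terminal into extract_base64, feed the result to to_pem with the label CERTIFICATE REQUEST for the CA form, and use extract_base64 again on the returned certificate (armor or not) before pasting it into "crypto ca import". For the CA certificate, compute asa_fingerprint over the DER bytes of the root you obtained from the CA and compare it with the value the ASA prints before you accept the trustpoint.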
I can see you said "Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)): ". What does this mean?
For example I want to apply for a certificate from Verisign, so which CA cert should I import? Where can I get that?
I tried to export a Root class3 from IE, and download one from verisign website, they all do not work.
Hi Ed, I'm installing now also WebVPN with a certificate from Thawte. Can you please send me a config example how you did that?
Thanks and regards
I think the point is the CA certificate. You'd better ask Thawte which one is used for the certificate Thawte gave you.
Other steps are easy:
generate key pair -> add a trustpoint -> configure your trustpoint including editing your information -> enroll your trustpoint -> then email your certificate request to Thawte to get your certificate -> get your certificate and then import it into ASA -> [authenticate your trustpoint using CA certificate as I told you above], actually this step can be done before the enrollment, I think -> Finally you will see your trustpoint has two "subjects"; also your ASA will have two certificates in "certificate mgmt", one is for your ASA, the other is for your CA (Thawte).
Oh, do not forget to configure ASA outside interface to use this trustpoint under "ssl".
Wish this can help you.