
Certificate question for Clientless SSL on ASA 5520

whiteford
Level 1

Hi,

I'm using Clientless SSL VPN, but am not sure if I am using certificates etc. How can I check?

Do I need to buy any, or can the ASA create them?

Thanks

2 Replies

sadbulali
Level 4

SSL uses digital certificates for authentication. The security appliance creates a self-signed SSL server certificate when it boots; or you can install in the security appliance an SSL certificate that has been issued in a PKI context. For HTTPS, this certificate must then be installed on the client. You need to install the certificate from a given security appliance only once. Once the "crypto ca server" command executes, the Local CA is generated on the ASA. A self-signed certificate is created and associated with that Local CA on the security appliance when you execute the no shutdown command. The self-signed certificate key usage extension has key encryption, key signature, CRL signing, and certificate signing ability.

Digital certificates in SSL VPN:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1238768

Configuring the Local CA and creating a Self-Signed Certificate:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1067517

Thanks for spending the time to answer my question.

When I use my IE7 browser to connect to https://asaip it asks if I want to connect to this untrusted site. Does this mean that a certificate is in use here, as I have yet to configure anything? I have simply used the ASDM to set this.

I understand I could buy a certificate from VeriSign but am happy using the built-in self certificate.

Thanks
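
One way to check from the client side what kind of certificate an HTTPS endpoint such as the ASA presents, as an added example that is not part of the original thread. It assumes the `openssl` CLI is installed; the function names, file names and sample certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Requires the openssl CLI.
# Capturing the certificate a live appliance presents ("asaip" is the thread's placeholder):
#   openssl s_client -connect asaip:443 </dev/null 2>/dev/null | openssl x509 -out asa.pem

# Print the subject or issuer DN ($2 = subject|issuer) in a stable format.
cert_dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=[ ]*//"
}

# "self-signed" if subject == issuer and the signature verifies under the cert's own key.
cert_kind() {
    if [ "$(cert_dn "$1" subject)" = "$(cert_dn "$1" issuer)" ] &&
       openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo "self-signed"
    else
        echo "ca-issued"
    fi
}

# SHA-256 fingerprint, for out-of-band comparison before trusting a self-signed cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample input: a self-signed cert, plus a leaf issued by a throwaway CA.
make_samples() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=asa-selfsigned.example" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=asa-issued.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

workdir=$(mktemp -d)
make_samples "$workdir"
for f in self leaf; do
    echo "$f.pem: $(cert_kind "$workdir/$f.pem")  $(cert_fingerprint "$workdir/$f.pem")"
done
```

A "self-signed" result matches the browser's untrusted-site prompt described in the thread: the certificate is in use, but no CA the client already trusts vouches for it.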
