Q. VPN remote access client user and ASA certs are generated off of the intermediate CA server.
Does the ASA need to have the Root CA cert installed on the ASA along with the Intermediate CA cert? Or will just the Intermediate CA cert suffice?
A. On the ASA you need only the Intermediate/Subordinate CA cert installed. On the client you need all 3 certs installed: Root CA, Subordinate CA, and Identity certificate.
Q. How does the ASA check for CRLs with multiple CA certificates installed?
On the ASA we have CA cert1 and CA cert2; clients are connecting using a user1 certificate signed by CA cert1 and a user2 certificate signed by CA cert2. How does the ASA know how to query the right CRL list?
A. The CRL location, CRL DP, is actually pulled out of the client certificate. The client certificate would have a 'CRL Distribution Points' extension that would provide a URL to the CRL location.
If the client certificate doesn't include such an extension then you could also configure static URLs or a combination of both depending on which check boxes you enable for CRL Retrieval Policy. This way you can configure the particular static URL relevant to the given CA certificate that you are configuring.
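As an added illustration of the answer above (this is example code written for this page, not Cisco's ASA implementation and not code from the original post), the block below decodes the 'CRL Distribution Points' extension (OID 2.5.29.31, RFC 5280 section 4.2.1.13) from its DER value and then models the two retrieval-policy options the answer describes: take the URL from the client certificate, fall back to (or combine with) static URLs configured per issuing CA. The sample extension bytes and the `CN=...` issuer names and `pki.example.test` URLs are constructed for the example; the policy function `select_crl_urls` is a simplified model of the check boxes, not the ASA's own logic.

```python
"""Decode a CRLDistributionPoints extension and pick the CRL URLs to query.

Example code for this page; it is not the ASA's implementation. The DER
builder exists only to construct sample extension values offline.
"""

# DER tags used by the CRLDistributionPoints structure (RFC 5280 4.2.1.13):
#   CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
#   DistributionPoint     ::= SEQUENCE { distributionPoint [0] DistributionPointName, ... }
#   DistributionPointName ::= fullName [0] GeneralNames (implicit, constructed)
#   GeneralName           ::= uniformResourceIdentifier [6] IA5String (implicit, primitive)
TAG_SEQUENCE = 0x30
TAG_CTX0_CONS = 0xA0
TAG_CTX6_PRIM = 0x86


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap body in a DER TLV with the given tag."""
    return bytes([tag]) + _der_length(len(body)) + body


def build_crl_dp_extension(urls):
    """Construct the extnValue of a CRLDistributionPoints extension (sample data only)."""
    points = b"".join(
        der(TAG_SEQUENCE, der(TAG_CTX0_CONS, der(TAG_CTX0_CONS, der(TAG_CTX6_PRIM, u.encode("ascii")))))
        for u in urls
    )
    return der(TAG_SEQUENCE, points)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def parse_crl_dp_extension(ext_value):
    """Return every URI distribution point in a CRLDistributionPoints extnValue."""
    tag, points, end = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("extnValue is not a single SEQUENCE")
    urls = []
    for tag, dp in _children(points):
        if tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint is not a SEQUENCE")
        for tag, field in _children(dp):
            if tag != TAG_CTX0_CONS:        # skip reasons [1] and cRLIssuer [2]
                continue
            for tag, name in _children(field):
                if tag != TAG_CTX0_CONS:    # only fullName, not nameRelativeToCRLIssuer [1]
                    continue
                for tag, general_name in _children(name):
                    if tag == TAG_CTX6_PRIM:  # uniformResourceIdentifier
                        urls.append(general_name.decode("ascii"))
    return urls


def select_crl_urls(client_ext_value, issuer, use_cdp, use_static, static_urls):
    """Model of the retrieval-policy choice: CDP from the cert, static URLs per CA, or both.

    client_ext_value is the extnValue bytes or None when the client cert lacks the
    extension; static_urls maps an issuer name to its configured CRL URLs. An empty
    result means no CRL can be fetched for this certificate under the chosen policy.
    """
    urls = []
    if use_cdp and client_ext_value is not None:
        urls.extend(parse_crl_dp_extension(client_ext_value))
    if use_static:
        urls.extend(static_urls.get(issuer, []))
    return urls


if __name__ == "__main__":
    # Constructed sample: user1's cert carries a CDP, user2's cert does not.
    user1_ext = build_crl_dp_extension(["http://pki.example.test/ca1.crl"])
    static = {"CN=CA2": ["http://pki.example.test/ca2.crl"]}
    print(select_crl_urls(user1_ext, "CN=CA1", True, True, static))
    print(select_crl_urls(None, "CN=CA2", True, True, static))
```

Because the CRL location is read from each client certificate, two CAs on the ASA do not collide: user1's certificate points at ca1.crl and user2's at ca2.crl. The fallback map is keyed by issuer so that a certificate without the extension still resolves to the CRL configured under its own CA trustpoint, and a certificate that matches neither source yields an empty list rather than silently passing.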