I wish someone shed me some light on how I can configure CRL on ASA for machine-based certification authentication for SSL VPN. The client has Microsoft CA and their policy is to allow into VPN only trusted machines with enrolled certificates. I understand that I need to configure two trustpoints on the ASA, one for Root CA to make the ASA trust it and the other one for an identity certificate.
My question is where will I configure CRL ? Will it be under the trust point for Root CA or under the trust point for identity?
E.g. these are portions of my configs from the lab ASA:
crypto ca trustpoint ROOTCA-TRUSTPOINT
crypto ca trustpoint DEMO-IDENTITY-TRUSTPOINT
Please never enroll and authenticate in two different trustpoints (for same CA).
You should authenticate and enroll a particular instance into one trustpoint. (note that if you have idenityt multiple certs from same CA, both should be authenticated).
CDP is provided by the CA in the identity cert, the URL should be there when CA provides you with a signed cert. To verify you can check "show cry ca cert".
THe ASA does have an option to perform CRL check or not (and a few others in this regard).
I would still get more clarification. If I want the ASA to verify the remote machine certificate would it use the CRL configured in the identity trustpoint (DEMO-IDENTITY-TRUSTPOINT in my case) ?
What's CDP ?
It's always the CA which decides "how to access" CRL via field in certificate - CDP. (CDP = CRL Distribution Point)
The field is usually appended to certificate when generated by CA.
For processing and clarity reasons you should (in 99% of cases) have CA cert and identity cert in same trustpoint.
I would like to know about that case that falls on 1 percent.
All my real-time experience with deploying SSL certificates always dealt with having two different trustpoints. And as far as I remember this is what I heard from Cisco TAC engineer when I ran into a similar problem the first time. Now I hear there must be only one trustpoint. Sigh....
Give me the SR number and I will have a look.
There is no good reason to separate indetity and CA certificates into different containers. We're using trustpoint container that can store evrtything in one place, which is logical and allows easier config.
Any additional config is used in certificate chaining, whcich you do not mention.
I was sick for the whole week. The SR number was 618938355. I talked to Jorge Salas over the phone when we troubleshot the issue and he said that I need to have two trust points.
Looking at the information provided by geotrust that you pointed out everything should be put in one trustpoint:
I'm not sure what Jorge was getting at when he suggested using different trustpoints. How many level of certificates do you have?
I think it's just one level but I'd like to be able use wild card certificates. Anyways, let's get back to my original question. Can you please refer me to a more or less good guide on how to integrate Cisco ASA firewall running 8.4 code with Microsoft CA and published CDP.
The one published here says that I need to rely on SCEP while configuring the trustpoint:
Is it just enough to leave it like this and the ASA will automatically check every incoming VPN connection against the enrollement URL to see if the certificate issued to the machine is still valid. Just to refresh, I need to have a so-called two factor authentication - machine based and user based.
There are no specifics for ASA and enrollment to MS CA (the process on ASA is same regardless of CA platform).
Also the process didn't change for a while, if my memory doesn't fail me we had same enrollment processes since PIX/ASA 7.0.
You can enroll in the two common ways either enrollment terminal or SCEP. SCEP is just simpler to manage.
Here's enrollment terminal example:
You need to CDP, not enrollment URL, when performing CRL checking.
CRL is very often a file that you need to download a process, signed by CA.