Thanks, Marcin,

I would still get more clarification. If I want the ASA to verify the remote machine certificate would it use the CRL configured in the identity trustpoint (DEMO-IDENTITY-TRUSTPOINT in my case) ?

What's CDP ?

No probs.

It's always the CA which decides "how to access" CRL via field in certificate - CDP. (CDP = CRL Distribution Point)

The field is usually appended to certificate when generated by CA.

For processing and clarity reasons you should (in 99% of cases) have CA cert and identity cert in same trustpoint.

M.

I would like to know about that case that falls on 1 percent.

All my real-time experience with deploying SSL certificates always dealt with having two different trustpoints. And as far as  I remember this is what I heard from Cisco TAC engineer when I ran into a similar problem the first time. Now I hear there must be only one trustpoint. Sigh....

Give me the SR number and I will have a look.

There is no good reason to separate indetity and CA certificates into different containers. We're using trustpoint container that can store evrtything in one place, which is logical and allows easier config.

Any additional config is used in certificate chaining, whcich you do not mention.

Marcin

Sorry, Marcin,

I was sick for the whole week. The SR number was 618938355. I talked to Jorge Salas over the phone when we troubleshot the issue and he said that I need to have two trust points.

Looking at the information provided by geotrust that you pointed out everything should be put in one trustpoint:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15228&actp=search&viewlocale=en_US&searchid=1315022941882

I'm not sure what Jorge was getting at when he suggested using different trustpoints. How many level of certificates do you have?

Marcin

I think it's just one level but I'd like to be able use wild card certificates. Anyways, let's get back to my original question. Can you please refer me to a more or less good guide on how to integrate Cisco ASA firewall running 8.4 code with Microsoft CA and published CDP.

The one published here says that I need to rely on SCEP while configuring the trustpoint:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml

Is  it just enough to leave it like  this and the ASA will automatically check every incoming  VPN connection against the enrollement URL to see if the certificate issued to the machine is still valid. Just to refresh, I need to have a so-called two factor authentication - machine based and user based.

There are no specifics for ASA and enrollment to MS CA (the process on ASA is same regardless of CA platform).

Also the process didn't change for a while, if my memory doesn't fail me we had same enrollment processes since PIX/ASA 7.0.

You can enroll in the two common ways either enrollment terminal or SCEP. SCEP is just simpler to manage.

Here's enrollment terminal example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

You need to CDP, not enrollment URL, when performing CRL checking.

CRL is very often a file that you need to download a process, signed by CA.

Marcin