Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Certificate Revocation List configuration on ASA

Hello folks,

I wish someone shed me some light on how I can configure CRL on ASA for machine-based certification authentication for SSL VPN. The client has Microsoft CA and their policy is to allow into VPN only trusted machines with enrolled certificates. I understand that I need to configure two trustpoints on the ASA, one for Root CA to make the ASA trust it and the other one for an identity certificate.

My question is where will I configure CRL ? Will it be under the trust point for Root CA or under the trust point for identity?

E.g. these are portions of my configs from the lab ASA:

crypto ca trustpoint ROOTCA-TRUSTPOINT

enrollment terminal

crl configure

crypto ca trustpoint DEMO-IDENTITY-TRUSTPOINT

enrollment terminal

fqdn demo.koiossystems.com

subject-name CN=demo.koiossystems.com

keypair SSLVPN-CERT-KEYS

crl configure

9 REPLIES
Cisco Employee

Certificate Revocation List configuration on ASA

Please never enroll and authenticate in two different trustpoints (for same CA).

You should authenticate and enroll a particular instance into one trustpoint. (note that if you have idenityt multiple certs from same CA, both should be authenticated).

CDP is provided by the CA in the  identity cert, the URL should be there when CA provides you with a signed cert. To verify you can check "show cry ca cert".

THe ASA does have an option to perform CRL check or not (and a few others in this regard).

New Member

Certificate Revocation List configuration on ASA

Thanks, Marcin,

I would still get more clarification. If I want the ASA to verify the remote machine certificate would it use the CRL configured in the identity trustpoint (DEMO-IDENTITY-TRUSTPOINT in my case) ?

What's CDP ?

Cisco Employee

Certificate Revocation List configuration on ASA

No probs.

It's always the CA which decides "how to access" CRL via field in certificate - CDP. (CDP = CRL Distribution Point)

The field is usually appended to certificate when generated by CA.

For processing and clarity reasons you should (in 99% of cases) have CA cert and identity cert in same trustpoint.

M.

New Member

Certificate Revocation List configuration on ASA

I would like to know about that case that falls on 1 percent.

All my real-time experience with deploying SSL certificates always dealt with having two different trustpoints. And as far as  I remember this is what I heard from Cisco TAC engineer when I ran into a similar problem the first time. Now I hear there must be only one trustpoint. Sigh....

Cisco Employee

Certificate Revocation List configuration on ASA

Give me the SR number and I will have a look.

There is no good reason to separate indetity and CA certificates into different containers. We're using trustpoint container that can store evrtything in one place, which is logical and allows easier config.

Any additional config is used in certificate chaining, whcich you do not mention.

Marcin

New Member

Certificate Revocation List configuration on ASA

Sorry, Marcin,

I was sick for the whole week. The SR number was 618938355. I talked to Jorge Salas over the phone when we troubleshot the issue and he said that I need to have two trust points.

Cisco Employee

Certificate Revocation List configuration on ASA

Looking at the information provided by geotrust that you pointed out everything should be put in one trustpoint:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15228&actp=search&viewlocale=en_US&searchid=1315022941882

I'm not sure what Jorge was getting at when he suggested using different trustpoints. How many level of certificates do you have?

Marcin

New Member

Certificate Revocation List configuration on ASA

I think it's just one level but I'd like to be able use wild card certificates. Anyways, let's get back to my original question. Can you please refer me to a more or less good guide on how to integrate Cisco ASA firewall running 8.4 code with Microsoft CA and published CDP.

The one published here says that I need to rely on SCEP while configuring the trustpoint:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml

Is  it just enough to leave it like  this and the ASA will automatically check every incoming  VPN connection against the enrollement URL to see if the certificate issued to the machine is still valid. Just to refresh, I need to have a so-called two factor authentication - machine based and user based.

Cisco Employee

Certificate Revocation List configuration on ASA

There are no specifics for ASA and enrollment to MS CA (the process on ASA is same regardless of CA platform).

Also the process didn't change for a while, if my memory doesn't fail me we had same enrollment processes since PIX/ASA 7.0.

You can enroll in the two common ways either enrollment terminal or SCEP. SCEP is just simpler to manage.

Here's enrollment terminal example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

You need to CDP, not enrollment URL, when performing CRL checking.

CRL is very often a file that you need to download a process, signed by CA.

Marcin

4714
Views
0
Helpful
9
Replies
CreatePlease login to create content