Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

implementing global PKI service

 

Hi Everyone,

 

With clientless SSL VPN to support external clients do we need to use global pki service?

 

Regards

MAhesh

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

It's recommended but not

It's recommended but not required. As long as the clients trust the ASA certificate it will work.

With a global PKI that uses a well-known public CA (like Entrust, Verisign, Thawte, GoDaddy etc.) to issue certificates for your ASA, almost all clients will have those pre-defined as trusted root Certificate Authorities. In that case, they will not see any warning message when browsing to the ASA.

If you use a self-signed certificate or internal PKI, your clients will need to either a. install the ASA certificate or internal PKI root certificate in their trusted root certificate store or b. always accept the untrusted certificate every time.

Most people don't want to present their clients with either of the latter two choice thus the recommendation to use a public Certificate Authority. 

2 REPLIES
Hall of Fame Super Silver

It's recommended but not

It's recommended but not required. As long as the clients trust the ASA certificate it will work.

With a global PKI that uses a well-known public CA (like Entrust, Verisign, Thawte, GoDaddy etc.) to issue certificates for your ASA, almost all clients will have those pre-defined as trusted root Certificate Authorities. In that case, they will not see any warning message when browsing to the ASA.

If you use a self-signed certificate or internal PKI, your clients will need to either a. install the ASA certificate or internal PKI root certificate in their trusted root certificate store or b. always accept the untrusted certificate every time.

Most people don't want to present their clients with either of the latter two choice thus the recommendation to use a public Certificate Authority. 

Community Member

 Hi Marvin, Thanks for

 

Hi Marvin,

 

Thanks for answering the question.

Its always pleasure to read replies from you.

Best Regards

MAhesh

30
Views
0
Helpful
2
Replies
CreatePlease to create content