implementing global PKI service

mahesh18
Level 6

Hi Everyone,

With clientless SSL VPN to support external clients, do we need to use a global PKI service?

Regards

MAhesh

Accepted Solution

Marvin Rhoads
Hall of Fame

It's recommended but not required. As long as the clients trust the ASA certificate it will work.

With a global PKI that uses a well-known public CA (like Entrust, Verisign, Thawte, GoDaddy etc.) to issue certificates for your ASA, almost all clients will have those pre-defined as trusted root Certificate Authorities. In that case, they will not see any warning message when browsing to the ASA.

If you use a self-signed certificate or internal PKI, your clients will need to either (a) install the ASA certificate or internal PKI root certificate in their trusted root certificate store or (b) always accept the untrusted certificate every time.

Most people don't want to present their clients with either of the latter two choices, thus the recommendation to use a public Certificate Authority.
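
The trust decision described in this answer, as an added example that is not part of the original post: a private root CA issues a certificate for a constructed hostname (`vpn.example.test`, standing in for the ASA) and a client verifies it before and after that root is placed in its store. The helper names `issue`, `trusted` and `must` are hypothetical, and the client's root store is modelled as an in-memory pool; a public CA is simply a root that is already in that pool.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo only: abort if key generation or signing fails
	}
	return v
}

// issue (hypothetical helper) returns a cert for cn signed by parent; nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // throwaway key, generated per run
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if !isCA { // server certificate: clients match the hostname against the SAN
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// trusted reports whether a client whose root store holds only roots accepts cert for host.
func trusted(cert *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	store := x509.NewCertPool()
	for _, r := range roots {
		store.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return err == nil
}

func main() {
	ca, caKey := issue("Example Internal Root CA", true, nil, nil)
	asa, _ := issue("vpn.example.test", false, ca, caKey) // constructed hostname
	fmt.Println("root absent:", trusted(asa, "vpn.example.test"), "root installed:", trusted(asa, "vpn.example.test", ca))
}
```

The same `trusted` call returns false for a self-signed certificate until that certificate itself is added to the store, and a hostname that does not match the certificate fails even with the root installed.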

2 Replies

Hi Marvin,

Thanks for answering the question.

It's always a pleasure to read replies from you.

Best Regards

MAhesh