Keys

hanwucisco
Level 1

We have an ASA that is configured as an SSL portal. It has VeriSign as its CA. I am wondering how the keys work.

My understanding is that the ASA sends its certificate with its public key to VeriSign. VeriSign then sends it to the user, encrypted with its private key. When the user gets it, it uses VeriSign's public key to decrypt it and gets the ASA's public key.

The opposite happens and the ASA gets the user's public key.

From then on, user and SSL start to communicate.

Is my understanding right?

thanks,

Han

3 Replies

Hi,

When you use digital certificates, the ASA requires a key pair first.

The default key pair (or a newly generated one) is required in order to send the public key in the certificate request to the CA.

These RSA keys can be used to authenticate VPN connections (site-to-site IPsec, client-based IPsec or SSL) as well as to accept SSH connections.

Every device participating in PKI will make its public key available and will keep its private key private.

If another device/user wants to send data to this one, it will use the public key to encrypt the data, and only the corresponding receiver can decrypt the data with the private key (the one corresponding to the public key used to encrypt the data).

Just as a note, the ASA supports Local CA functionality as well.

So you can use an external CA server, or the ASA itself can serve as a basic CA server.

The ASA supports SCEP or manual certificate enrollments/requests.

In your case, using SSL VPN client connections to the ASA and using VeriSign as the CA entity, your understanding is correct.

Federico.
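Editor's note, with an added example that is not part of the thread: the step that matters for security is that the CA signs the ASA's certificate (a hash of the ASA's identity and public key, signed with the CA's private key); nothing is encrypted with the CA's private key, the CA never takes part in the SSL connection, and the ASA's private key never leaves the ASA. The client already holds VeriSign's public key as a locally trusted root, uses it to check the signature on the certificate the ASA presents, and only then uses the ASA's public key for the key exchange. The client sends a certificate of its own only when client certificate authentication is configured. On the ASA, the CA's certificate (VeriSign's public key) is installed as the trustpoint's CA certificate, and the ASA's own certificate, bound to the RSA key pair it generated, is the identity certificate. The script below models that flow with textbook RSA on small keys so it runs with only the Python standard library; the key sizes, the unpadded RSA, the "VeriSign (demo)" issuer label, the hostname asa.example.com and all function names are assumptions for illustration, and real TLS uses padded RSA or ECDSA signatures over X.509 and, in current cipher suites, an ephemeral Diffie-Hellman exchange instead of RSA-encrypting a secret.

```python
# Added example (not from the thread): toy model of CA signing, client-side
# verification, and RSA key exchange. Textbook RSA, 512-bit demo keys only.
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test, good enough for a demo key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 512):
    """Return ((n, e), (n, d)); the equivalent of 'crypto key generate rsa'."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _tbs_hash(subject: str, pub, issuer: str) -> int:
    """SHA-256 of the to-be-signed fields (subject, public key, issuer)."""
    data = f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_certificate(ca_priv, subject: str, subject_pub, issuer="VeriSign (demo)"):
    """CA step: the request carries only the subject's PUBLIC key; the CA
    signs its hash with the CA private key. Nothing is encrypted here."""
    n_ca, d_ca = ca_priv
    sig = pow(_tbs_hash(subject, subject_pub, issuer), d_ca, n_ca)
    return {"subject": subject, "pub": subject_pub, "issuer": issuer, "sig": sig}


def verify_certificate(cert, ca_pub) -> bool:
    """Client step: ca_pub is a locally trusted root, not something received
    from the CA during the connection. Recover the signed hash with the CA
    public key and compare it with a fresh hash of the certificate fields."""
    n_ca, e_ca = ca_pub
    expected = _tbs_hash(cert["subject"], cert["pub"], cert["issuer"])
    return pow(cert["sig"], e_ca, n_ca) == expected


def client_handshake(cert, ca_pub):
    """Verify the ASA's certificate, then encrypt a fresh premaster secret to
    the ASA public key taken from it (the RSA key exchange of TLS <= 1.2)."""
    if not verify_certificate(cert, ca_pub):
        raise ValueError("certificate not signed by the trusted CA")
    n_asa, e_asa = cert["pub"]
    premaster = random.getrandbits(384)  # 48 bytes, always < n_asa in this toy
    encrypted = pow(premaster, e_asa, n_asa)
    return encrypted, hashlib.sha256(premaster.to_bytes(48, "big")).digest()


def server_handshake(asa_priv, encrypted: int) -> bytes:
    """ASA step: only the holder of the ASA private key recovers the secret."""
    n_asa, d_asa = asa_priv
    premaster = pow(encrypted, d_asa, n_asa)
    return hashlib.sha256(premaster.to_bytes(48, "big")).digest()


if __name__ == "__main__":
    ca_pub, ca_priv = gen_keypair()    # stands in for VeriSign's root key
    asa_pub, asa_priv = gen_keypair()  # the ASA's own RSA key pair
    cert = issue_certificate(ca_priv, "asa.example.com", asa_pub)
    enc, k_client = client_handshake(cert, ca_pub)
    print("session keys match:", k_client == server_handshake(asa_priv, enc))
    forged = dict(cert, subject="evil.example.com")
    print("forged certificate accepted:", verify_certificate(forged, ca_pub))
```

The two checks at the bottom are the ones worth internalising: the session key derives from a secret only the ASA's private key can recover, and changing any signed field of the certificate (or checking it against a different root) makes verification fail, which is what stops an attacker from substituting their own public key for the ASA's.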

There are a couple of types of certificates under Remote Access VPN. One is CA Certificates, the other is Identity Certificates. In the scenario I described, is VeriSign's public key stored under Identity or CA Certificates? How about my ASA, where is its key pair stored?

Thanks,

Han

To check the public keys associated with your device, you can use the command:

sh cry key mypubkey rsa

You can check them on ASDM as well but I don't have the GUI right now.

Federico.
