Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member


We have an ASA that configured as SSL portal. It has VeriSign as CA. I am wondering how the keys work.

My understanding is that, ASA sends its certificates with its public key to VeriSign. VeriSign then sends it to the user and encrypted with its private key. When the user gets it, it uses VeriSign’s public key to decrypt it and gets ASA’s public key.

The opposite happens and ASA gets user’s public key.

From then on, user and SSL start to communicate.

Is my understanding right?




Re: Keys


When you use digital certificates the ASA requires a key pair first.

The default pair of keys (or a new set) are required to send the public key in the certificate request to the CA.

This RSA keys can be used to authenticate the VPN connection (Site-to-Site IPsec or client-based IPsec or SSL) connections as well as to accept SSH connections.

Every device participating in PKI will send and make its public key available and will keep its private key privately.

If another device/user wants to send data to this one, it will use the public key to encrypt the data and only the corresponding receiver can decrypt the data with the private key (corresponding to the public key used to encrypt the data).

Just as a note, the ASA supports a Local CA functionality as well.

So, you can use an external CA server or the ASA itself can server as a basic CA server.

The ASA supports SCEP or manual certificate enrollments/requests.

In your case using SSL VPN client connections to the ASA and using Verisign as the CA entity your understanding is correct.


New Member

Re: Keys

There are a couple of type of certificates under Remote Access VPN. One is CA certificate, the other is Identity Certificates. In the scenario I described, is the VeriSign’s public key stored under Identity or CA certificates? How about my ASA, where are its pair stored?



Re: Keys

To check the public keys associated with your device you can use the command:

sh cry key mypubkey rsa

You can check them on ASDM as well but I don't have the GUI right now.


CreatePlease to create content