We have an ASA that is configured as an SSL portal. It has VeriSign as the CA. I am wondering how the keys work.
My understanding is that the ASA sends its certificate with its public key to VeriSign. VeriSign then sends it to the user, encrypted with its private key. When the user gets it, they use VeriSign's public key to decrypt it and get the ASA's public key.
The opposite happens and the ASA gets the user's public key.
When you use digital certificates, the ASA requires a key pair first.
The default pair of keys (or a new set) is required to send the public key in the certificate request to the CA.
These RSA keys can be used to authenticate VPN connections (site-to-site IPsec, client-based IPsec, or SSL) as well as to accept SSH connections.
Every device participating in PKI will send and make its public key available and will keep its private key privately.
If another device/user wants to send data to this one, it will use the public key to encrypt the data and only the corresponding receiver can decrypt the data with the private key (corresponding to the public key used to encrypt the data).
Just as a note, the ASA supports a Local CA functionality as well.
So, you can use an external CA server, or the ASA itself can serve as a basic CA server.
The ASA supports SCEP or manual certificate enrollments/requests.
In your case, using SSL VPN client connections to the ASA and using VeriSign as the CA entity, your understanding is correct.
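As an added example that is not part of the original thread, the script below walks through the enrollment the answer describes, using the openssl CLI on a workstation in place of the ASA and VeriSign. It shows the pieces the answer names: the ASA's key pair, the certificate request that carries only the public key, the CA signing that request with its private key (the CA signs the certificate; it does not encrypt it), the client checking that signature with the CA's public key taken from the CA certificate it trusts, and finally data encrypted to the ASA's public key being readable only with the ASA's private key. Assumptions: openssl is on PATH, WORK is a scratch directory from mktemp, and every name (Lab Root CA, Rogue CA, vpn.example.com, the file names) is made up for the lab.

```shell
#!/bin/sh
# Added example (not from the thread): the enrollment flow with openssl.
# Assumptions: openssl on PATH; WORK is a scratch dir; all names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. A CA generates its own key pair and a self-signed CA certificate.
#    $1.crt is the "CA certificate" others install as a trust anchor;
#    $1.key never leaves the CA.  $1 = file prefix, $2 = CA common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# 2. The ASA generates its key pair and a certificate signing request (CSR).
#    The CSR carries only the PUBLIC key plus the subject name; asa.key stays
#    on the ASA.  This is the manual enrollment request mentioned above.
make_asa_csr() {
  openssl genrsa -out "$WORK/asa.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/asa.key" -subj "/CN=vpn.example.com" \
    -out "$WORK/asa.csr" >/dev/null 2>&1
}

# 3. The CA SIGNS the request with its private key.  The result, asa.crt,
#    is the ASA's identity certificate: the ASA's public key plus the CA's
#    signature over it.
ca_sign_csr() {
  openssl x509 -req -in "$WORK/asa.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/asa.crt" >/dev/null 2>&1
}

# 4. A client checks the signature on a certificate ($2) using the public key
#    inside the CA certificate it trusts ($1).  Echoes OK or FAIL.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The public key the client extracts from the verified certificate is exactly
# the public half of the ASA's key pair (both are printed as SPKI PEM).
pubkey_matches() {
  cert_pub=$(openssl x509 -in "$WORK/asa.crt" -noout -pubkey)
  key_pub=$(openssl rsa -in "$WORK/asa.key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ]
}

# 5. Anyone holding that public key can encrypt to the ASA; only asa.key
#    decrypts.  Echoes the decrypted message.
roundtrip_message() {
  printf '%s' "$1" > "$WORK/msg.txt"
  openssl x509 -in "$WORK/asa.crt" -noout -pubkey > "$WORK/asa.pub"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/asa.pub" \
    -in "$WORK/msg.txt" -out "$WORK/msg.enc"
  openssl pkeyutl -decrypt -inkey "$WORK/asa.key" -in "$WORK/msg.enc"
}

setup_lab_pki() {
  make_ca ca "Lab Root CA"
  make_ca rogue "Rogue CA"      # a second CA that the client does not trust
  make_asa_csr
  ca_sign_csr
}

setup_lab_pki
echo "trusted CA : $(verify_against "$WORK/ca.crt" "$WORK/asa.crt")"     # OK
echo "rogue CA   : $(verify_against "$WORK/rogue.crt" "$WORK/asa.crt")"  # FAIL
pubkey_matches && echo "identity cert carries the ASA's public key"
echo "decrypted  : $(roundtrip_message 'hello from the VPN client')"
```

The rogue-CA check is the point a practitioner cares about: the client trusts asa.crt only because it can verify the signature with a CA certificate it already holds, so whichever CA certificates are installed as trust anchors decide which identity certificates are accepted. In the ASA's terms, ca.crt is what gets installed as a CA certificate and asa.crt is the identity certificate bound to the key pair the ASA generated.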
There are a couple of types of certificates under Remote Access VPN. One is CA Certificates, the other is Identity Certificates. In the scenario I described, is VeriSign's public key stored under Identity or CA Certificates? How about my ASA, where is its pair stored?
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: