Remote access VPN - certificates from different CAs?

ruslakarfa
Level 1

I want to configure a Cisco ASA box to accept remote access VPN clients using certificates from a third party CA. My ASA has an identity certificate from another CA. Is this possible without getting an identity certificate from the new CA?

In other words, is it possible to authenticate clients with certificates from CA#1 if my ASA has an identity certificate from CA#2? Does it make a difference if WebVPN is used or the regular VPN Client?

2 Replies

auraza
Cisco Employee

The certificate you received from the 3rd party CA will most likely be used for your SSL connections (WebVPN).

To do certificate authentication, you would be best off by using an internal CA, that issues an ID cert to your ASA (under a different trustpoint), and to your users from that same CA. Remember, your ASA can hold multiple certificates (like a certificate store on Windows). Here is an example that shows you how to do certificate authentication for VPN Clients using a Microsoft CA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
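The layout the reply above describes, as an added ASA configuration sketch (not from the linked Cisco example or from either poster): the existing third-party identity certificate stays in one trustpoint and is bound to SSL/WebVPN, while a second trustpoint holds the internal CA certificate plus a second ASA identity certificate and is used for certificate-authenticated VPN clients. Trustpoint names, keypair names, the hostname, the tunnel-group name and the issuer value are assumptions; the certificate map is the check that keeps certificates issued by the public CA from being mapped into the VPN tunnel group.

```text
! Trustpoint 1 (assumed name PUBLIC-CA): the third-party CA that issued the
! ASA's existing identity certificate. Only used to present the SSL cert.
crypto ca trustpoint PUBLIC-CA
 enrollment terminal
 fqdn asa.example.com
 subject-name CN=asa.example.com
 keypair PUBLIC-KEY
!
! Trustpoint 2 (assumed name INTERNAL-CA): the internal CA. Holds that
! CA's certificate, so client certificates it issued validate, and a
! second ASA identity certificate issued by the same CA.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 fqdn asa.example.com
 subject-name CN=asa.example.com,O=ExampleCorp
 keypair INTERNAL-KEY
!
! Load the CA certificate and then the ASA identity certificate for each
! trustpoint (PEM pasted at the prompt):
!   crypto ca authenticate PUBLIC-CA
!   crypto ca import PUBLIC-CA certificate
!   crypto ca authenticate INTERNAL-CA
!   crypto ca import INTERNAL-CA certificate
!
! WebVPN / SSL on the outside interface presents the public certificate.
ssl trust-point PUBLIC-CA outside
!
! Remote-access tunnel group for certificate-authenticated clients; the
! ASA identifies itself to IPsec peers with the INTERNAL-CA certificate.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN ipsec-attributes
 trust-point INTERNAL-CA
!
! Only certificates whose issuer is the internal CA are mapped into
! RA-VPN; a client certificate from any other loaded CA does not match.
crypto ca certificate map INTERNAL-USERS 10
 issuer-name attr o eq ExampleCorp
tunnel-group-map enable rules
tunnel-group-map INTERNAL-USERS 10 RA-VPN
```

After loading the certificates, `show crypto ca certificates` lists the CA and identity certificate held under each trustpoint, which is the quickest way to confirm both stores are populated as intended.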

If you have different CAs on each VPN talker the connection will not work unless they are subordinates of a Root Authority. At least you need to have a common CA on the devices. I believe that having the VPN Client send the whole chain will help you out a little bit, yet it will be better for you to have both client and ASA enrolled to the same CA.