02-27-2009 08:34 AM - edited 02-21-2020 04:09 PM
I want to configure a Cisco ASA box to accept remote access VPN clients using certificates from a third party CA. My ASA has an identity certificate from another CA. Is this possible without getting an identity certificate from the new CA?
In other words, is it possible to authenticate clients with certificates from CA#1 if my ASA has an identity certificate from CA#2? Does it make a difference if WebVPN is used or the regular VPN Client?
02-27-2009 09:04 AM
The certificate you received from the third-party CA will most likely be used for your SSL connections (WebVPN).
To do certificate authentication, you would be best off using an internal CA that issues an ID cert to your ASA (under a different trustpoint) and to your users from that same CA. Remember, your ASA can hold multiple certificates (like a certificate store on Windows). Here is an example that shows you how to do certificate authentication for VPN Clients using a Microsoft CA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
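As an added configuration example, not taken from this thread or from the linked Cisco document: an ASA that keeps its existing third-party SSL certificate under one trustpoint while a second trustpoint, for an internal CA, holds the ASA's VPN identity certificate and is used to validate client certificates. Trustpoint names, the certificate-map sequence and issuer CN, the tunnel-group name and the crypto map name are all assumed placeholders.

```cisco
! Added example; names below are assumed, not from the original thread.
! CA and identity certificates are pasted in PEM form when prompted.

! Trustpoint 1: existing third-party identity cert, kept for the SSL listener
crypto ca trustpoint THIRDPARTY-SSL
 enrollment terminal
 crl configure
! (crypto ca authenticate / crypto ca import already completed for this one)
ssl trust-point THIRDPARTY-SSL outside

! Trustpoint 2: internal CA that issues certs to both the ASA and VPN users
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 revocation-check crl
 crl configure
! Import the internal CA's root certificate (paste PEM at the prompt)
crypto ca authenticate INTERNAL-CA
! Generate the ASA's CSR, sign it on the internal CA, then import the result
crypto ca enroll INTERNAL-CA
crypto ca import INTERNAL-CA certificate

! Map client certs issued by the internal CA to the remote-access tunnel group
crypto ca certificate map DefaultCertificateMap 10
 issuer-name attr cn eq internal-ca
tunnel-group-map enable rules
tunnel-group-map DefaultCertificateMap 10 RA-CERT

! IPsec VPN Client: present the internal-CA identity cert to peers
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT ipsec-attributes
 trust-point INTERNAL-CA
crypto map outside_map 10 set trustpoint INTERNAL-CA

! WebVPN: require a client certificate on this tunnel group
tunnel-group RA-CERT webvpn-attributes
 authentication certificate
```

Verify the result with `show crypto ca certificates`, which should list both trustpoints with their CA certificates and the ASA identity certificates, before enabling certificate-only authentication for users.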
02-27-2009 11:45 AM
If you have different CAs on each VPN talker, the connection will not work unless they are subordinates of a root authority. At least you need to have a common CA on the devices. I believe that having the VPN Client send the whole chain will help you out a little bit, yet it will be better for you to have both client and ASA enrolled to the same CA.