Configured the site-to-site VPN with digital certificate and Microsoft CA.
Some things are not clear to me.
1. When a CSR is generated, it is signed by the private key generated by the ASA. This CSR is sent to the Microsoft CA to generate the identity certificate.
2. When we give this request to the Microsoft CA, it is encrypted by the private key and we are not sharing the public key with the Microsoft CA. It is not clear to me how the CA will decide that this request is true, is coming from the legitimate user and is original.
3. If the CA is not able to decrypt the CSR request, how can it give us the identity certificate?
4. If the CA assumes that the CSR is true and original, it generates the identity certificate on the CSR (which is scrambled data).
5. We will install the identity certificate and also the CA certificate, which is the CA public key, on the ASA.
When certificates are exchanged, what can be verified from the received certificate? The only thing we specify in the ASA is the peer IP address. There is nothing more than this in the ASA which it can check against the received certificate. Or is there anything else that can be checked to see that the certificate we have received is from the correct ASA with which we are peering?
Please check the following URL on Cisco's website, which tells how to configure the VPN with a certificate, but at step 7 of the configuration of the site-to-site VPN it says that we are using a pre-shared key instead of a certificate.
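The CSR the ASA sends is signed, not encrypted: the ASA's public key travels inside the CSR, and the CA verifies that self-signature with it before issuing, which proves the requester holds the private key (whether the requester is the right ASA is an enrollment-policy decision, not something the signature proves). The Go program below is an added example, not code from the post or from Cisco, that walks through that enrollment and then the checks the receiving ASA can run on a peer certificate, using a constructed lab CA; the function names NewCA, MakeCSR, IssueCert and VerifyPeer, the "Lab Root CA" name and the IP addresses are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// NewCA builds a self-signed root standing in for the Microsoft CA (constructed lab PKI, valid for one day).
func NewCA() (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key) // parent == t: self-signed
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// MakeCSR is the ASA side: the CSR carries the ASA's public key and is signed, not encrypted, with its private key.
func MakeCSR(cn string, ip net.IP) ([]byte, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // "crypto key generate rsa": the private key never leaves the ASA
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, IPAddresses: []net.IP{ip}}, key)
}

// IssueCert is the CA side: CheckSignature verifies the CSR with the public key inside it (proof of possession of the private key); whether that requester is the legitimate ASA is enrollment policy.
func IssueCert(csrDER []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil { // malformed, altered in transit, or signed with a different key
		return nil, errors.New("CSR rejected: proof of possession failed")
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, IPAddresses: csr.IPAddresses, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}}
	der, _ := x509.CreateCertificate(rand.Reader, t, caCert, csr.PublicKey, caKey)
	return x509.ParseCertificate(der)
}

// VerifyPeer is what the receiving ASA can check: the chain to the installed CA certificate (signature, validity, key usage) and that the identity inside the certificate matches the configured peer address.
func VerifyPeer(peer, caCert *x509.Certificate, expectedIP net.IP) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}}); err != nil {
		return err
	}
	return peer.VerifyHostname(expectedIP.String()) // an IP string is matched against the SAN IP entries
}
```

On an ASA the analogue of VerifyPeer's identity check is a certificate map that matches fields of the peer certificate (subject, SAN) to the tunnel group, so the trust decision does not rest on the peer IP alone.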