Cisco Support Community


SSL VPN using MS CA

I'm working on deploying AnyConnect SSL VPN and am looking to secure the connection with a certificate that is NOT provided by the ASA's internal CA or a 3rd party. What I would like to do is have our domain CA (MS) sign off on the certificate - that way all laptop users who connect to VPN will accept the certificate without prompting.

Is there any kind of Cisco document that outlines this specific case? I've looked at Cisco configuration documents that show:
- manually install 3rd party vendor certs for SSL VPN (i.e., Verisign)

- obtain digital certificates for ASA from an MS CA (this only issues IPSec certificates for users - the ASA throws an error about the EKU not specifying the server authentication role)

- renew/install the SSL certificate with ASDM (only applies to self-signed certs)

- reviewed the anyconnect administrator guide

I found two similar posts in the Community, but there is no definitive answer from anyone as to whether or not this is possible.

https://supportforums.cisco.com/message/259286#259286

https://supportforums.cisco.com/message/1324901#1324901

I would appreciate any feedback. I may have to end up copying the ASA self-signed certificate to all VPN user laptops :S

Greg

1 ACCEPTED SOLUTION

Re: SSL VPN using MS CA

You treat the SSL VPN like a web server. Create a 3rd party signing request, load it on your MS CA and select the web server profile. You will need both the CA cert and the identification cert. You load the CA cert first, then the identity cert.

You then attach the cert to an interface.

I did this on my internal interface so that the customization pages would stop giving me cert errors in my browser. I went with a proper public 3rd party cert for the external interface since I expect non-domain machines to connect, and telling users how to install certs is a pain.

2 REPLIES

Re: SSL VPN using MS CA

I ended up following "ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example" (Document ID: 100413) and the advice to choose the 'webserver' profile when selecting which certificate type I wanted. I also had to ensure that the 'advanced' tab (when generating the CSR on the ASA) was giving the proper external DNS answer and not the internal name.
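The procedure the accepted answer and Greg's follow-up describe (CSR generated on the ASA, signed by the Microsoft CA with the Web Server template, CA certificate imported before the identity certificate, trustpoint bound to an interface) written out as ASA CLI. This is an added example, not configuration posted in the thread or taken from Document ID 100413; it assumes ASA 8.x terminal enrollment, and the trustpoint name MS-CA, key label VPN-KEY, external hostname vpn.example.com and the interface name "outside" are placeholders.

```text
! Added example (not from the thread). Assumed names: trustpoint MS-CA,
! RSA key label VPN-KEY, external hostname vpn.example.com, interface "outside".
!
! 1. Key pair and trustpoint. "enrollment terminal" makes the ASA print the CSR
!    on the console so it can be pasted into the MS CA web enrollment page.
!    "fqdn" goes into the Subject Alternative Name (dNSName) and "subject-name"
!    sets the CN. Both must be the EXTERNAL name clients resolve, not the
!    internal hostname (the point Greg had to fix on the 'advanced' tab).
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint MS-CA
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,OU=IT,O=Example,C=US
 keypair VPN-KEY
 exit
!
! 2. Generate the CSR. Answer "no" to including the device serial number in
!    the subject, "yes" to displaying the request, then copy the base64 block
!    between the BEGIN/END lines.
crypto ca enroll MS-CA
!
! 3. On the Microsoft CA web enrollment page (http://<ca-host>/certsrv):
!    Request a certificate -> advanced certificate request -> paste the CSR ->
!    Certificate Template: "Web Server" -> Submit -> download Base 64 encoded.
!    "Web Server" carries Extended Key Usage = Server Authentication
!    (1.3.6.1.5.5.7.3.1); the IPsec template does not, which is the EKU error
!    from the question. Also download the CA certificate itself
!    ("Download a CA certificate"), Base 64 encoded.
!
! 4. Import the CA certificate first: the trustpoint must trust the issuer
!    before the identity certificate is accepted. Paste the PEM, then type
!    "quit" on a line by itself and confirm.
crypto ca authenticate MS-CA
!
! 5. Import the ASA's own (identity) certificate the same way.
crypto ca import MS-CA certificate
!
! 6. Bind the trustpoint to the interface AnyConnect clients connect to.
!    Repeating the command with "inside" does what the accepted answer did
!    for the internal interface.
ssl trust-point MS-CA outside
!
! 7. Verify: Issuer should be the enterprise CA and Subject CN the external
!    FQDN, with "Associated Trustpoints: MS-CA".
show crypto ca certificates MS-CA
```

Before pasting the downloaded certificate in step 5, `openssl x509 -in vpn.cer -noout -text` on any workstation should list "TLS Web Server Authentication" under X509v3 Extended Key Usage and the external FQDN under Subject Alternative Name; if either is missing, the wrong template or the wrong name was used and the ASA or the clients will reject it.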
