Cisco Support Community
Community Member

Type of certificate to get for ASA IPSEC VPN

Hello all,

I'm looking to set up an IPSec VPN connection that will authenticate its users by certificate only. I've set everything up successfully with AAA local login, but am looking to convert to a signed certificate and generate user certs for users not part of an enterprise or Active Directory.

So here's my question. What kind of certificate am I buying (let's say from Verisign aka Symantec)? And if I only want to use this certificate for my VPN and its clients, can I install it on the Cisco ASA and generate user certificates there, or should I set up a Windows Server with Certificate Authority and create all the certificates on that machine?

My goal is to install the AnyConnect 3.1.x agent on the user's laptop and install the user certificate myself. No webVPN or work on the user's behalf. I've tried the local CA in the ASA in a dev environment, but have had no luck, so I figured I'd just go to a proper signed one right away.

Thanks in advance,

_J

1 ACCEPTED SOLUTION
VIP Purple

> Do you think I should have a 3rd party signed certificate

If the VPN is not only used for internal staff, then always go for a public certificate. If you ask other users to install your root-certificate, you ask them to allow you to be a man in the middle for all their traffic. That's nothing that should be done.

The enrollment is typically just to configure the trustpoint and install the certificate. It's very likely that the CA uses an intermediate CA, so you should install that also (very often the CAs have how-tos for various platforms).

> I'm still learning here so I apologize if my questions seem amateur.

And be assured, the learning will never stop ... :-)

3 REPLIES
VIP Purple

In a small scale deployment you typically don't use certificates from a public CA. Just imagine that by default your ASA would accept anyone with a cert from that CA, which is probably not what you want. You could solve that with certificate maps, but that's not what they are designed for.

So you have a couple of choices:

  1. Use the CA on the ASA. Although you didn't have luck with that it generally works and if you want to try that way again, just open another thread for that. One big drawback of the ASA-internal CA is that Failover is not supported. If you want to deploy HA now or later, the internal CA is not the way to go.
  2. Use an IOS router with security license as a CA-server. A couple of times I used spare ISRs that were replaced by ISR G2s. These make a great CA. For maximum flexibility an IOS 15.2 is needed, which is not available on the 1st Gen ISR, but it's still a possible way. An IOS router is nowadays my favorite when dealing with certificates for site-to-site VPNs.
  3. All Windows Servers come with a CA. One drawback is that the most often used Windows version (2008) has to be the enterprise version if you want to use any form of automatic enrollment (SCEP). If you can use Windows 2012 R2, that gives a great CA for your users. I prefer this for client certificates, although I don't use them really often. (My typical choice is an AD user account and a token as a second factor.)
  4. I heard good things about Dogtag CA, which is based on Linux. I still have it on my list to test, so I don't have any experience with that:
    http://fedoraproject.org/wiki/Features/DogtagCertificateSystem
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116237-configure-dogtag-00.html
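The two certificate points made in this thread (that an ASA trusting a public root would by default accept any certificate that CA ever issued, and that the public CA's intermediate has to be installed alongside the gateway certificate or clients see a broken chain) can both be reproduced with plain X.509 path validation. The Go program below is an added example written for this page; it is not code from the thread, from Cisco or from any of the CA products mentioned. It builds a small constructed hierarchy in memory with Go's standard crypto/x509 package (the CA names, the hostname vpn.example.com and the user names are made up) and uses a signature check against our own issuing CA as a stand-in for the narrowing that a certificate map or a private CA would give on the ASA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; in this constructed PKI that only means a broken system RNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certAndKey is one constructed, in-memory certificate together with its private key.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil).
// CAs get keyCertSign; leaves get the serverAuth and clientAuth extended key usages.
func mkCert(cn string, isCA bool, dns []string, parent *certAndKey) *certAndKey {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: dns, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &certAndKey{cert: must(x509.ParseCertificate(der)), key: key}
}

// verifyChain is plain path validation: leaf must chain to a trusted root through the
// supplied intermediates, for host (empty = no hostname check) and the given EKU.
func verifyChain(leaf *x509.Certificate, roots, inters *x509.CertPool, host string, eku x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// acceptClient is what a certificate map (or a private CA) adds on top of chain
// validation: the client cert must be signed by the one CA we enrolled our users with.
func acceptClient(client *x509.Certificate, roots, inters *x509.CertPool, ourCA *x509.Certificate) error {
	if err := verifyChain(client, roots, inters, "", x509.ExtKeyUsageClientAuth); err != nil {
		return err
	}
	if err := client.CheckSignatureFrom(ourCA); err != nil {
		return fmt.Errorf("valid chain, but not issued by our CA (issuer %q)", client.Issuer.CommonName)
	}
	return nil
}

// scenarios builds the constructed hierarchy (one public root, two customers' issuing
// CAs) and returns each check's outcome by name; nil means the certificate was accepted.
func scenarios() map[string]error {
	root := mkCert("Constructed Public Root CA", true, nil, nil)
	ourCA := mkCert("Constructed Issuing CA (ours)", true, nil, root)
	otherCA := mkCert("Constructed Issuing CA (another customer)", true, nil, root)
	gateway := mkCert("vpn.example.com", false, []string{"vpn.example.com"}, ourCA)
	ourUser := mkCert("alice (our user)", false, nil, ourCA)
	otherUser := mkCert("bob (another customer's user)", false, nil, otherCA)
	roots, allInters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	allInters.AddCert(ourCA.cert)
	allInters.AddCert(otherCA.cert)
	return map[string]error{
		// Client side: AnyConnect trusts the public root, so the ASA must also present the intermediate.
		"gateway cert, intermediate missing on ASA":   verifyChain(gateway.cert, roots, x509.NewCertPool(), "vpn.example.com", x509.ExtKeyUsageServerAuth),
		"gateway cert, intermediate installed on ASA": verifyChain(gateway.cert, roots, allInters, "vpn.example.com", x509.ExtKeyUsageServerAuth),
		// Gateway side: trusting the public root alone accepts any cert that CA ever issued to anyone.
		"other customer's user, chain check only": verifyChain(otherUser.cert, roots, allInters, "", x509.ExtKeyUsageClientAuth),
		"other customer's user, issuer pinned":    acceptClient(otherUser.cert, roots, allInters, ourCA.cert),
		"our user, issuer pinned":                 acceptClient(ourUser.cert, roots, allInters, ourCA.cert),
	}
}

func main() {
	for name, err := range scenarios() {
		fmt.Printf("%-45s -> %v\n", name, err)
	}
}
```

Run it with `go run`; each line prints a scenario and the resulting error, with `<nil>` meaning the certificate was accepted. The first pair shows why the accepted answer says to install the intermediate: the user's machine only trusts the public root, so a gateway certificate presented without its intermediate fails with an unknown-authority error. The last three show the point about public CAs for client authentication: with only a chain check, another customer's certificate from the same public CA is accepted, and it is the issuer check (the job a certificate map or, more cleanly, your own CA does) that limits access to certificates you actually issued.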
Community Member

Thank you Karsten, that definitely points me in the right direction with user certificates. I've set up Certificate Services in a dev environment on Server 2008 R2 before, but I now have licenses for 2012 so I will use that. HA isn't in the plans now, but may be in the future.

Do you think I should have a 3rd party signed certificate so the users do not see the "This server is not trusted" warning? Some of the users will not be under my administration, so I would have to send them my Root Cert and hope their local tech can install it properly on their end. A signed cert for the connection wouldn't be much work, would it? Just add that as the Trust Point certificate, no?

I'm still learning here so I apologize if my questions seem amateur. I'm kind of the Jack of all trades here, with training hopefully to come by the fall.

Thanks again,

_J