Thursday 11 February 2016

Setting up and configuring an identity certificate on the ASA

I want to demonstrate three scenarios:

- A: Where we need to generate a self-signed certificate

The following command generates a new 2048-bit RSA key pair:
crypto key generate rsa label ssl-vpn-key modulus 2048

We should then create a 'trustpoint' (this is simply a container that holds certificates):
crypto ca trustpoint localtrust

And then set the enrollment type (here self-signed):
enrollment self

Specify the FQDN:
fqdn mysslvpn.test.internal

Specify the subject:
subject-name CN=mysslvpn.test.internal

Specify the private key:
keypair ssl-vpn-key

Enroll the trustpoint:
crypto ca enroll localtrust

And finally apply the trustpoint to the outside interface:
ssl trust-point localtrust outside

To review any trustpoint configurations we can issue:
show ssl

- B: Where we need to apply a certificate from a public CA (or local CA like AD Certificate Authority)

The following command generates a new 2048-bit RSA key pair:
crypto key generate rsa label ssl-vpn-key modulus 2048

We should then create a 'trustpoint' (this is simply a container that holds certificates):
crypto ca trustpoint publictrust

And then set the enrollment type (in this case terminal, i.e. interactive mode, so we can copy the CSR from the console):
enrollment terminal

Specify the FQDN:
fqdn mysslvpn.mydomain.com

Specify the subject:
subject-name CN=mysslvpn.mydomain.com

Specify the private key:
keypair ssl-vpn-key

Enroll the trustpoint:
crypto ca enroll publictrust

This generates the CSR, which we can copy from the terminal and paste into our public CA's portal.

Once we have a certificate back from our CA, we should get hold of the CA's root certificate and any intermediate certificates and export them in BASE64 (PEM) format. We then paste all of them (chained) into the terminal when prompted by:

crypto ca authenticate publictrust

Finally we import the identity certificate itself (again in BASE64 format) with:

crypto ca import publictrust certificate

To review any trustpoint configurations we can issue:
show ssl

** Import a CA root certificate:

Backing up / exporting SSL certificates:

We can generate a PKCS12 file (which includes both the private key and the certificate) using something like:
crypto ca export publictrust pkcs12 NotAStrongPassword
