Solved

How to install certificates on ASA 5505?

Posted on 2009-02-09
Medium Priority
6,141 Views
Last Modified: 2012-05-06
Hi there!

The question is the following: what is the easiest (free) way to install a certificate on an ASA 5505? I want to use certificate authentication when connecting to an RA tunnel (using the Cisco VPN client). I tried to follow this manual ->
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdmcer.html
but there is one problem: automatic enrollment. Do I need my own SCEP server (along with MS Server 2003)? Maybe there is some other, more user-friendly way to get this thing working?

I would appreciate any tips, both GUI and CLI.

P.S. I don't need any fancy stuff, just the simplest one! Thanks!
Question by: dienaszaglis

22 Comments
 
LVL 15

Expert Comment

by:bignewf
ID: 23596058
First, are you using Microsoft CAs, or a third-party CA?

While Microsoft self-signed CAs are free (if you have the server licenses), 3rd-party certs are the most secure, and the root CA is trusted.
I will give you instructions, just let me know what type of cert you are using. The CSR request is generated on the ASA and sent to a CA.
The beauty of 3rd-party certs (they are not free) is that you don't have to bother with a cert server.

The choice comes down to budget and your organization's security requirements.
 

Author Comment

by:dienaszaglis
ID: 23598681
From my understanding, there is no free way to install certificates? Both 3rd-party and MS Server will cost some $, right? If so, please give me instructions for Microsoft self-signed CAs. Thank you!
 

Author Comment

by:dienaszaglis
ID: 23598972
How about open source? Can't OpenSSL help me?
 
LVL 15

Expert Comment

by:bignewf
ID: 23602605
If you are running Windows Server 2003 or 2008, then you have to install Certificate Services. There would be no additional cost as long as you have the right number of CALs (client access licenses) for the number of clients you are running on the network.


The ASA generally works best with 3rd-party certs. I use DigiCert and never have issues, and they are secure.
I will check for compatibility with Microsoft self-signed CAs. The ASA uses SSL certs.
 

Author Comment

by:dienaszaglis
ID: 23603533
Well, I have Server 2003 for testing purposes. What is the logical sequence to install a CA on the ASA? First, I need to create a trustpoint and a certificate request on the ASA, right? Then the next step should be on the certificate server side?

It would be really nice to get step-by-step instructions/manuals.

Thanks again!

P.S. Sorry for my bad English.
 

Author Comment

by:dienaszaglis
ID: 23605957
Anyone?
 
LVL 15

Expert Comment

by:bignewf
ID: 23607098
I need to verify whether a Microsoft CA will work on an ASA device. I have seen issues with these on ASAs. I will get back to you soon on this.

thanks
 
LVL 15

Expert Comment

by:bignewf
ID: 23607153
This article is what you want from Cisco. It gives you a step-by-step guide using the ASDM GUI on the ASA to use either a Microsoft CA or a self-signed cert from the ASA itself.

I will be sending you a link for the setup of the Microsoft CA.
ASA-cert.pdf
 

Author Comment

by:dienaszaglis
ID: 23607186
Thanks!

I will be waiting for the ca server side manual!

 
LVL 15

Accepted Solution

by:
bignewf earned 1500 total points
ID: 23607214

Here is the initial setup for the CA:

http://www.microsoft.com/technet/serviceproviders/wbh4_5/CMSU_CM_DW_PROC_Deploy_Windows_Server_2003_Certificate_Services_on_the_Primary_Domain_Controller.mspx?mfr=true

And here is a picture guide also:
http://articles.techrepublic.com.com/5100-10878_11-5098465.html
and I am uploading another Word doc.

This should get you going; let me know if you still need help with this.
Windows-Server-2003-CA-deploymen.doc
 
LVL 15

Expert Comment

by:bignewf
ID: 23607235
Here is another picture step-by-step to administer Windows 2003 PKI (managing the certs):
Administering-Windows-2003-PKI.doc
 

Author Comment

by:dienaszaglis
ID: 23607260
Thanks again!

I will post my progress asap!

 

Author Comment

by:dienaszaglis
ID: 23614806
Automatic enrollment did not work; the warning was: unable to receive certificate. Maybe the URL is wrong? Mine is: http://vea/certsrv/mscep/mscep.dll
The same message occurs when the URL is blank or clearly wrong.

This seems too difficult to manage. Probably 3rd-party certs are the only answer...
 
LVL 9

Expert Comment

by:Donboo
ID: 23616257
Does http://vea/certsrv/mscep/mscep.dll turn up blank in a browser? If so, then something is wrong with your CA/SCEP. When you enroll via SCEP you need to access that URL first in a browser to get the challenge key from SCEP, to authenticate the CA trustpoint and get an identity certificate. When you have that key, you have 60 min to enroll a certificate on the ASA.

If you follow the guide, use the key in step 4.
 

Author Comment

by:dienaszaglis
ID: 23616479
The URL from my browser IS working, but automatic enrollment is not! Maybe I can do this manually? Are there any manuals for manual enrollment? I tried everything by myself on the ASA and the CA server, with no success.

Anyway, what is the correct order to do this manually? What exactly should I do on the CA server side and on the ASA?
 
LVL 9

Expert Comment

by:Donboo
ID: 23617117

Have you made sure the ASA is using a DNS server that knows the domain name vea? Otherwise, use the IP address of the CA instead.

I have configured this a few times with SCEP and it works perfectly.

Anyway, here is a guide for manual enrollment, should you find that approach easier:
http://www.scribd.com/doc/6654228/ASA-PIX-7
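The manual (terminal) enrollment route pointed to in the comment above, and the earlier question of whether OpenSSL can help, as an added example that is not part of the original thread. It uses OpenSSL as a stand-in for the Windows 2003 CA: it creates a throwaway root CA, signs a CSR of the kind the ASA prints after `crypto ca enroll` on a trustpoint set to `enrollment terminal`, and verifies that the issued certificate chains to that CA before you paste it back into the ASA. The CSR here is generated locally (constructed, since the real one comes from the ASA and its private key never leaves the box); the trustpoint name LAB-CA, the key label ASA-VPN-KEY, the CA name and the subject are assumptions, and the ASA commands appear only as comments for orientation.

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSL as a stand-in CA for ASA
# terminal (manual) enrollment. All names below are assumptions.
#
# ASA side (CLI, not run here), trustpoint name LAB-CA assumed:
#   crypto key generate rsa label ASA-VPN-KEY modulus 2048
#   crypto ca trustpoint LAB-CA
#     enrollment terminal
#     keypair ASA-VPN-KEY
#     subject-name CN=asa5505.example.local
#   crypto ca authenticate LAB-CA         <- paste ca.pem, confirm fingerprint
#   crypto ca enroll LAB-CA               <- copy the CSR the ASA prints
#   crypto ca import LAB-CA certificate   <- paste the signed asa.pem
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Throwaway offline root CA standing in for the Windows 2003 CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=vea-test-CA" >/dev/null 2>&1
}

# SHA-1 fingerprint of the CA cert; compare it with what the ASA shows
# during "crypto ca authenticate" before accepting the certificate.
ca_fingerprint() {
  openssl x509 -in "$WORK/ca.pem" -noout -fingerprint -sha1 | cut -d= -f2
}

# 2. Constructed stand-in for the PEM CSR the ASA prints after
#    "crypto ca enroll". On a real box, save the ASA's output as asa.csr
#    instead of running this step.
make_fake_asa_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/asa.key" -out "$WORK/asa.csr" \
    -subj "/CN=asa5505.example.local" >/dev/null 2>&1
}

# 3. Sign the CSR as the CA. asa.pem is what gets pasted into
#    "crypto ca import LAB-CA certificate".
sign_asa_csr() {
  openssl x509 -req -in "$WORK/asa.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/asa.pem" >/dev/null 2>&1
}

# 4. Check before importing: the identity cert must chain to the same CA
#    cert the trustpoint was authenticated with. Exit status 0 means OK.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/asa.pem" >/dev/null 2>&1
}

# CN of the issued cert (the identity the ASA will present to VPN clients).
# The sed handles both the old "subject= /CN=x" and new "subject=CN = x" forms.
issued_cn() {
  openssl x509 -in "$WORK/asa.pem" -noout -subject \
    | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

run_all() {
  make_test_ca
  make_fake_asa_csr
  sign_asa_csr
  verify_chain
}

run_all
echo "CA SHA1 fingerprint (compare on the ASA): $(ca_fingerprint)"
echo "Issued identity cert CN: $(issued_cn)"
echo "Paste $WORK/ca.pem into 'crypto ca authenticate LAB-CA'"
echo "and $WORK/asa.pem into 'crypto ca import LAB-CA certificate'."
```

On the ASA, `crypto ca authenticate` prints the CA certificate's fingerprint and asks whether to accept it; compare that value with what this script prints before answering yes, since that step is what anchors the trustpoint to this CA and not some other one. Whatever you later paste into `crypto ca import ... certificate` must have been signed by the CA the trustpoint was authenticated with, which is exactly what the verify step checks here.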
 

Author Comment

by:dienaszaglis
ID: 23617520
How can I set the IP address for the CA server? I tried to use IIS Manager, and I set the IP address for the Default Web Site (cert server), but when I opened it, there was just a blank web page.

Well, I will try the manual enrollment.
 
LVL 9

Expert Comment

by:Donboo
ID: 23617785
Instead of using http://vea/certsrv/mscep/mscep.dll, use http://"IP address of CA"/certsrv/mscep/mscep.dll

Let us know how the manual enrollment turns out.
 

Author Comment

by:dienaszaglis
ID: 23618283
Well, it seems that automatic enrollment works for me; I can see certificates in the Certificate Management window. Status shows that they are available (not pending). But when I try to set up remote access VPN, there still is no trustpoint in that list to select from... any ideas?
 
LVL 15

Expert Comment

by:bignewf
ID: 23618417
How are you importing the certificate in the VPN client? Manually?
What certificates show in the list?
 
LVL 15

Expert Comment

by:bignewf
ID: 23618442
Also, did you manually import the root certificate?
 

Author Comment

by:dienaszaglis
ID: 23620587
bignewf - I did not get that far; first I need to configure the VPN tunnel on the ASA. In the VPN wizard I cannot select any trustpoints, because that list is empty.

Same result for manual enrollment: in the management window everything seems fine, but there still are no trustpoints to select from (in the VPN wizard).