How to install certificates on ASA 5505?

Hi there!

My question is the following: what is the easiest (free) way to install a certificate on an ASA 5505? I want to use certificate authentication when connecting to an RA tunnel (using the Cisco VPN client). I tried to follow this manual ->
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdmcer.html
but there is one problem - automatic enrollment. Do I need my own SCEP server (along with MS Server 2003)? Maybe there is some other, more user-friendly way to get this thing to work?

I will appreciate any tips, both GUI and CLI.

P.S. I don't need any fancy stuff - just the simplest one! Thanks!
dienaszaglis Asked:
bignewf Commented:

Here is the initial setup for the CA:

http://www.microsoft.com/technet/serviceproviders/wbh4_5/CMSU_CM_DW_PROC_Deploy_Windows_Server_2003_Certificate_Services_on_the_Primary_Domain_Controller.mspx?mfr=true

And here is a picture guide also:
http://articles.techrepublic.com.com/5100-10878_11-5098465.html
and I am uploading another word doc

this should get you going, and let me know if you still need help with this
Windows-Server-2003-CA-deploymen.doc
0
 
bignewf Commented:
First, are you using Microsoft CAs, or a third-party CA?

While Microsoft self-signed CAs are free (if you have the server licenses), 3rd-party certs are the most secure and the root CA is trusted.
I will give you instructions, just let me know what type of cert you are using. The CSR request is generated from the ASA and sent to a CA.
The beauty of 3rd-party certs (they are not free) is you don't have to bother with a cert server.

The choice becomes budget and your organization's security requirements.
0
 
dienaszaglis Author Commented:
From my understanding there is no free way to install certificates? Both 3rd party and MS Server will cost some $, right? If so, please give me instructions for Microsoft self-signed CAs. Thank you!
0
 
dienaszaglis Author Commented:
How about open source? Can't OpenSSL help me?
0
 
bignewf Commented:
If you are running Windows Server 2003 or 2008, then you have to install Certificate Services. There would be no additional cost as long as you have the right number of CALs (client access licenses) for the number of clients you are running on the network.

The ASA generally works best with 3rd-party certs. I use DigiCert and never have issues, and they are secure.
I will check for compatibility with Microsoft self-signed CAs. The ASA uses SSL certs.
0
 
dienaszaglis Author Commented:
Well, I got Server 2003 for testing purposes. What is the logical sequence to install a CA on the ASA? First, I need to create a trustpoint and certificate request on the ASA, right? Then the next step should be on the certificate server side?

It would be really nice to get step-by-step instructions/manuals.

Thanks again!

P.S. Sorry for my bad English.
0
 
dienaszaglis Author Commented:
Anyone?
0
 
bignewf Commented:
I need to verify whether a Microsoft CA will work on an ASA device. I have seen issues with these on ASAs - I will get back to you soon on this.

thanks
0
 
bignewf Commented:
This article is what you want from Cisco. It gives you a step-by-step guide using the ASDM GUI in the ASA to either use a Microsoft CA or a self-signed cert from the ASA itself.

I will be sending you a link for the setup of the Microsoft CA.
ASA-cert.pdf
0
 
dienaszaglis Author Commented:
Thanks!

I will be waiting for the CA server-side manual!

0
 
bignewf Commented:
Here is another picture step-by-step to administer Windows 2003 PKI (managing the certs).
Administering-Windows-2003-PKI.doc
0
 
dienaszaglis Author Commented:
Thanks again!

I will post my progress asap!

0
 
dienaszaglis Author Commented:
Automatic enrollment did not work - the warning was: unable to receive certificate. Maybe the URL is wrong? Mine is: http://vea/certsrv/mscep/mscep.dll
The same message occurs when the URL is blank or clearly wrong.

This seems too difficult to manage. Probably 3rd-party certs are the only answer...
0
 
Donboo Commented:
Does http://vea/certsrv/mscep/mscep.dll in a browser turn up blank? If so, then something is wrong with your CA/SCEP. When you enroll via SCEP you need to access that URL first in a browser to get the challenge key from SCEP to authenticate the CA trustpoint and get an identity certificate. When you have that key you have 60 min to enroll a certificate on the ASA.

If you follow the guide, use the key in step 4.
0
 
dienaszaglis Author Commented:
The URL from my browser IS working, but automatic enrollment is not! Maybe I can do this manually? Are there any manuals for manual enrollment? I tried everything by myself on the ASA and CA server, no success.

Anyway, what is the correct order to do this manually? What exactly should I do on the CA server side and on the ASA?
0
 
Donboo Commented:

Have you made sure the ASA is using a DNS server that knows the domain name vea? Otherwise use the IP address of the CA instead.

I have configured this a few times with SCEP and it works perfectly.

Anyway, here is a guide for manual enrollment should you find that approach easier..
http://www.scribd.com/doc/6654228/ASA-PIX-7
0
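The two enrollment paths discussed in this thread (SCEP against the Microsoft CA, and manual enrollment through the terminal) as one worked ASA CLI configuration. This is an added example, not configuration from the thread or from the linked guides; the CA address 192.0.2.10, the hostname asa5505.example.com, the key label, the trustpoint names, the tunnel-group name and the ASA 7.x/8.2-era `crypto isakmp` syntax are all assumptions. Everything is entered from global configuration mode.

```cisco
! --- Assumed values (not from the thread): CA at 192.0.2.10, ASA hostname
! --- asa5505.example.com, key label ASA-VPN-KEY, trustpoint MS-CA.

! 1. Generate the RSA key pair the identity certificate will be bound to.
crypto key generate rsa label ASA-VPN-KEY modulus 2048

! 2. Trustpoint for automatic (SCEP) enrollment against the Microsoft CA.
!    Use the CA's IP address rather than a short hostname unless the ASA
!    has a DNS server configured that resolves that name.
crypto ca trustpoint MS-CA
 enrollment url http://192.0.2.10/certsrv/mscep/mscep.dll
 enrollment retry period 1
 enrollment retry count 5
 subject-name CN=asa5505.example.com,O=Example
 fqdn asa5505.example.com
 keypair ASA-VPN-KEY
 exit

! 3. Pull the CA certificate, then request the identity certificate.
!    "crypto ca enroll" prompts for the one-time challenge password that the
!    mscep.dll page displays; it expires, so enroll right after fetching it.
crypto ca authenticate MS-CA
crypto ca enroll MS-CA

! --- Alternative: manual (terminal) enrollment when SCEP is not usable.
!    authenticate: paste the base64 CA certificate at the prompt.
!    enroll:       prints a base64 CSR to submit through the CA web pages.
!    import:       paste the issued base64 identity certificate.
crypto ca trustpoint MS-CA-MANUAL
 enrollment terminal
 subject-name CN=asa5505.example.com,O=Example
 fqdn asa5505.example.com
 keypair ASA-VPN-KEY
 exit
crypto ca authenticate MS-CA-MANUAL
crypto ca enroll MS-CA-MANUAL
crypto ca import MS-CA-MANUAL certificate

! 4. Verify. The trustpoint must hold an identity "Certificate" (not only the
!    "CA Certificate") with Status: Available; a trustpoint that has only the
!    CA certificate is not offered as an identity certificate for the VPN.
show crypto ca certificates
show crypto ca trustpoints

! 5. Switch IKE authentication to certificates and bind the trustpoint to the
!    remote-access tunnel group used by the legacy Cisco VPN Client (IPsec).
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN ipsec-attributes
 trust-point MS-CA
```

The check in step 4 is the one to run when the trustpoint exists but does not appear in a VPN wizard's list: ASDM only offers trustpoints that already carry an issued identity certificate, so a completed `crypto ca authenticate` without a successful `crypto ca enroll` (or `crypto ca import`) leaves the list empty. On ASA releases from 8.4 onward the `crypto isakmp policy` block is written as `crypto ikev1 policy` and `trust-point` is set with `ikev1 trust-point`; the enrollment commands are unchanged.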
 
dienaszaglis Author Commented:
How can I set the IP address for the CA server? I tried to use IIS Manager; I did set the IP address for the Default Web Site (cert server), but when I opened it, there was just a blank web page.

Well, I will try the manual enrollment.
0
 
Donboo Commented:
Instead of using http://vea/certsrv/mscep/mscep.dll use http://"IP address of CA"/certsrv/mscep/mscep.dll

Let us know how the manual enrollment turns out.
0
 
dienaszaglis Author Commented:
Well, it seems that automatic enrollment works for me - I can see certificates in the Certificate Management window. The status shows that they are available (not pending). But when I try to set up the remote access VPN, there still is no trustpoint in that list to select from... any ideas?

0
 
bignewf Commented:
How are you importing the certificate in the VPN client? Manually?
What certificates show in the list?
0
 
bignewf Commented:
Also, did you manually import the root certificate?
0
 
dienaszaglis Author Commented:
bignewf - I did not get that far; first I need to configure the VPN tunnel on the ASA. In the VPN wizard I cannot select any trustpoints, because that list is empty.

Same result for manual enrollment - in the management window everything seems fine, but there still are no trustpoints to select from (in the VPN wizard).
0
Question has a verified solution.