Within this tutorial we will show you the nessecary steps in configuring your ASA as a CA server.
First of all we set the time and date.
asa-skyn3t(config)# show clock
08:05:40.249 UTC Sun Sep 30 2012
Next we enable the ASA as a CA server.
asa-skyn3t(config)# crypto ca server
asa-skyn3t(config-ca-server)# subject-name-default cn=skyn3tca, o=skyn3t, c=UK
asa-skyn3t(config-ca-server)# no shutdown
% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Re-enter passphrase: **********
Keypair generation process begin. Please wait…
Completed generation of the certificate and keypair…
Archiving certificate and keypair to storage… Complete
Certificate Server enabled.
If at any point you need to clear the CA server configuration from your ASA, the following commands are used.
asa-skyn3t(config)# clear configure crypto ca server
INFO: Local CA Server has been removed.
Enable Web Access
Next we enable webaccess.
asa-skyn3t(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on ‘inside’.
Create User Certificate
We then create a certificate for ‘user1’. This then provides us with the One Time Password that we can use shortly to download the certificate.
asa-skyn3t(config)# crypto ca server user-db add user1
asa-skyn3t(config)# crypto ca server user-db allow user1 display-otp
Enrollment Allowed Until: 08:07:25 UTC Wed Oct 3 2012
Next, download the certificate via a browser by going to https://<ASA IP/HOSTNAME>/+CSCOCA+/login.html and using the previously supplied One Time Password.
Show CA User Database
To confirm that the user enrollment details the following show command is used,
asa-skyn3t# sh crypto ca server user-db
allowed: 08:07:25 UTC Wed Oct 3 2012
notified: 1 times
enrollment status: Enrolled, Certificate valid until 08:10:13 UTC Mon Sep 30 2013,
Install / Test Certificate
As you will appreciate there are a number of VPN methods and ways that you can use the previously created user certificate.
A quick way to test your certificate is to try and connect using WebVPN.
Here are the steps:
1. Import the downloaded certificate into your web browsers certificate store.
2. Change the ASA default WebVPN group to certificate based authentication.
asa-skyn3t(config)# tunnel-group DefaultWEBVPNGroup webvpn-attributes
asa-skyn3t(config-tunnel-webvpn)# authentication certificate
3. Connect to WebVPN via https://<ASA> IP/HOSTNAME>
4. Your browser will then ask you to choose a digital certificate to authenticate with.
- How to Configure a BIND Server on Ubuntu - March 15, 2018
- What is a BGP Confederation? - March 6, 2018
- Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018
Want to become an IT Security expert?
Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial