fir3net
PPS-Firenetbanner-780.5x190-30-03-17

How to configure your ASA as a CA Server

Within this tutorial we will show you the nessecary steps in configuring your ASA as a CA server.

Time/Date

First of all we set the time and date. 

asa-skyn3t(config)# show clock
08:05:40.249 UTC Sun Sep 30 2012

Enable CA

Next we enable the ASA as a CA server. 

asa-skyn3t(config)# crypto ca server
asa-skyn3t(config-ca-server)# subject-name-default cn=skyn3tca, o=skyn3t, c=UK
asa-skyn3t(config-ca-server)# no shutdown

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: **********

Re-enter passphrase: **********

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
INFO:
Certificate Server enabled.

Remove

 If at any point you need to clear the CA server configuration from your ASA, the following commands are used.

asa-skyn3t(config)# clear configure crypto ca server
INFO: Local CA Server has been removed. 

Enable Web Access

Next we enable webaccess. 

asa-skyn3t(config)#  webvpn
asa-skyn3t(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on 'inside'. 

Create User Certificate

We then create a certificate for 'user1'. This then provides us with the One Time Password that we can use shortly to download the certificate.  

asa-skyn3t(config)# crypto ca server user-db add user1
asa-skyn3t(config)# crypto ca server user-db allow user1 display-otp

Username: user1
OTP: 609A014A394E4F98
Enrollment Allowed Until: 08:07:25 UTC Wed Oct 3 2012

Download Certificate

Next, download the certificate via a browser by going to https://<ASA IP/HOSTNAME>/+CSCOCA+/login.html and using the previously supplied One Time Password. 

Show CA User Database

To confirm that the user enrollment details the following show command is used, 

asa-skyn3t#  sh crypto ca server user-db
username: user1
email:    <None>
dn:       <None>
allowed:  08:07:25 UTC Wed Oct 3 2012
notified: 1 times
enrollment status: Enrolled, Certificate valid until 08:10:13 UTC Mon Sep 30 2013,
Renewal: Allowed

Install / Test Certificate 

As you will appreciate there are a number of VPN methods and ways that you can use the previously created user certificate.

A quick way to test your certificate is to try and connect using WebVPN.

Here are the steps:

  1. Import the downloaded certificate into your web browsers certificate store.
  2. Change the ASA default WebVPN group to certificate based authentication.  

asa-skyn3t(config)# tunnel-group DefaultWEBVPNGroup webvpn-attributes
asa-skyn3t(config-tunnel-webvpn)# authentication certificate
asa-skyn3t(config-tunnel-webvpn)# exit

  3. Connect to WebVPN via https://<ASA> IP/HOSTNAME>
  4. Your browser will then ask you to choose a digital certificate to authenticate with. 

Tags: ASA

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001