Within this tutorial we will show you the necessary steps in configuring your ASA as a CA server.
Time/Date
First of all we set the time and date and confirm it with show clock, since the validity periods of the certificates the CA issues are taken from this clock.
asa-skyn3t(config)# show clock
08:05:40.249 UTC Sun Sep 30 2012
Enable CA
Next we enable the ASA as a CA server.
asa-skyn3t(config)# crypto ca server
asa-skyn3t(config-ca-server)# subject-name-default cn=skyn3tca, o=skyn3t, c=UK
asa-skyn3t(config-ca-server)# no shutdown
% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: **********
Re-enter passphrase: **********
Keypair generation process begin. Please wait…
Completed generation of the certificate and keypair…
Archiving certificate and keypair to storage… Complete
INFO:
Certificate Server enabled.
Remove
If at any point you need to clear the CA server configuration from your ASA, the following commands are used.
asa-skyn3t(config)# clear configure crypto ca server
INFO: Local CA Server has been removed.
Enable Web Access
Next we enable web access.
asa-skyn3t(config)# webvpn
asa-skyn3t(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on ‘inside’.
Create User Certificate
We then add 'user1' to the CA user database and allow enrollment. This provides us with the One Time Password (OTP) that we will use shortly to download the certificate.
asa-skyn3t(config)# crypto ca server user-db add user1
asa-skyn3t(config)# crypto ca server user-db allow user1 display-otp
Username: user1
OTP: 609A014A394E4F98
Enrollment Allowed Until: 08:07:25 UTC Wed Oct 3 2012
Download Certificate
Next, download the certificate via a browser by going to https://<ASA IP/HOSTNAME>/+CSCOCA+/login.html and using the previously supplied One Time Password.
Show CA User Database
To confirm the user enrollment details, the following show command is used:
asa-skyn3t# sh crypto ca server user-db
username: user1
email: <None>
dn: <None>
allowed: 08:07:25 UTC Wed Oct 3 2012
notified: 1 times
enrollment status: Enrolled, Certificate valid until 08:10:13 UTC Mon Sep 30 2013,
Renewal: Allowed
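As an added example (not part of the original tutorial), the script below parses the user-db output above together with the show clock format from the first section and flags users whose OTP is still outstanding, whose enrollment window lapsed unused, or whose certificate has expired or expires within 30 days. It assumes the ASA clock is set to UTC as on this page; the sample output is constructed from the page's user1 record.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the page's "show crypto ca server user-db" record for user1.
SAMPLE_OUTPUT = """\
username: user1
email: <None>
dn: <None>
allowed: 08:07:25 UTC Wed Oct 3 2012
notified: 1 times
enrollment status: Enrolled, Certificate valid until 08:10:13 UTC Mon Sep 30 2013,
Renewal: Allowed
"""

def parse_asa_time(text):
    # Accepts "08:07:25 UTC Wed Oct 3 2012" (user-db) and "08:05:40.249 UTC Sun Sep 30 2012" (show clock); assumes UTC.
    text = text.strip().rstrip(",")  # user-db output ends the date with a comma
    fmt = "%H:%M:%S.%f UTC %a %b %d %Y" if "." in text.split()[0] else "%H:%M:%S UTC %a %b %d %Y"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def parse_user_db(text):
    # One dict per "username:" block; fields such as email and dn are skipped.
    records, cur = [], None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "username":
            cur = {"username": value, "allowed_until": None, "enrolled": False, "cert_valid_until": None}
            records.append(cur)
        elif cur is not None and key == "allowed":
            cur["allowed_until"] = parse_asa_time(value)
        elif cur is not None and key == "enrollment status":
            cur["enrolled"] = value.startswith("Enrolled")
            match = re.search(r"valid until (.+)", value)
            cur["cert_valid_until"] = parse_asa_time(match.group(1)) if match else None
    return records

def review(records, now, warn_days=30):
    # Flags unused OTPs (window still open), lapsed enrollments and expired/expiring certificates.
    findings = {}
    for rec in records:
        exp = rec["cert_valid_until"]
        if not rec["enrolled"]:
            window_open = rec["allowed_until"] is not None and now < rec["allowed_until"]
            status = "otp-outstanding" if window_open else "never-enrolled"
        elif exp is None:
            status = "unknown-expiry"
        else:
            status = "expired" if now >= exp else "expiring" if (exp - now).days < warn_days else "ok"
        findings[rec["username"]] = status
    return findings
```

Run it against the output of show clock and show crypto ca server user-db to spot outstanding OTPs that should be cleaned up and certificates that need renewal before they lapse.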
Install / Test Certificate
As you will appreciate, there are a number of VPN methods and ways in which you can use the previously created user certificate.
A quick way to test your certificate is to try to connect using WebVPN.
Here are the steps:
1. Import the downloaded certificate into your web browser's certificate store.
2. Change the ASA default WebVPN group to certificate based authentication.
asa-skyn3t(config)# tunnel-group DefaultWEBVPNGroup webvpn-attributes
asa-skyn3t(config-tunnel-webvpn)# authentication certificate
asa-skyn3t(config-tunnel-webvpn)# exit
3. Connect to WebVPN via https://<ASA IP/HOSTNAME>
4. Your browser will then ask you to choose a digital certificate to authenticate with.