How do you set up a Cisco ASA SSL VPN using a CA-supplied cert?
You need three things here.
- The new certificate – vpn.ianh.net.au.crt.
- The new certificate’s key – vpn.ianh.net.au.key.
- The new certificate’s CA bundle, including any intermediate certificates – vpn.ianh.net.au.ca-bundle.
First we combine the certificate and key into a base64-encoded PKCS12 file, with a password of ‘areallystrongpassword’. This password is only required during the import process; we delete the file once the import is complete.
ianh@linux:~/cert$ openssl pkcs12 -CAfile vpn.ianh.net.au.ca-bundle -in vpn.ianh.net.au.crt -inkey vpn.ianh.net.au.key -nodes -export -out vpn.ianh.net.au.p12
Enter Export Password: areallystrongpassword
Verifying - Enter Export Password: areallystrongpassword
ianh@linux:~/cert$ openssl base64 -in vpn.ianh.net.au.p12 -out vpn.ianh.net.au.b64p12
ianh@linux:~/cert$ cat vpn.ianh.net.au.b64p12
***lots of cert, copy this output to clipboard for next step***
Then we create a new trust point on the ASA pasting in the base 64 armoured PKCS12 certificate file.
asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca import VPN pass areallystrongpassword
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
***paste cert here***
quit
INFO: Import PKCS12 operation completed successfully
Then we add the CA bundle (yes, you do have to do ‘en term’ again):
asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca authenticate VPN
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
***Paste CA bundle here***
quit
INFO: Certificate has the following attributes:
Fingerprint: 83ea0465 b722ed33 ff0b4f53 5e1d396b
Do you accept this certificate? [yes/no]: yes
Trustpoint 'VPN' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported
asa(config)# exit
asa#
If this is a replacement certificate, you may need to point webvpn/DTLS at the new trust point.
asa(config-webvpn)# no ssl trust-point VPN outside
asa(config-webvpn)# ssl trust-point VPN outside
Then you need to save the config to force the DTLS process to look at the new certificate.
asa# wr
Building configuration...
Cryptochecksum: 1c43aaba fbb00b48 2b771bef e5a3598d
154662 bytes copied in 0.890 secs
[OK]
asa#
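Once the config is saved, the quickest way to confirm the ASA is really presenting the new certificate (and not the old one still cached by the DTLS process) is to compare the SHA-256 fingerprint it serves with the fingerprint of vpn.ianh.net.au.crt, before that file is deleted in the next step. This is an added example and not part of the original post; it assumes OpenSSL on the workstation and that the SSL VPN answers on port 443 on the outside interface, and the function names (file_fingerprint, served_fingerprint, served_matches_file) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): after 'wr', confirm the ASA is presenting the
# new certificate by comparing the SHA-256 fingerprint it serves with the one in the file.
# Assumes OpenSSL is installed; host, port and certificate file are passed as arguments.

# SHA-256 fingerprint (colon-separated hex) of the certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate presented by host:port. The SNI name defaults
# to the host; pass a third argument when connecting by IP address.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "${3:-$1}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Returns 0 when the served certificate is the one in the file ($3); $4 is the optional SNI name.
served_matches_file() {
    want=$(file_fingerprint "$3")
    got=$(served_fingerprint "$1" "$2" "${4:-$1}")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage: sh check-served.sh vpn.ianh.net.au 443 vpn.ianh.net.au.crt
if [ "$#" -ge 3 ]; then
    if served_matches_file "$1" "$2" "$3" "${4:-$1}"; then
        echo "OK: $1:$2 is serving $3"
    else
        echo "MISMATCH: $1:$2 is not serving $3 (is 'ssl trust-point' applied and the config saved?)" >&2
        exit 1
    fi
fi
```

An empty fingerprint from served_fingerprint means the handshake failed altogether (wrong port, or the VPN not yet listening), which the comparison also treats as a mismatch rather than silently passing.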
Don’t forget to delete the certificate files from your workspace to keep them secure.
ianh@linux:~/cert$ rm vpn.ianh.net.au.crt vpn.ianh.net.au.key vpn.ianh.net.au.ca-bundle vpn.ianh.net.au.p12 vpn.ianh.net.au.b64p12