Sunday, December 27, 2009

Free SSL Cert on Cisco ASA for WebVPN - Anyconnect

I came across a useful article on how to obtain and install an SSL/TLS certificate for free. The site (StartSSL, run by StartCom) issues a Class 1 certificate at no cost. A Class 1 cert only validates that you control an email address on the domain; it says nothing about your organization. The TLS session is encrypted just the same, and clients that trust the StartCom root will accept the certificate without a warning.

The instructions below cover how to obtain the free certificate and install it on the Cisco ASA firewall; they do not cover building the AnyConnect configuration itself.

StartSSL issues an S/MIME client certificate at sign-up and uses it to log you in afterwards. You will create that client certificate and one server certificate, both free.

Start at the Authenticate or Sign-Up page.
Create an account for your domain.
Log into the account.
You'll see 3 options:
Tool Box, Certificates Wizard, Validations Wizard.
Pick Validations Wizard and set the drop-down to Domain Name Validation.
Fill in the domain name and press Continue.
Pick an email address at the domain to receive the validation code, then follow the instructions.

Go to Certificates Wizard.
Pick Web Server SSL/TLS Certificate as the Certificate Target.
Generate Private Key; I left the key size at 2048.
!! I know the ASA can generate a CSR, but StartCom only accepts SHA-signed requests and the ASA signs its CSRs with MD5.
A private key is generated. Save it as ssl.key. This is the private key for your server certificate, not the certificate itself: if you lose it the certificate is useless, and anyone who obtains it can impersonate your VPN. Because the wizard generates the key on the StartSSL site rather than on your own machine, generating it locally with openssl and submitting only a SHA-signed CSR is the safer option, and it sidesteps the MD5 problem as well.
Continue through the following instructions.

Tool Box
Retrieve Certificate
 - pick the certificate just created.
   (there should be two: the client certificate your browser uses for the StartCom site, and the Class 1 server certificate)
 - copy and paste the certificate and save it.

Go to Create PKCS#12 (PFX) File
 - copy and paste the private key into the Private Key box.
 - copy and paste the certificate you just retrieved into the Enter Certificate box.
 - provide a password; you will need it again when importing on the ASA.
 - save the .p12 file that is created; this is what you import through ASDM.

In ASDM
 - Configuration
   - Device Management
     - Certificate Management
       - Identity Certificates
       - Add
       - Create a trustpoint name (Startcom-SSL)
       - Enter the decryption passphrase you set when creating the PKCS#12 file
       - Import the .p12 file.
       - Add Certificate.
   - Advanced
     - SSL Settings
     - Change the outside interface's trustpoint to the one created above (Startcom-SSL)
 - Apply
 - Save
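The same steps done with openssl on your own machine, as an added example that is not part of the original post: the key and a SHA-256-signed CSR are generated locally (so only the CSR goes to the CA and the MD5 objection to the ASA's CSR does not arise), the PKCS#12 is built with openssl instead of the Tool Box, and the bundle is checked with the same passphrase before you go near ASDM. It assumes openssl is on PATH; vpn.example.com and the passphrase are placeholders, and the self-signing step is a stand-in for the certificate you would retrieve from the CA.

```shell
#!/bin/sh
# Added example, not from the original post: generate the key and a SHA-256-signed
# CSR locally, build the PKCS#12 with openssl instead of the StartSSL Tool Box, and
# verify it opens before you try to import it on the ASA.
# Assumptions: openssl is on PATH; vpn.example.com and the passphrase are placeholders.
set -eu

VPN_FQDN="vpn.example.com"      # hypothetical hostname of the WebVPN/AnyConnect portal
P12_PASS="ChangeMe-p12-pass"    # hypothetical PKCS#12 passphrase; ASDM asks for it on import

# 1. Private key and CSR. The key never leaves this machine; only ssl.csr goes to the CA.
#    -sha256 gives the SHA-signed request StartCom wants (the ASA's own CSR is MD5-signed).
gen_key_and_csr() {
  openssl genrsa -out ssl.key 2048 2>/dev/null
  openssl req -new -sha256 -key ssl.key -subj "/CN=$VPN_FQDN" -out ssl.csr
}

# 2. Read back the CSR's signature algorithm so you can confirm it before pasting it into the CA's form.
csr_sig_alg() {
  openssl req -in ssl.csr -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# 3. Stand-in for the CA step. Offline we self-sign so the rest of the pipeline can run;
#    for real use, delete ssl.crt and save the certificate retrieved from the Tool Box under that name.
self_sign_for_demo() {
  openssl x509 -req -sha256 -days 30 -in ssl.csr -signkey ssl.key -out ssl.crt 2>/dev/null
}

# 4. Pack key + certificate into a PKCS#12. The explicit 3DES/SHA-1 settings are the
#    classic PKCS#12 encodings; some ASA releases reject the AES/PBKDF2 defaults of newer
#    OpenSSL and report "Import PKCS12 operation failed" instead.
build_p12() {
  openssl pkcs12 -export -inkey ssl.key -in ssl.crt -name "$VPN_FQDN" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$P12_PASS" -out ssl.p12
}

# 5. Check the bundle opens with the passphrase you will type into ASDM. A wrong passphrase
#    is the other common cause of that ASA import error; this catches it before you get there.
verify_p12() {
  openssl pkcs12 -in ssl.p12 -noout -passin "pass:$P12_PASS"
}

# 6. Base64 text of the bundle, which is what the ASA CLI import expects to have pasted in.
p12_base64() {
  openssl base64 -in ssl.p12
}

WORKDIR="$(mktemp -d)"
cd "$WORKDIR"
gen_key_and_csr
echo "CSR signature algorithm: $(csr_sig_alg)"
self_sign_for_demo
build_p12
verify_p12 && echo "ssl.p12 opens with the passphrase; ready to import"
echo "files in $WORKDIR: ssl.key ssl.csr ssl.crt ssl.p12"
```

If you prefer the ASA CLI to ASDM, the equivalent of the Identity Certificates and SSL Settings steps is `crypto ca import Startcom-SSL pkcs12 <passphrase>`, then paste the base64 text from `p12_base64` followed by a line containing `quit`, and finally `ssl trust-point Startcom-SSL outside`. Keep ssl.key and ssl.p12 off shared drives and delete the working directory once the import has succeeded; both files contain the private key.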

4 comments:

LDiddy said...

Great article, exactly what I was looking for. I'm setting up a certificate for our AnyConnect SSL VPN users and didn't want to deal with certificate errors.

Thanks for taking the time to share!

marekmaxpabianice said...

worked first time, thx for that!

m.ijaz said...

It's been a while since I wrote a walk though on the cisco AnyConnect/SSL VPN solution, and usually I secure these with Active Directory or simply using the local user database on the firewall. But what if you wanted to use certificates instead? Perhaps your users are too "technically challenged" to remember their passwords. Or you want to enable two factor authentication with usernames/passwords AND certificates (something you know and something you have).

Francisco Batista said...

Hi guys... I'm probably doing something wrong, because I can't seem to get this working for my ASA.
I have followed the procedure but it gives me an error:
"ERROR: Import PKCS12 operation failed"