Sunday, December 27, 2009

Free SSL Cert on Cisco ASA for WebVPN - Anyconnect

So I received a nice article on How to obtain and install an SSL/TLS certificate, for free.  The site  describes how to acquire a Class 1 certificate at no cost.  Basically, a Class 1 cert only validates a legal email on the domain.  Your traffic will be encrypted though.  

The instruction below is how to apply and use the free certificate on the Cisco ASA firewall not how to create the anyconnect configuration.

StartSSL uses an S/MIME personal certificate to let you log in after sign-up.  You will create this certificate and one other for free.

Start at the Authenticate or Sign-Up page.
Create Account for your domain. 
Log into account
You'll see 3 options
Tool Box, Certificates Wizard, Validations Wizard.
Pick Validations Wizard and change drop down time to Domain Name Validation.
Fill out domain name, press continue.
Pick email address to get validation key.  Follow instructions.

Go to Certificates Wizard.
Pick Web Server SSL/TLS Certificate for Certificate Target
Generate Private Key, I left keysize to 2048
!! I know the ASA can generate CSR, but StartCom only accepts SHA and the ASA generates using MD5.
A private Key is generated.  Save as ssl.key - Important to save this certificate.
Continue through following instruction.

Tool Box
Retrieve Certificate
 - pick Certificate just created.
  - should be 2 in there, the one for the browser to use the StartCom site and one for the Server - Class 1)
 - copy and paste certificate.

Go go Create PKCS#12 (PFX) File
 - copy and paste private key into Private Key box
 - copy and paste certificate you just grabbed into Enter Certificate box.
 - provide a password
 - save p12 file that is created, this will be imported into the ASDM.

In ASDM
 - Configuration
  - Device Management
   - Certificate Management
    - Identity Certificates
    - Add
    - Create Trustpoint Name (Startcom-SSL)
    - Enter Decryption Passphrase used earlier
    - import p12 file.
    - Add Certificate.
  - Advanced
   - SSL Settings
   - Change outside trustpoint to one created earlier (Startcom-SSL)
-Apply
-Save

7 comments:

Unknown said...

worked first time, thx for that!

m.ijaz said...

It's been a while since I wrote a walk though on the cisco AnyConnect/SSL VPN solution, and usually I secure these with Active Directory or simply using the local user database on the firewall. But what if you wanted to use certificates instead? Perhaps your users are too "technically challenged" to remember their passwords. Or you want to enable two factor authentication with usernames/passwords AND certificates (something you know and something you have).

Unknown said...

Hi guys... i'm probably doing something wrong, because i can't seem to get this working for my ASA.
I have followed the procedure but it gives me an error:
"ERROR: Import PKCS12 operation failed"

Mark weins said...

Hi there! This is my first visit to your blog! We are a team of volunteers and starting a new project in a community in the same niche. Your blog provided us beneficial information to work on. You have done a extraordinary job! webflow developers

Unknown said...

Enjoyed reading this, very good stuff, thankyou . webflow development agency

sdexter said...

Excellent blog right here! Also your site a lot up very fast! What web host are you the use of? Can I am getting your associate link to your host? I want my site loaded up as quickly as yours lol ux design agency

Walkeaz said...

After research a number of of the weblog posts on your web site now, and I really like your manner of blogging. I bookmarked it to my bookmark website record and will be checking back soon. Pls try my web site as effectively and let me know what you think. front end service