Wednesday, May 7, 2008

Obtain a Digital Certificate from a Microsoft Windows CA using ASDM on an ASA

How to obtain a Digital Certificate from a Microsoft Windows CA using ASDM on an ASA (Cisco Systems)
Digital certificates can be used to authenticate network devices and users on the network. In particular, they can authenticate the peers that negotiate IPSec sessions between network nodes.
Cisco devices identify themselves securely on a network in three main ways:

Pre-Shared Keys. Two or more devices hold the same shared secret key. Peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key. If the receiving peer can compute the same hash independently with its own copy of the key, it knows that both peers share the same secret, which authenticates the other peer. This method is manual and not very scalable: every peer pair needs its own key to be distributed out of band, and a key that is shared by a group of peers is exposed as soon as any one of them is compromised.

Self-Signed Certificates. A device generates its own certificate and signs it itself, so nothing but the device vouches for its validity. This type of certificate should have limited usage. Securing HTTPS access for configuration purposes is a good example (SSH does not use the certificate at all; the device authenticates SSH sessions with its RSA host key). A separate username/password pair is still needed to complete the connection, because the certificate only identifies the device, not the administrator.
Note: Persistent Self-Signed Certificates survive router reloads because they are saved in the nonvolatile random-access memory (NVRAM) of the device. Refer to Persistent Self-Signed Certificates for more information. Another example of use is with SSL VPN (WebVPN) connections, provided the clients are given the certificate to trust ahead of time; otherwise they have no way to tell the device's self-signed certificate from one presented by an attacker and will warn on every connection.

Certificate Authority Certificate. A trusted third party, the CA, validates the identity of each node that wants to communicate and issues it a certificate. Each node has a public and private key pair; the node proves its identity by signing with its private key, and the peer verifies that signature with the public key found in the node's certificate. The CA's own signature on that certificate binds the public key to the node's identity. Because every node trusts the same CA, and can check the CA's signature on any certificate it is shown, nodes that have never exchanged keys directly can still be assured of each other's identities. The ASA can obtain a digital certificate from a third-party CA with a manual enrollment method or an automatic enrollment method.
Note: The enrollment method and type of digital certificate you choose depend on the features and functions of each third-party product. Contact the vendor of the certificate service for more information.

The Cisco Adaptive Security Appliance (ASA) can use pre-shared keys or digital certificates issued by a third-party Certificate Authority (CA) to authenticate IPSec connections. In addition, the ASA can produce its own self-signed digital certificate. That self-signed certificate should be reserved for HTTPS and Cisco Adaptive Security Device Manager (ASDM) connections to the device itself; SSH sessions are authenticated by the device's RSA host key, not by a certificate.

This document demonstrates the procedure for automatically obtaining a digital certificate from a Microsoft Certificate Authority (CA) for the ASA. It does not cover the manual method of enrollment. The configuration steps are performed in ASDM, and the resulting command-line interface (CLI) configuration is presented as well.
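The CLI configuration below is an added illustration of what the automatic (SCEP) enrollment described above produces on an ASA 8.x; it is not the configuration from the original document. The Microsoft CA is reached through its SCEP service (the SCEP add-on on Windows Server 2003, NDES on Windows Server 2008), and every name and address in it (ca.example.com, asa.example.com, the trustpoint MS-CA, the key pair ASA-KEY, the peer 203.0.113.5, the NTP server 192.0.2.10) is a placeholder chosen for the example. The same trustpoint is then used both for ASDM/HTTPS and to replace a pre-shared key on a site-to-site IPSec tunnel, which ties the three authentication methods described above together.

```text
! Added example: ASA 8.x CLI equivalent of the ASDM enrollment steps.
! All names and addresses are placeholders, not values from the original page.
hostname asa
domain-name example.com
! Certificate validity periods are checked against the ASA clock, so set
! the time first or the freshly issued certificate can be rejected as "not yet valid".
ntp server 192.0.2.10
!
! 1. Dedicated RSA key pair for the identity certificate (keep it separate
!    from the default key pair used by SSH).
crypto key generate rsa label ASA-KEY modulus 2048
!
! 2. Trustpoint pointing at the Microsoft CA's SCEP enrollment URL.
crypto ca trustpoint MS-CA
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 enrollment retry period 1
 enrollment retry count 5
 subject-name CN=asa.example.com,OU=Network,O=Example
 fqdn asa.example.com
 keypair ASA-KEY
 ! Default is revocation-check none; enable CRL checking if the CDP is reachable.
 revocation-check crl
!
! 3. Fetch the CA certificate over SCEP. The ASA prints its fingerprint and
!    asks whether to accept it: compare that fingerprint with the one shown
!    on the CA itself before answering yes, because the download is plain HTTP.
crypto ca authenticate MS-CA
!
! 4. Request the identity certificate. The ASA prompts for the one-time SCEP
!    challenge password displayed on the CA (http://ca.example.com/certsrv/mscep/
!    on the 2003 add-on, /certsrv/mscep_admin/ on 2008 NDES); it expires quickly.
crypto ca enroll MS-CA
!
! 5a. Present the CA-issued certificate for ASDM/HTTPS on the outside interface
!     instead of the self-signed one. The fqdn above must match the name
!     administrators type into the browser, or they still get a warning.
ssl trust-point MS-CA outside
!
! 5b. Site-to-site IPSec peer authenticated by certificate. The weak setting
!     this replaces would be:
!       tunnel-group 203.0.113.5 ipsec-attributes
!        pre-shared-key <shared secret>
!     with "authentication pre-share" in the ISAKMP policy.
crypto isakmp identity auto
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 trust-point MS-CA
crypto map OUTSIDE_MAP 10 set trustpoint MS-CA
!
! Verify: both the CA certificate and the identity certificate should be
! listed under the trustpoint, with sensible validity dates.
show crypto ca certificates MS-CA
show crypto ca trustpoints
```

The check that matters most is step 3: `crypto ca authenticate` is the moment the ASA decides whom to trust, and SCEP gives it no way to verify the CA certificate on its own. Reading the fingerprint from the CA's own console (or from an administrator who has) and comparing it before accepting is what prevents an attacker on the path from substituting a CA of their own. Once the ASA trusts the wrong CA, every IPSec peer that CA vouches for is accepted without any pre-shared key or password.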

2 comments:

Lia said...

Nice

Natalia said...

Thanks a lot for explaining about how to obtain a digital certificate. You have explained the whole process in detail. I find this article very helpful. Keep sharing more good stuff in future also.