

This document describes the installation of a third-party trusted SSL digital certificate on the ASA for Clientless SSL VPN and AnyConnect connections. A GoDaddy certificate is used in this example. Each step contains the Adaptive Security Device Manager (ASDM) procedure and the CLI equivalent.

This document requires access to a trusted third-party Certificate Authority (CA) for certificate enrollment. Examples of third-party CA vendors include, but are not limited to, Baltimore, Cisco, Entrust, Geotrust, GoDaddy, Microsoft, RSA, Thawte, and VeriSign.

Before starting, verify that the ASA has the correct clock time, date, and time zone. With certificate authentication, it is recommended to use a Network Time Protocol (NTP) server to synchronize the time on the ASA. The Cisco ASA Series General Operations CLI Configuration Guide, 9.1 details the steps to take in order to set up the time and date correctly on the ASA.

This document uses an ASA 5500-X that runs software version 9.4.1 and ASDM version 7.4(1). The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

The SSL protocol mandates that the SSL server provide the client with a server certificate so that the client can perform server authentication. Cisco does not recommend the use of a self-signed certificate because of the possibility that a user could inadvertently configure a browser to trust a certificate from a rogue server. There is also the inconvenience to users of having to respond to a security warning when they connect to the secure gateway. It is recommended to use trusted third-party CAs to issue SSL certificates to the ASA for this purpose.

The lifecycle of a third-party certificate on the ASA essentially takes place with these steps:

CSR generation is the first step in the lifecycle of any X.509 digital certificate. Once the private/public Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) keypair is generated (Appendix A details the difference between the use of RSA or ECDSA), a Certificate Signing Request (CSR) is created. A CSR is a PKCS10 formatted message that contains the public key and identity information of the host which sends the request. PKI Data Formats explains the different certificate formats applicable to the ASA and Cisco IOS®.

1. Check with the CA on the required keypair size. The CA/Browser Forum has mandated that all certificates generated by their member CAs have a minimum size of 2048 bits.
2. The ASA currently does not support 4096 bit keys (Cisco bug ID CSCut53512) for SSL server authentication. However, IKEv2 does support the use of 4096 bit server certificates on the ASA 5580, 5585, and 5500-X platforms alone.
3. Use the DNS name of the ASA in the FQDN field of the CSR in order to prevent Untrusted Certificate warnings and to pass the Strict Certificate check.

Configure CSR generation with ASDM:

1. Navigate to Configuration > Remote Access VPN > Certificate Management, and choose Identity Certificates.
2. Define a trustpoint name in the Trustpoint Name input field.
3. Click the Add a new identity certificate radio button.
4. Click the Enter new key pair name radio button and identify the key pair name for recognition purposes. Choose General Purpose for Usage if using RSA (refer to Appendix A to understand the differences between RSA and ECDSA).
5. To define the Certificate Subject DN, click Select, and configure the attributes listed in this table:
   To configure these values, choose a value from the Attribute drop-down list, enter the value, and click Add. Note: Some third-party vendors require particular attributes to be included before an identity certificate is issued. If unsure of the required attributes, check with the vendor for details. After the appropriate values are added, click OK. The Add Identity Certificate dialog box appears with the Certificate Subject DN field populated.
6. In the FQDN field, enter the FQDN that is used to access the device from the Internet.
7. Leave the Enable CA flag in basic constraints extension option checked. Certificates without the CA flag now cannot be installed on the ASA as CA certificates by default. The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.
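As an added example that is not part of the Cisco document or of any Cisco tool: a POSIX shell script using the OpenSSL CLI (assumed to be installed) that generates a PKCS#10 CSR off-box and checks it against the three points above, a 2048-bit minimum, no 4096-bit key for SSL server authentication, and the DNS name of the ASA as the subject name, before the request goes to the CA. The FQDN vpn.example.com and the subject attribute values are placeholders. On the ASA itself the key pair and CSR are produced on the device with the ASDM steps described; this script shows what to verify in the resulting CSR (for example after pasting the CSR text from ASDM into a file) and applies the same checks to any RSA CSR.

```shell
#!/bin/sh
# Added example, not part of the Cisco document. Generates a PKCS#10 CSR with the
# OpenSSL CLI (assumed installed) and checks it against the document's three notes
# before it is submitted to the CA. The FQDN vpn.example.com is a placeholder.

WORKDIR="$(mktemp -d)"

# Write a minimal openssl req config so the CSR carries the FQDN in both the
# Subject CN and a DNS subjectAltName (what browsers and strict checks compare).
write_req_config() {
    fqdn="$1"
    cat > "${WORKDIR}/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C = US
ST = California
L = San Jose
O = Example Corp
OU = IT
CN = ${fqdn}
[ext]
subjectAltName = DNS:${fqdn}
EOF
}

# gen_csr BITS FQDN NAME: create NAME.key and NAME.csr under WORKDIR with an RSA key of BITS bits.
gen_csr() {
    write_req_config "$2"
    openssl req -new -newkey "rsa:$1" -nodes -config "${WORKDIR}/req.cnf" \
        -keyout "${WORKDIR}/$3.key" -out "${WORKDIR}/$3.csr" >/dev/null 2>&1
}

# check_csr CSR FQDN: returns 0 when the CSR satisfies all three notes, otherwise
# prints the first failed check and returns 1. RSA keys only (ECDSA is not handled).
check_csr() {
    csr="$1"
    fqdn="$2"

    # A CSR is self-signed with the requested key; a broken signature means a corrupt paste.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "FAIL: CSR self-signature does not verify"; return 1; }

    # Notes 1 and 2: CA/Browser Forum minimum is 2048 bits; the ASA rejects 4096 for SSL server auth.
    bits="$(openssl req -in "$csr" -noout -pubkey 2>/dev/null \
            | openssl rsa -pubin -noout -text 2>/dev/null \
            | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')"
    [ -n "$bits" ] || { echo "FAIL: public key is not RSA"; return 1; }
    [ "$bits" -ge 2048 ] || { echo "FAIL: key is ${bits} bits, CA/Browser Forum minimum is 2048"; return 1; }
    [ "$bits" -lt 4096 ] || { echo "FAIL: ${bits}-bit key is not supported by the ASA for SSL server auth"; return 1; }

    # Note 3: the DNS name clients connect to must be the subject CN and appear in the SAN.
    cn="$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')"
    [ "$cn" = "$fqdn" ] || { echo "FAIL: subject CN '${cn}' does not match FQDN '${fqdn}'"; return 1; }
    openssl req -in "$csr" -noout -text | grep -q "DNS:${fqdn}" \
        || { echo "FAIL: subjectAltName lacks DNS:${fqdn}"; return 1; }

    echo "OK: ${bits}-bit RSA CSR for ${fqdn}"
    return 0
}

# Demonstration run: a compliant 2048-bit request for the placeholder FQDN.
gen_csr 2048 vpn.example.com asa
check_csr "${WORKDIR}/asa.csr" vpn.example.com
```

The check deliberately fails on a 1024-bit key (below the CA/Browser Forum minimum), on a 4096-bit key (not accepted by the ASA for SSL server authentication per the note above), and on a subject name that differs from the name users type into the browser, which is the case that produces the Untrusted Certificate warning the document refers to.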
