How do you want to issue a certificate without keys? In SSL when you use mutual authentication (client and server have certificates) if the SSL server sent a "client certificate request", the SSL client sends a random byte string encrypted with the client's private key, together with the client's digital certificate. Now you see those keys are used.
Regards,
Piotr

2011/9/6 Kingsley Charles <[email protected]>

> Hi Piotr
>
> I agree with that. But I would like to know, what's the purpose of those
> two keys with respect to SSLVPN.
>
> With regards
> Kings
>
> On Tue, Sep 6, 2011 at 5:16 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Kings,
>>
>> The ASA generates keys on behalf of the user and issues a certificate which
>> is transferred during the enrollment process to the client in PKCS12
>> (keys+cert) format. That's why there are two keys.
>>
>> Regards,
>> Piotr
>>
>> 2011/9/6 Kingsley Charles <[email protected]>
>>
>>> I did some investigation and based upon the debugs and documentation, the
>>> following is how the authentication happens for SSLVPN with clients.
>>>
>>> 1) The user is added to the ASA CA Server user db and an OTP is generated.
>>> 2) The user opens https://IP address/+CSCOCA+/enroll.html
>>> <https://asa2/+CSCOCA+/enroll.html> and enters the username/OTP.
>>> 3) The user downloads the certificate.
>>> 4) The user now logs into the SSLVPN portal and sends the certificate
>>> for authentication.
>>> 5) The ASA uses the Local CA server trustpoint to validate the signature.
>>> The downloaded/sent certificate signature is signed by the CA Server's
>>> private key. When the ASA gets the certificate from the user for sslvpn
>>> authentication, it generates the hash of the certificate. The signature from
>>> the certificate is decrypted using the CA Server public key and now both
>>> hashes are compared. If they are the same, then authentication passes.
>>>
>>> If I am missing something, please let me know.
>>>
>>> Now, one question is still not answered for me.
>>>
>>> Why does the ASA CA server put a public and private key in the user's
>>> certificate? What is the purpose of those keys?
>>> With regards
>>> Kings
>>>
>>> On Tue, Sep 6, 2011 at 1:27 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> HI Piotr
>>>>
>>>> As you said, the ASA CA Server is meant only for its sslvpn user
>>>> authentication.
>>>>
>>>> Snippet from
>>>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1067484
>>>>
>>>> The Local CA
>>>>
>>>> The Local Certificate Authority (Local CA) performs the following tasks:
>>>>
>>>> • Integrates basic certificate authority functionality on the security
>>>> appliance.
>>>> • Deploys certificates.
>>>> • Provides secure revocation checking of issued certificates.
>>>> • Provides a certificate authority on the adaptive security appliance for
>>>> use with SSL VPN connections, both browser- and client-based.
>>>> • Provides trusted digital certificates to users, without the need to
>>>> rely on external certificate authorization.
>>>> • Provides a secure in-house authority for certificate authentication and
>>>> offers straightforward user enrollment by means of a browser web page
>>>> login.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, Sep 6, 2011 at 1:11 PM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> Hi Piotr
>>>>>
>>>>> I just checked a downloaded certificate's usage from the ASA CA Server
>>>>> and it was signature type. Normally, the self-signed certificates from
>>>>> webservers will have usage type of encryption and the public key will be
>>>>> used for encrypting the master key sent by the client to the server. The
>>>>> client side doesn't need an encryption usage certificate and only
>>>>> requires a certificate with signature usage.
>>>>>
>>>>> With EAP, the client also would only require certificate usage type of
>>>>> signature and hence, I think the ASA CA server would suffice.
>>>>>
>>>>> Just sharing my thought.
>>>>> Practically, I have not tried with EAP :-)
>>>>>
>>>>> I have one more query.
>>>>>
>>>>> The downloaded certificate from the ASA CA server has a public key and
>>>>> a private key. Now, with the ASA CA server we don't enroll by sending PKCS#10
>>>>> which has the public key.
>>>>>
>>>>> Said with that, whose public and private key are present in the
>>>>> downloaded certificate? Does the ASA CA server create and add keys for
>>>>> each user?
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Tue, Sep 6, 2011 at 12:58 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>
>>>>>> Right, this is because ASA CA can only issue a certificate for SSL
>>>>>> purposes. You cannot use them in EAP I believe.
>>>>>>
>>>>>> Regards,
>>>>>> Piotr
>>>>>>
>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>
>>>>>>> Piotr,
>>>>>>>
>>>>>>> Does it mean that the ASA CA server has been implemented as a
>>>>>>> complement to its own webvpn feature? The ASA CA server can also be
>>>>>>> used to generate certificates for any users to authenticate with any other
>>>>>>> applications other than ASA WebVPN, isn't it?
>>>>>>>
>>>>>>> We need some web service for the CA Service. In IOS, we use the http server
>>>>>>> web service, not webvpn.
>>>>>>>
>>>>>>> But in ASA, we don't use the http service but rather the webvpn web service.
>>>>>>>
>>>>>>> Just wondering why Cisco didn't use the http server web service. If I
>>>>>>> need a CA Server alone for issuing identity certificates, why would I
>>>>>>> need to run WebVPN?
>>>>>>>
>>>>>>> For example, if I need a certificate for EAP TLS or EAP FAST
>>>>>>> authentication, I just need a CA Server, not WebVPN.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> On Tue, Sep 6, 2011 at 12:32 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>
>>>>>>>> What's the ASA CA purpose? To give out certificates for SSL
>>>>>>>> (clientless and full client), right? In both cases you need webvpn to
>>>>>>>> be enabled.
>>>>>>>> Regards,
>>>>>>>> Piotr
>>>>>>>>
>>>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>>>
>>>>>>>>> Hi Piotr
>>>>>>>>>
>>>>>>>>> Great, that made it work.
>>>>>>>>>
>>>>>>>>> But why do we need webvpn to be enabled? Is the CA server embedded with
>>>>>>>>> the WebVPN service?
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>> On Tue, Sep 6, 2011 at 11:33 AM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Kings,
>>>>>>>>>>
>>>>>>>>>> You need WebVPN to be enabled for that.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Piotr
>>>>>>>>>>
>>>>>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>>>>>
>>>>>>>>>>> Hi Piotr
>>>>>>>>>>>
>>>>>>>>>>> I don't have webvpn configured. I get the same log message even
>>>>>>>>>>> when I use the IP address. Do we need the http server enabled? I tried
>>>>>>>>>>> enabling the http server too and that didn't work for me.
>>>>>>>>>>>
>>>>>>>>>>> With regards
>>>>>>>>>>> Kings
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Sep 5, 2011 at 8:26 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Kings,
>>>>>>>>>>>>
>>>>>>>>>>>> Did you enable webvpn on the outside?
>>>>>>>>>>>> You can connect using the IP address as well.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Piotr
>>>>>>>>>>>>
>>>>>>>>>>>> 2011/9/5 Kingsley Charles <[email protected]>
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi all
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have configured the ASA for CA server and when I try to
>>>>>>>>>>>>> access the enrollment URL, I get the following logs. From the log
>>>>>>>>>>>>> reference for 710005, I think the CA server service is not running.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am trying to access the enrollment url using the host name
>>>>>>>>>>>>> https://asa2/+CSCOCA+/enroll.html and have defined the hostname to
>>>>>>>>>>>>> IP address mapping in the hosts file.
>>>>>>>>>>>>> I remember we can only access using the
>>>>>>>>>>>>> hostname, not the IP address.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Config*
>>>>>>>>>>>>>
>>>>>>>>>>>>> crypto ca server
>>>>>>>>>>>>>  subject-name-default cn=ca
>>>>>>>>>>>>>  smtp from-address [email protected]
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Logs*
>>>>>>>>>>>>>
>>>>>>>>>>>>> %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to
>>>>>>>>>>>>> outside:10.20.30.43/443
>>>>>>>>>>>>> %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to
>>>>>>>>>>>>> outside:10.20.30.43/443
>>>>>>>>>>>>>
>>>>>>>>>>>>> Snippet from
>>>>>>>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1285746
>>>>>>>>>>>>>
>>>>>>>>>>>>> 710005
>>>>>>>>>>>>>
>>>>>>>>>>>>> Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded
>>>>>>>>>>>>> from *source_address/source_port* to
>>>>>>>>>>>>> *interface_name:dest_address/service*
>>>>>>>>>>>>>
>>>>>>>>>>>>> Explanation This message appears when the Cisco ASA does
>>>>>>>>>>>>> not have a UDP server that services the UDP request. The message
>>>>>>>>>>>>> can also indicate a TCP packet that does not belong to any session on the
>>>>>>>>>>>>> Cisco ASA. In addition, this message appears (with the service *snmp*)
>>>>>>>>>>>>> when the Cisco ASA receives an SNMP request with an empty
>>>>>>>>>>>>> payload, even if it is from an authorized host. When the service is *snmp*,
>>>>>>>>>>>>> this message occurs a maximum of 1 time every 10 seconds so that
>>>>>>>>>>>>> the log receiver is not overwhelmed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Recommended Action In networks that heavily utilize
>>>>>>>>>>>>> broadcasting services such as DHCP, RIP or NetBios, the frequency
>>>>>>>>>>>>> of this message can be high. If this message appears in excessive numbers,
>>>>>>>>>>>>> it may indicate an attack.
>>>>>>>>>>>>> With regards
>>>>>>>>>>>>> Kings
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> For more information regarding industry leading CCIE Lab
>>>>>>>>>>>>> training, please visit www.ipexpert.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>>>>>> www.PlatinumPlacement.com
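The two checks the thread ends on, modelled as an added example that is not part of the thread and not Cisco's or the ASA's code: the issuing CA signs a hash of the certificate body with its private key, and the verifier recomputes that hash and checks it against the signature using the CA public key (the step Kings describes); separately, during mutual authentication the client proves it holds the private key that was bundled with its certificate by signing a server-supplied random value, which the server verifies with the public key taken from the certificate (the reason Piotr gives for the PKCS#12 bundle carrying both keys). In real TLS the client's proof is the CertificateVerify signature over the handshake transcript rather than a bare challenge, and real certificates are X.509, so everything here (textbook unpadded RSA, small keys, a JSON stand-in for the certificate body, the `enroll`, `issue_certificate`, `client_respond` and `server_authenticate` names) is a constructed illustration written for this page, using only the Python standard library.

```python
"""Toy model of CA issuance and client proof-of-possession.

Constructed for illustration only: textbook RSA without padding, 512-bit keys,
and a JSON dict standing in for an X.509 certificate body. Not for real use.
"""
import hashlib
import json
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public, private) textbook-RSA keys as dicts."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            n = p * q
            return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def sign(priv, data):
    """Sign SHA-256(data); the digest (256 bits) is always smaller than n."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, priv["d"], priv["n"])


def verify(pub, data, signature):
    """Recompute the hash and compare it with the 'decrypted' signature."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, pub["e"], pub["n"]) == h


def _tbs(body):
    # Deterministic encoding of the to-be-signed body (stand-in for DER).
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_priv, subject, subject_pub):
    body = {"subject": subject, "issuer": "cn=ca", "pub": subject_pub}
    return {"body": body, "signature": sign(ca_priv, _tbs(body))}


def enroll(ca_priv, username):
    """Model of local-CA enrollment: the CA generates the user's key pair and
    hands back certificate plus private key, like a PKCS#12 bundle."""
    pub, priv = generate_keypair()
    return {"cert": issue_certificate(ca_priv, username, pub), "key": priv}


def verify_certificate(ca_pub, cert):
    return verify(ca_pub, _tbs(cert["body"]), cert["signature"])


def client_respond(bundle, challenge):
    """Client proves possession of the bundled private key."""
    return sign(bundle["key"], challenge)


def server_authenticate(ca_pub, cert, challenge, response):
    """Check the CA signature on the cert, then the proof of possession."""
    if not verify_certificate(ca_pub, cert):
        return False
    return verify(cert["body"]["pub"], challenge, response)


def demo():
    ca_pub, ca_priv = generate_keypair()
    bundle = enroll(ca_priv, "kings")
    challenge = secrets.token_bytes(32)
    ok = server_authenticate(ca_pub, bundle["cert"], challenge,
                             client_respond(bundle, challenge))
    # Valid cert presented with a response from someone else's private key.
    other = enroll(ca_priv, "other")
    wrong_key = server_authenticate(ca_pub, bundle["cert"], challenge,
                                    client_respond(other, challenge))
    # Cert body altered after issuance fails the CA signature check.
    tampered = {"body": dict(bundle["cert"]["body"], subject="admin"),
                "signature": bundle["cert"]["signature"]}
    tampered_ok = verify_certificate(ca_pub, tampered)
    return ok, wrong_key, tampered_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The second and third cases in `demo` are the ones worth keeping in mind: a certificate alone authenticates nobody, because anyone who has seen it could replay it, so the server must also see a signature that only the bundled private key can produce; and the CA signature check ties the public key in the certificate to the subject, so a body edited after issuance is rejected.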
