The ASA CA Server is not a fully functional CA Server. It is built
specifically for ASA to support certificate based authentication for
WebVPN.
The ASA generates a cert and gives it to the WebVPN user. Here you need to
know that the ASA generates a private key, which is included in the cert given
to the user. You can check that by exporting the cert and looking inside. So
the ASA CA server is not meant for IPsec. It can be used only for WebVPN, i.e.,
to grant web certificates, which you should put in the personal folder, not
the trusted folder, of the Windows certificate store.

Now when you are going to use the IOS CA server the case is different. You
enroll the ASA to the IOS CA server. The ASA uses this CA server trustpoint
to verify the client cert.

Now how did I get it for the PC? You can go to mmc > certs and try to enroll
to the CA server. But for some reason I couldn't do that, because Windows
restricted it, telling me I did not have permissions even though I was logged in
as administrator. So I went to IIS and from there I requested a cert. Well,
that is complicated and surely out of scope. If you want to, you can
try it. In this case, the client generates its private keys. You get a
regular signed cert from the IOS CA server and you can use that for WebVPN
certificate authentication.
With regards
Kings
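As an added example, not code from this thread: a PowerShell script that checks an exported client certificate the way Kings suggests (whether the bundle carries a private key, whether its EKU allows client authentication for SSL VPN) and installs it into the Personal store rather than Trusted Root. The file path and password are placeholders.

```powershell
# Added example (not from the thread). Inspect a client certificate bundle as
# exported from the ASA local CA (PKCS#12 .p12/.pfx) or issued by an IOS CA via
# SCEP (.cer), then install it into the CurrentUser Personal ("My") store.
param(
    [Parameter(Mandatory = $true)][string]$Path,   # placeholder, e.g. C:\certs\vpnuser.p12
    [string]$Password = ''                         # PKCS#12 import password, if any
)

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)

# 1. Key provenance: a .p12 from the ASA local CA contains the private key the
#    ASA generated server-side. With an IOS CA and SCEP the key pair is generated
#    on the client and never leaves it, so a bare .cer reports HasPrivateKey = False.
"Subject        : $($cert.Subject)"
"Issuer         : $($cert.Issuer)"
"HasPrivateKey  : $($cert.HasPrivateKey)"

# 2. EKU check: SSL VPN client-certificate authentication needs the Client
#    Authentication purpose (OID 1.3.6.1.5.5.7.3.2), unless the extension is
#    absent entirely (no restriction on purpose).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($null -eq $eku) {
    'EKU            : none (any purpose)'
    $usable = $true
} else {
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    "EKU            : $($oids -join ', ')"
    $usable = $oids -contains $clientAuthOid
}
"ClientAuth OK  : $usable"

# 3. Store placement: a user certificate belongs in Personal (My). Only the CA's
#    own certificate belongs in Trusted Root; placing the user cert there is wrong.
if ($usable) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    'Installed into Cert:\CurrentUser\My'
}
```

Run it against the exported ASA bundle and against a cert obtained from the IOS CA to see the difference in HasPrivateKey, which shows which side generated the key pair.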

On Sat, Apr 28, 2012 at 8:31 PM, Ben Shaw <[email protected]> wrote:

> Kings, when you say you've used the IOS CA for SSL VPN, by what method did
> you request certificates for the client (WIN/MAC). Did you create a CSR and
> then import it into the IOS CA and if so by what means did you create the
> CSR. If you were able to submit the request directly to the IOS CA, by what
> method did you do that? Web browser, CLI or some other means?
>
> As for the ASA CA, I think I tend to prefer it as one can manually submit
> a certificate request directly to the CA using the command "crypto ca
> server user-db add" on the CLI without needing to first create a CSR
> which is good for Windows clients as they can't create a CSR natively
> unless one goes through using IIS which I don't think we will be expected
> to do in the exam. As for a guide to using the ASA CA, there is one here
> which should be available in the lab
>
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1147585
>
> From what I understand though, we need to use the IOS CA in the lab exam
> not the ASA CA. Does anyone know any different? If this is the case, then
> it takes me back to my original query - what is the best way to request
> certificates from an IOS CA for a Windows host that will use it for SSL
> VPN? Do we just use the IPSec client to create a CSR or is there another
> way?
>
> Thanks
>
>
> On Fri, Apr 27, 2012 at 7:38 PM, Kingsley Charles <
> [email protected]> wrote:
>
>> I have done it once. You can use certificate from IOS CA server for
>> SSLVPN. The ASA should also be enrolled to that CA server.
>>
>> With regards
>> Kings
>>
>>
>> On Thu, Apr 26, 2012 at 8:24 PM, Ben Shaw <[email protected]> wrote:
>>
>>> OK thanks,
>>>
>>> Does anyone know if the method by which a certificate is requested
>>> affects the operation/functionality of the certificate that is received
>>> back?
>>>
>>> If the IOS CA supports any clients as long as they use SCEP then I can
>>> only think of using the Cisco IPSec client in Windows to enrol with the IOS
>>> CA to obtain a certificate as it supports SCEP or manual CSR file creation
>>> which can be manually imported into the CA. I am not sure however if the
>>> certificate I receive back which was requested using an IPSec client will
>>> then be suitable to use for authentication of an SSL VPN session.
>>>
>>> As mentioned I had issues before when I created the request in the IPSec
>>> client but tried to use the certificate with SSL. Obtaining a new
>>> certificate from an MS CA using the http://*server_name*/certsrv
>>> website on the MS CA provided me with a certificate that I was able to use
>>> for SSL VPN authentication successfully.
>>>
>>> If there is a limitation on the use of certificates requested in a
>>> certain way and the only way to obtain a client from an IOS CA is via SCEP
>>> (with IPSec client) then I am wondering how we can do certificate based SSL
>>> VPN authentication in the lab if we are using an IOS CA for PKI.
>>>
>>> Any thoughts?
>>>
>>>
>>> On Thu, Apr 26, 2012 at 10:29 PM, waleed ' <[email protected]> wrote:
>>>
>>>> IOS CA uses the SCEP protocol; if the client supports this protocol for
>>>> enrollment, I think you can use it for non-Cisco devices.
>>>>
>>>>
>>>> ------------------------------
>>>> Date: Thu, 26 Apr 2012 15:11:39 +1000
>>>> From: [email protected]
>>>> To: [email protected]
>>>> Subject: Re: [OSL | CCIE_Security] Does the IOS CA Server have a web
>>>> interface for certificate creation
>>>>
>>>>
>>>> Thanks Mike and good point Adil,
>>>>
>>>> maybe you are right. My memory seems to recall that it may only be
>>>> usable for routers. Can anyone else confirm this?
>>>>
>>>> I was under the impression it is an IOS CA that we have been told we
>>>> will need to use in the lab exam as opposed to an MS CA. This would be a
>>>> rather large limitation for this CA if we were expected to use it to create
>>>> certificates for remote access VPN.
>>>>
>>>> Ben
>>>>
>>>>
>>>> On Thu, Apr 26, 2012 at 9:33 AM, Adil Pasha <[email protected]> wrote:
>>>>
>>>> Can IOS CA server be used for non-Cisco devices such as desktops?
>>>>
>>>>
>>>> Best Regards.
>>>> ______________________
>>>> Adil S Pasha
>>>>
>>>>
>>>> On Apr 25, 2012, at 2:45 PM, Mike Rojas wrote:
>>>>
>>>> Ben,
>>>>
>>>> Besides the GUI from the IDM, you are not going to be allowed to use
>>>> any (for exam purposes), but in regard to the "real life scenario" I have not
>>>> seen any.
>>>>
>>>> Mike
>>>>
>>>> ------------------------------
>>>> Date: Thu, 26 Apr 2012 01:42:30 +1000
>>>> From: [email protected]
>>>> To: [email protected]
>>>> Subject: [OSL | CCIE_Security] Does the IOS CA Server have a web
>>>> interface for certificate creation
>>>>
>>>> Hi All
>>>>
>>>> One of the things I like about the ASA CA server is that it has a web
>>>> interface to be able to create certificate signing requests for client
>>>> computers. There is also the ability to add these requests via the CLI with
>>>> the 'user-db' function.
>>>>
>>>> Considering I believe it will be an IOS CA we will be asked to create in
>>>> the lab exam and not a CA on an ASA, I have been looking to see if the IOS CA
>>>> has the same feature in v12.4 so that a client computer can enrol with the
>>>> CA and receive a certificate without needing to install the Cisco VPN
>>>> Client to create the CSR or use some other convoluted method such as via
>>>> IIS.
>>>>
>>>> Can anyone tell me if there is such a feature within the IOS CA that
>>>> allows certificates to be created for client computers via the CLI like
>>>> there is in the ASA CA?
>>>>
>>>> Thanks
>>>> Ben
>>>>
>>>> _______________________________________________ For more information
>>>> regarding industry leading CCIE Lab training, please visit
>>>> www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check
>>>> out www.PlatinumPlacement.com
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>