Here goes, use this path. Generate a request, paste this request in the IOS CA server terminal and then import the granted cert back using the same path:

mmc > IIS > Default Website > Properties > Directory Security > Server certificate

With regards
Kings

On Sun, Apr 29, 2012 at 1:30 AM, Kingsley Charles wrote:
> The ASA CA Server is not a fully functional CA Server. It is built specifically for ASA to support certificate based authentication for WebVPN.
> The ASA generates a cert and gives it to the WebVPN user. Now here, you need to know that the ASA generates a private key and it is included in the cert given to the user. You can check that out by exporting the cert and looking in. So the ASA CA server is not meant for IPSec. It can be used only for WebVPN, i.e., to grant web certificates which you should put in the personal folder, not the trusted folder, of the Windows certificate store.
>
> Now when you are going to use the IOS CA server the case is different. You enroll the ASA to the IOS CA server. The ASA uses this CA server trustpoint to verify the client cert.
>
> Now how did I get it for the PC? You can go to mmc > certs and try to enroll to the CA server. But for some reason, I couldn't do that because Windows restricted it, telling me I did not have permissions even though I was logged in as administrator. So I went to IIS and from there I requested a cert. Well, that is complicated and surely is out of scope. If you want to try, you can try it. In this case, the client generates its private keys. You get a regular signed cert from the IOS CA server and you can use that for WebVPN certificate authentication.
>
> With regards
> Kings
>
> On Sat, Apr 28, 2012 at 8:31 PM, Ben Shaw wrote:
>> Kings, when you say you've used the IOS CA for SSL VPN, by what method did you request certificates for the client (WIN/MAC)? Did you create a CSR and then import it into the IOS CA, and if so, by what means did you create the CSR? If you were able to submit the request directly to the IOS CA, by what method did you do that? Web browser, CLI or some other means?
>>
>> As for the ASA CA, I think I tend to prefer it as one can manually submit a certificate request directly to the CA using the command "crypto ca server user-db add" on the CLI without needing to first create a CSR, which is good for Windows clients as they can't create a CSR natively unless one goes through using IIS, which I don't think we will be expected to do in the exam. As for a guide to using the ASA CA, there is one here which should be available in the lab:
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1147585
>>
>> From what I understand though, we need to use the IOS CA in the lab exam, not the ASA CA. Does anyone know any different? If this is the case, then it takes me back to my original query: what is the best way to request certificates from an IOS CA for a Windows host that will use it for SSL VPN? Do we just use the IPSec client to create a CSR or is there another way?
>>
>> Thanks
>>
>> On Fri, Apr 27, 2012 at 7:38 PM, Kingsley Charles wrote:
>>> I have done it once. You can use a certificate from the IOS CA server for SSLVPN. The ASA should also be enrolled to that CA server.
>>>
>>> With regards
>>> Kings
>>>
>>> On Thu, Apr 26, 2012 at 8:24 PM, Ben Shaw wrote:
>>>> OK thanks,
>>>>
>>>> Does anyone know if the method by which a certificate is requested affects the operation/functionality of the certificate that is received back?
>>>>
>>>> If the IOS CA supports any clients as long as they use SCEP then I can only think of using the Cisco IPSec client in Windows to enrol with the IOS CA to obtain a certificate, as it supports SCEP or manual CSR file creation which can be manually imported into the CA. I am not sure however if the certificate I receive back, which was requested using an IPSec client, will then be suitable to use for authentication of an SSL VPN session.
>>>>
>>>> As mentioned, I had issues before when I created the request in the IPSec client but tried to use the certificate with SSL. Obtaining a new certificate from an MS CA using the http://*server_name*/certsrv website on the MS CA provided me with a certificate that I was able to use for SSL VPN authentication successfully.
>>>>
>>>> If there is a limitation on the use of certificates requested in a certain way and the only way to obtain a client certificate from an IOS CA is via SCEP (with the IPSec client), then I am wondering how we can do certificate based SSL VPN authentication in the lab if we are using an IOS CA for PKI.
>>>>
>>>> Any thoughts?
>>>>
>>>> On Thu, Apr 26, 2012 at 10:29 PM, waleed wrote:
>>>>> IOS CA uses the SCEP protocol; if the client supports this protocol for enrollment, I think you can use it for non-Cisco devices.
>>>>>
>>>>> ------------------------------
>>>>> Date: Thu, 26 Apr 2012 15:11:39 +1000
>>>>> Subject: Re: [OSL | CCIE_Security] Does the IOS CA Server have a web interface for certificate creation
>>>>>
>>>>> Thanks Mike and good point Adil,
>>>>>
>>>>> maybe you are right. My memory seems to recall that it may only be usable for routers. Can anyone else confirm this?
>>>>>
>>>>> I was under the impression it is an IOS CA that we have been told we will need to use in the lab exam as opposed to an MS CA. This would be a rather large limitation for this CA if we were expected to use it to create certificates for remote access VPN.
>>>>>
>>>>> Ben
>>>>>
>>>>> On Thu, Apr 26, 2012 at 9:33 AM, Adil Pasha wrote:
>>>>>
>>>>> Can the IOS CA server be used for non-Cisco devices such as desktops?
>>>>>
>>>>> Best Regards.
>>>>> ______________________
>>>>> Adil S Pasha
>>>>>
>>>>> On Apr 25, 2012, at 2:45 PM, Mike Rojas wrote:
>>>>>
>>>>> Ben,
>>>>>
>>>>> Besides the GUI from the IDM, you are not going to be allowed to use any (exam purposes), but in regards to the "real life scenario" I have not seen any.
>>>>>
>>>>> Mike
>>>>>
>>>>> ------------------------------
>>>>> Date: Thu, 26 Apr 2012 01:42:30 +1000
>>>>> Subject: [OSL | CCIE_Security] Does the IOS CA Server have a web interface for certificate creation
>>>>>
>>>>> Hi All
>>>>>
>>>>> one of the things I like about the ASA CA server is that it has a web interface to be able to create certificate signing requests for client computers. There is also the ability to add these requests via the CLI with the 'user-db' function.
>>>>>
>>>>> Considering I believe it will be an IOS CA we will be asked to create in the lab exam and not a CA on an ASA, I have been looking to see if the IOS CA has the same feature in v12.4 so that a client computer can enrol with the CA and receive a certificate without needing to install the Cisco VPN Client to create the CSR or use some other convoluted method such as via IIS.
>>>>>
>>>>> Can anyone tell me if there is such a feature within the IOS CA that allows certificates to be created for client computers via the CLI like there is in the ASA CA?
>>>>>
>>>>> Thanks
>>>>> Ben
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
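The security-relevant point in Kings' Apr 29 reply is who generates the user's private key: with the ASA local CA the server generates the key pair and hands certificate and key to the user together, while with the IOS CA the client generates its own key and sends only a request (the CSR that IIS, the VPN client or SCEP produces), so the CA never holds the key. The Go program below is an added example, not code from any poster on this thread or from Cisco; it models both enrollment paths against a self-signed stand-in CA (the names "lab-ca", "vpn-user1" and "vpn-user2" are assumptions), uses plain PEM where the ASA would hand out a PKCS#12, does not model SCEP transport, and shows the two checks worth doing on whatever comes back: does the bundle contain a private key (the "export it and look in" test), and does the certificate chain to the trustpoint with a clientAuth EKU and bind the key the client generated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must keeps the demo short: a failure in key generation or signing aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Bundle is what the enrolled user ends up holding: the certificate and, only when the CA made
// the key pair on the user's behalf, the private key too (PEM stands in for the ASA's PKCS#12).
type Bundle struct{ CertPEM, KeyPEM []byte }

// certTemplate builds a one-day template: CA certs get keyCertSign, user certs get clientAuth.
func certTemplate(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	return t
}

// newCA creates a self-signed issuing CA standing in for the lab IOS or ASA CA ("lab-ca" is an assumed name).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := certTemplate("lab-ca", true)
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue signs a client-authentication certificate for pub under the CA and returns it as PEM.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, pub any) []byte {
	der := must(x509.CreateCertificate(rand.Reader, certTemplate(cn, false), ca, pub, caKey))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// enrollByCSR models the IOS CA path: the client generates its own key pair and sends only a
// PKCS#10 request; the CA checks proof of possession and returns a certificate, never a key.
func enrollByCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (Bundle, *ecdsa.PrivateKey, error) {
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, req, clientKey))
	// CA side: only csrDER crossed the wire. Parse it and check proof of possession before signing.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return Bundle{}, nil, fmt.Errorf("rejecting CSR: %w", err)
	}
	return Bundle{CertPEM: issue(ca, caKey, csr.Subject.CommonName, csr.PublicKey)}, clientKey, nil
}

// enrollByCAGeneratedKey models the ASA local CA path: the CA generates the key pair itself and
// ships certificate and private key together to the user.
func enrollByCAGeneratedKey(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) Bundle {
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	keyDER := must(x509.MarshalPKCS8PrivateKey(userKey))
	return Bundle{
		CertPEM: issue(ca, caKey, cn, &userKey.PublicKey),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}),
	}
}

// keyEscrowed is the thread's "export it and look in" check: a private key in the bundle means
// a party other than the client (the CA) has held it.
func keyEscrowed(b Bundle) bool {
	for blk, rest := pem.Decode(b.KeyPEM); blk != nil; blk, rest = pem.Decode(rest) {
		if strings.HasSuffix(blk.Type, "PRIVATE KEY") {
			return true
		}
	}
	return false
}

// verifyClientCert checks that the issued cert chains to the CA trustpoint, carries the clientAuth
// EKU a VPN head-end expects on a user cert and, when wantPub is given, binds the client's own key.
func verifyClientCert(certPEM []byte, ca *x509.Certificate, wantPub *ecdsa.PublicKey) error {
	blk, _ := pem.Decode(certPEM)
	if blk == nil {
		return fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); wantPub != nil && (!ok || !pub.Equal(wantPub)) {
		return fmt.Errorf("certificate does not bind the client's key")
	}
	return nil
}

func main() {
	ca, caKey := newCA()
	b1, k1, _ := enrollByCSR(ca, caKey, "vpn-user1") // user names are assumed
	b2 := enrollByCAGeneratedKey(ca, caKey, "vpn-user2")
	fmt.Printf("IOS-style CSR path: key shipped=%v verify=%v\n", keyEscrowed(b1), verifyClientCert(b1.CertPEM, ca, &k1.PublicKey))
	fmt.Printf("ASA-style CA-key path: key shipped=%v verify=%v\n", keyEscrowed(b2), verifyClientCert(b2.CertPEM, ca, nil))
}
```

Run it with go run and the CSR path reports no private key in the bundle while the CA-generated path reports one; both certificates verify against the stand-in trustpoint. In the lab, the equivalent of keyEscrowed is opening the file the ASA hands out and seeing a private key inside it, and the equivalent of verifyClientCert is the head-end validating the user certificate against the trustpoint it is enrolled with, which is why the ASA must itself be enrolled to the IOS CA before client certs from that CA will work.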
