Installing a Third Party Certificate for WebVPN(SSL) on the ASA

In order to not get the annoying “Invalid certificate” errors in Internet Explorer we need to purchase and install a third party certificate for the ASA. Then we can associate the WebVPN with the certificate so we don’t get the warnings.  Of course, you can do this through the ASDM, but what fun is that?  CLI all the way, here we go.

Notes
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them
-Note sections are in italics and embedded directly within the code below
-During the install/setup the CLI asks several questions.  I note when they will appear by inserting a line beginning with ‘Question Prompt –‘ in between the lines of code.  I also put the response you should enter after the line in bold.

Verify that your clock is set correctly
To do this, issue the ‘show clock’ command at the CLI.  If it isn’t configured correctly, define a NTP server (Which you should have done during initial config) and ensure your time zone is set correctly.  I usually use us.pool.ntp.org as an NTP server.  You can resolve it to an IP to get rid of the DNS lookup.

Generate the CSR
ASA(config)# crypto key generate rsa label <Your domain name> modulus 2048
Notes: I use the domain name that I am going to use for the label name, it just makes it easier if everything is the same (FQDN, System FQDN, Label, etc….).  An example would be ‘SSLVPN.test.com’.  Additionally I use a 2048 bit modulus because GoDaddy (The third party CA I am using) will no longer accept the 1024 bit modulus.
ASA(config)# crypto ca trustpoint <Your domain name>
ASA(config-ca-trustpoint)# subject-name CN=<Your domain name>, OU=<Organization Unit>, O=<Organization Name>, C=<Country (US)>, St=<Your State>, L=<Your City>
ASA(config-ca-trustpoint)# keypair <Your domain name>
ASA(config-ca-trustpoint)# fqdn <Your domain name>
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# exit
ASA(config)# crypto ca enroll <Your domain name>
Question Prompt – Include the device serial number in the subject name? [yes/no]: NO
Question Prompt – Display Certificate Request to terminal? [yes/no]: YES
Notes: After answering YES the CLI will output the CSR.  You need to copy the CSR so you can submit it to your Certificate Authority (GoDaddy in this case)
Redisplay enrollment request? [yes/no]: NO

Submit your CSR to your Certificate Authority
Again, I used GoDaddy because it seemed to be the cheapest.  The certificate was less then $30 for the year.  You purchase a certificate credit and then when you are ready to submit your CSR you go into their Certificate Management Portal under your login and submit the CSR.  After submitting the request it took about 5 minutes for my certificate to be generated.  You download the certificate file in Zip format.  In the Zip file you should have two certificates.  One is the certificate for the FQDN which you purchased and the other is the certificate for the CA.  This is where it gets a little tricky. First you need to authenticate the CA by importing their certificate.  Then you need to import your actual certificate.  I’m not going to get into the details of how certificates work but if you don’t know how, you should find out.  Google ‘Public Key encryption’.  Alright, so my Zip file had two certificates in it.

gd_bundle.crt – The certificate for the CA
<Domain name>.crt – The certificate for my domain

You’ll need to export both of the certificates to Base-64 encoded X.509.  To do this in Windows double click the certificate.  A certificate window with three tabs should appear as shown below.image

Click on the second tab ‘Details’ and select the ‘Copy to File…” button image

This will open the Certificate Export Wizard.  Press NEXTimage

On the next screen select ‘Base-64 encoded X.509 (.CER)’ and press NEXTimage

On the following screen select a location to output the file to and press NEXTimage

Press FINISH on the summary screen.  You should get a pop up window indicating that export was successful.
image

Now browse to where you chose to store the certificate, right click on it, select ‘Open With’, and choose WordPad.  When you open it in WordPad you should get something similar to what is shown below.  image

Perform this certificate Export for your certificate as well as the CA’s certificate.   During the rest of the walk through I will refer to these exports as “CA Certificate”(The CA’s certificate) and “CA Certificate Response”(The certificate for your domain).

Install the certificates on the ASA
ASA(config)# crypto ca authenticate <Your domain name>
Notes: You will now receive the prompt shown below.
”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself”
Copy the CA Certificate and paste it into the CLI window.  Then make sure you are on a new line, type to the word quit, and press enter.

Question Prompt – Do you accept this certificate? [yes/no]: yes
Notes: After you accept the certificate you should get a message indicating that the certificate import was successful
ASA(config)# exit
ASA(config)# crypto ca import <Your domain name> certificate
Notes: You will now receive the prompt shown below.
”Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself”
Copy the CA Certificate Response and paste it into the CLI window.  Then make sure you are on a new line, type to the word quit, and press enter. After you press enter you should get a message indicating that the certificate import was successful

Tell WebVPN to use your new certificate
ASA(config)# ssl trust-point <Your domain name> outside

Verify
You can use the command ‘show crypto ca certificates’ to verify that your certificates imported successfully.  Of course the other way to test would be to just connect to the outside IP on SSL and see if you still get that annoying warning.

16 thoughts on “Installing a Third Party Certificate for WebVPN(SSL) on the ASA

  1. earning money online

    Aw, this was a really quality post. In theory I’d like to write like this too – taking time and real effort to make a good article… but what can I say… I procrastinate alot and never seem to get something done.

    Reply
    1. admin

      Glad you liked the article and thanks for reading! I really enjoy writing articles for the blog. It takes a lot of time but its worth it.

      Reply
  2. ASA User

    I agree, great article! I do still get the certificate warnings becuase I can’t connect using the FQDN and only the public IP. Have you run into this?

    Reply
    1. admin

      Hmmm, so you installed the certificate but you cant externally browse to the WebVPN portal? Or are you trying to internall browse to it?

      Reply
    2. Giorgio

      Hi, I am having the same problem. I can only access using the public IP and I still get the certificate warning. I can’t access using the FQDN. Did you find out what the problem was?

      Thank you.

      Reply
      1. admin

        When you say you cant access using the FQDN does that imply that external DNS isnt functioning? Do NSLOOKUPs return the right IP?

        Reply
    3. dodo

      Edit your host file in C:\WINDOWS\system32\drivers\etc\hosts to map the ip address to the FQND. Host file is always checked first.

      Reply
  3. jchan

    Thanks for the Great Post! It helped me and the others.

    Question – I have a pair of ASA and running in a active and standby mode, do I need to generate 2 CSR and install the signed certificate on both active and standby units?

    Reply
    1. admin

      I cant say that I have ever done active/standby for VPN configurations. Generally, we use the VPN load balancing feature for VPN ASAs. At any rate, since only one box is active and the backup is a duplicate config I would think you’d be ok with one certificate. The CSR isnt specific to the ASA, its specific to the certificate. If you have more than 2 ASAs, I’d cluster them and do VPN load balancing though. Try out the active/standby single cert config and post back if it works.

      Reply
  4. jchan

    I got this message when I tried to enroll, what should I do?

    (config)# crypto ca enroll
    WARNING: The certificate enrollment is configured with an fqdn
    that differs from the system fqdn. If this certificate will be
    used for VPN authentication this may cause connection problems.

    Would you like to continue with this enrollment? [yes/no]:

    Reply
  5. Rav

    Have you got instructions for installing a Go Daddy WildCard Cert on CISCO ASA, ASDM version 6.1? using the GUI

    Reply
    1. Jon Langemak Post author

      I don’t. Actually, I try to stay away from that since there have been historical issues with the ASDM not working for certificate management. Too many bugs for my taste.

      Reply

Leave a Reply to Rav Cancel reply

Your email address will not be published. Required fields are marked *