A basic certificate-based VPN is as easy to set up as a VPN with a pre-shared key. There are only a few additional steps required on the ASA side. The problems arise when clients start to use certificates without knowing what they should do and how. As a firewall administrator you cannot take responsibility for all the clients, but if they are not able to connect, you will be the first one to be called. :-)
The steps required to configure a certificate-based VPN are the following:
ASA side steps
1. Create your RSA private-key.
2. Generate a Certificate request.
3. Export it and send it to the CA you want to sign your CR
4. Import the signed Certificate to the ASA
5. Import the Certificate of your CA
6. Import the Certificates of your subordinate CAs and the root CA
7. Make a backup of your Certificates, private-keys
Client side steps
1. Create a Certificate request
2. Have the client certificate signed by the CA
3. Import the Certificate to the client
4. Connect and enjoy. You are ready, the clients can work through the secure access… :-)
In the detailed configuration I do NOT use SCEP, as this is Windows stuff and I do not really like it. The certificate request of the ASA firewall will be enrolled manually on the console. It should be copied into a text file with some modifications and sent to the CA administrator (in this case, to myself).
ASA side steps
1. Create your RSA private-key.
# conf t
(config)# crypto key generate rsa label mycompany-priv-key modulus 2048
INFO: The name for the keys will be: mycompany-priv-key
Keypair generation process begin. Please wait...
2. Generate a certificate request.
If you need to use this VPN from an iPad or iPhone, then you need to use the fqdn command with the external IP of your firewall. In this example it is 2.2.2.2.
With this command the indicated FQDN is included in the Subject Alternative Name extension of the certificate request during enrollment.
(config)# crypto ca trustpoint mycompany
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# fqdn 2.2.2.2
(config-ca-trustpoint)# subject-name CN=mycompany.mydomain.hu
(config-ca-trustpoint)# serial-number
(config-ca-trustpoint)# keypair mycompany-priv-key
(config-ca-trustpoint)# exit
and then just this:
(config)# crypto ca enroll mycompany
% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: mycompany.mydomain.hu
Display Certificate Request to terminal? [yes/no]: yes
MII…here should be the certificate request…
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
3. Export it and send it to the CA you want to sign your CR
-----BEGIN CERTIFICATE-----
Insert the asa certificate here
-----END CERTIFICATE-----
Create a directory for your firewall as well and create a PEM file containing the certificate request.
$ mkdir fwasa
$ cd fwasa
$ echo "-----BEGIN CERTIFICATE REQUEST-----
> MII…here should be the certificate request…
> -----END CERTIFICATE REQUEST-----" > fwasa_req.pem
Let's verify the certificate request of the ASA firewall and see what we have in the CR.
$ cd ../sub_ca/
$ openssl req -in ../fwasa/fwasa_req.pem -verify -noout -config openssl.cnf
verify OK
$
$ openssl req -text -in ../fwasa/fwasa_req.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: serialNumber=JMX1432L0KX/unstructuredName=mycompany.mydomain.hu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:ed:3a:69:ef:cc:94:9d:73:5f:e4:ce:2b:9b:
                    77:63:91:b9:f9:c2:dd:87:40:ea:3a:70:8c:b5:19:
                    59:be:cb:b7:78:44:bc:f8:43:32:e7:f4:4b:f3:9b:
                    3c:4b:6e:af:70:ea:fd:fd:66:39:cc:84:dd:fc:a2:
                    13:25:95:ac:00:e5:33:0a:7f:0a:12:8c:cc:17:4e:
                    df:87:45:b2:e5:30:fc:92:78:64:9d:e2:a8:5e:ef:
                    05:c3:f8:56:4b:e8:61:97:ae:04:3f:28:ba:82:61:
                    67:f6:bf:01:2b:60:5f:16:00:15:7e:2d:28:18:42:
                    e6:6b:df:94:8c:c4:cb:ed:37
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:mycompany.mydomain.hu
    Signature Algorithm: md5WithRSAEncryption
        42:15:aa:13:a3:a1:07:b1:59:12:22:27:8c:08:04:86:96:65:
        39:a9:62:4f:2d:9d:5a:3b:33:28:27:9c:60:8d:99:9c:f8:01:
        6e:ce:ff:70:4e:41:31:18:d5:22:bf:35:41:3a:3e:19:e5:41:
        64:70:77:4d:bc:32:2d:3c:a7:59:4b:95:4c:eb:a9:06:d8:27:
        77:aa:51:07:ed:d5:07:99:11:95:5b:33:2a:f3:18:40:5e:ce:
        9f:03:c0:54:52:d3:f6:04:ac:91:25:e3:b1:98:c1:99:d5:8b:
        86:5c:32:7c:79:39:70:22:fc:c0:47:45:7d:0d:d7:56:35:e0:
        f4:36
-----BEGIN CERTIFICATE REQUEST-----
MII…here should be the certificate request…
-----END CERTIFICATE REQUEST-----
In the default OpenSSL configuration (openssl.cnf) we have the following policy for certificate requests.
The country, state and organization must match those of the CA. If one of them is missing, you get a message like "The mandatory countryName field was missing" and an empty certificate file.
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
The firewall certificate request does not contain those fields. That means we need to modify our trustpoint and generate a new certificate request (or you can change the policy settings in your openssl.cnf).
(config)# crypto ca trustpoint mycompany
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# fqdn 2.2.2.2
(config-ca-trustpoint)# subject-name CN=mycompany.mydomain.hu,C=HU,ST=Budapest,L=Budapest,O="My Company",OU=Security
(config-ca-trustpoint)# serial-number
(config-ca-trustpoint)# keypair mycompany-priv-key
(config-ca-trustpoint)# exit
(config)# crypto ca enroll mycompany
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: 2.2.2.2
% The serial number in the certificate will be: JMX1432L0KX
Display Certificate Request to terminal? [yes/no]: yes
MII…here should be the certificate request…
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
After creating the PEM file of the ASA certificate request we should check it again and, of course, sign it.
Before we do that we need to enable something in the openssl.cnf configuration file to let extensions such as the Subject Alternative Name into the certificate. This is called v3_req, as below:
req_extensions = v3_req
and now we can go on to sign the certificate.
$ cd fwasa
$ echo "-----BEGIN CERTIFICATE REQUEST-----
MII…here should be the certificate request…
-----END CERTIFICATE REQUEST-----" > fwasa_req.pem
$ cd ../sub_ca/
$ openssl req -in ../fwasa/fwasa_req.pem -verify -noout -config openssl.cnf
verify OK
$
$ openssl req -text -in ../fwasa/fwasa_req.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: OU=Security, O=My Company, L=Budapest, ST=Budapest, C=HU, CN=mycompany.mydomain.hu/serialNumber=JMX1432L0KX/unstructuredName=2.2.2.2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a2:91:0a:d8:11:72:51:54:9b:77:78:4e:a2:c8:
                    52:7a:56:81:a6:1f:45:c5:ea:a2:c0:b8:ed:2d:a0:
                    65:4f:5b:f2:7a:79:a1:71:6c:d6:b6:ed:ed:56:68:
                    99:f4:d7:d8:a7:69:f2:ba:e6:be:4f:7e:27:bd:5b:
                    81:a2:45:f6:24:0e:15:90:e3:98:e4:cf:b2:81:11:
                    be:86:9a:8d:87:27:06:78:eb:05:bf:30:ab:d9:b3:
                    b7:de:50:b7:dc:b4:e3:a4:a2:4e:74:bd:ba:e2:58:
                    b2:f1:67:31:ca:4e:e6:6e:23:f5:58:51:91:f4:2b:
                    4e:39:2b:46:9e:0e:34:87:69:98:12:fb:ae:78:be:
                    88:77:ab:ff:0d:9f:a6:db:3a:ad:84:ec:8f:95:91:
                    97:d0:87:4a:b2:d6:9d:77:2e:6d:1d:c2:bc:53:d9:
                    9b:5b:ae:2e:85:7f:a1:59:f7:9b:56:95:1d:84:b3:
                    90:95:6e:7e:ec:54:f4:a6:e1:e2:31:11:ec:c0:a2:
                    7b:11:64:e8:f9:c5:27:e3:87:64:2e:bc:19:8a:e5:
                    25:8d:6d:8e:49:c7:ad:c0:18:36:b0:16:6b:d3:a0:
                    fd:16:63:0f:4b:b4:f3:7a:4f:72:6c:63:1b:27:53:
                    ed:20:d5:e6:b8:4f:c1:f9:29:08:53:e9:71:5c:67:
                    04:dd
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:2.2.2.2
    Signature Algorithm: md5WithRSAEncryption
        65:fa:22:56:94:df:92:ae:43:56:89:84:41:d3:27:6b:33:26:
        fc:24:f6:59:a9:b6:78:d9:19:7c:8f:64:51:50:74:64:2c:96:
        c7:e9:12:20:e4:40:25:71:21:a9:8b:35:00:62:01:02:74:0c:
        6a:23:2b:59:89:a0:4e:69:73:aa:08:d0:d4:14:5e:72:ed:b5:
        7e:ca:26:b3:9b:21:ae:2e:ca:21:57:0b:a5:6a:d8:97:a6:bc:
        1a:3f:34:b4:16:8a:1e:0a:55:c8:2b:ce:3a:f7:88:7a:8a:16:
        99:0b:7a:bb:00:21:01:cd:49:27:55:4b:0e:46:3b:67:86:01:
        b8:09:0b:2f:18:6e:ad:51:dc:4f:a4:79:3a:9b:54:b7:f3:74:
        66:70:0b:3a:e4:c2:9c:03:5c:b0:f1:74:62:f4:14:2e:3b:83:
        97:cf:97:c7:68:30:01:f4:8e:6b:02:d3:9d:2d:80:c0:47:da:
        70:79:b7:26:dc:86:a7:b4:6b:c4:8d:a7:29:31:3f:ce:57:e3:
        63:4c:6e:69:0b:78:a4:30:f2:2d:0b:91:62:09:2f:16:b8:34:
        33:ef:fc:82:75:b7:73:26:93:b3:47:33:65:98:f2:e6:4a:20:
        6a:95:7e:8c:c2:05:fe:25:12:c1:a1:98:36:18:0b:a3:b4:3b:
        8a:15:16:65
-----BEGIN CERTIFICATE REQUEST-----
MII…here should be the certificate request…
-----END CERTIFICATE REQUEST-----
That's it, we have all the fields in the CR that our CA policy requires. We need to sign it now.
$ openssl ca -in ../fwasa/fwasa_req.pem -out ../fwasa/fwasa_cert.pem -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 256 (0x100)
        Validity
            Not Before: Nov 23 12:11:57 2010 GMT
            Not After : Nov 23 12:11:57 2011 GMT
        Subject:
            countryName               = HU
            stateOrProvinceName       = Budapest
            organizationName          = My Company
            organizationalUnitName    = Security
            commonName                = mycompany.mydomain.hu
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6D:10:EF:50:8A:12:D1:9E:EF:42:91:88:94:FB:AA:4B:28:B4:CA:E2
            X509v3 Authority Key Identifier:
                keyid:B5:6E:8C:8C:DC:EE:91:31:B2:EA:40:C1:F0:F3:89:F9:04:3F:04:8D
Certificate is to be certified until Nov 23 12:11:57 2011 GMT (365 days)
1 out of 1 certificate requests certified, commit? [y/n]y
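Note that the signed certificate printed above lists Basic Constraints, Subject Key Identifier and Authority Key Identifier but no Subject Alternative Name: openssl ca carries request extensions over into the issued certificate only when copy_extensions = copy is set in its CA section, so it is worth checking the issued certificate before importing it, because the fqdn was put into the SAN in step 2 for a reason. The following script is an added example and not code from the original post; it assumes only the openssl CLI, and every file name in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm that the Subject Alternative
# Name requested in a CSR (the ASA's fqdn entry) survived into the certificate the CA
# issued. Assumes the openssl CLI is installed; all file names are constructed placeholders.
set -e

# Print the SAN value of a PEM file; $1 is "req" for a CSR or "x509" for a certificate.
san_of() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Return 0 when the SAN in the CSR ($1) is present in the certificate ($2), 1 otherwise.
check_san_carried() {
    req_san=$(san_of req "$1")
    crt_san=$(san_of x509 "$2")
    [ -n "$req_san" ] || { echo "$1: CSR requests no SAN"; return 1; }
    if [ "$req_san" = "$crt_san" ]; then
        echo "OK: certificate carries SAN '$crt_san'"
        return 0
    fi
    echo "MISSING: CSR asked for '$req_san', certificate has '${crt_san:-none}'"
    echo "hint: openssl ca copies request extensions only with copy_extensions = copy"
    return 1
}

# Constructed round trip: a throwaway key and a CSR carrying a SAN via req_extensions,
# signed twice: once with the request extensions ignored (what a CA without
# copy_extensions does), once with them supplied, so both checker outcomes are exercised.
demo() {
    d=$(mktemp -d)
    fqdn=mycompany.mydomain.hu
    printf '[req]\ndistinguished_name=dn\nreq_extensions=v3_req\n[dn]\n[v3_req]\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$d/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/req.pem" \
        -subj "/C=HU/ST=Budapest/O=My Company/CN=$fqdn" -config "$d/req.cnf" 2>/dev/null
    openssl x509 -req -in "$d/req.pem" -signkey "$d/key.pem" -days 1 \
        -out "$d/nosan.pem" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$d/ext.cnf"
    openssl x509 -req -in "$d/req.pem" -signkey "$d/key.pem" -days 1 \
        -extfile "$d/ext.cnf" -out "$d/san.pem" 2>/dev/null
    st=0
    check_san_carried "$d/req.pem" "$d/nosan.pem" && st=1   # expected: flagged as MISSING
    check_san_carried "$d/req.pem" "$d/san.pem" || st=1     # expected: OK
    rm -rf "$d"
    return $st
}

demo
```

To check the real files from this post, call check_san_carried ../fwasa/fwasa_req.pem ../fwasa/fwasa_cert.pem from the sub_ca directory instead of demo.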
4. Import the signed Certificate to the ASA
(config)# crypto ca import mycompany certificate
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: y
% The fully-qualified domain name in the certificate will be: 2.2.2.2
Enter the base 64 encoded certificate.
5. Import the Certificate of your CA
(config)# crypto ca authenticate mycompany
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MII…here should be the certificate request…
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Trustpoint 'mycompany' is a subordinate CA and holds a non self-signed certificate.
% Certificate successfully imported
6. Import the Certificates of your subordinate CAs and the root CA
(config)# crypto ca trustpoint mycompany_rootca
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# exit
(config)# crypto ca authenticate mycompany_rootca
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MII…here should be the certificate request…
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
% Certificate successfully imported
7. Make a backup of your Certificates, private-keys
(config)# crypto ca export mycompany pkcs12 yourpasswordhere
and the restore:
(config)# crypto ca import mycompany pkcs12 yourpasswordhere
November 29th, 2010 → 8:04 am
[…] In the following example we use a certificate for the SSL VPN. Let's assume that the trustpoint and the client certificate are already configured. For the certificate creation part the following document can help: https://itsecworks.wordpress.com/2010/11/22/certificate-based-vpn/ […]