Certificate based RA VPN with openssl

Posted on November 22, 2010

The basic certificate-based VPN is as easy as the VPN with a pre-shared key; there are only a few additional steps required on the ASA side. The problems arise if the clients start to use certificates without knowing what they should do and how. As a firewall administrator you cannot be responsible for all clients, but if they are not able to connect then you will be the first to be called. :-)
The steps required to configure a certificate-based VPN are the following:

ASA side steps

1. Create your RSA private-key.
2. Generate a Certificate request.
3. Export it and send it to the CA you want to sign your CR
4. Import the signed Certificate to the ASA
5. Import the Certificate of your CA
6. Import the Certificates of your subordinate CAs and the root CA
7. Make a backup of your Certificates, private-keys

Client side steps

1. Create a Certificate request
2. Have the client certificate signed by the CA
3. Import the Certificate to the client
4. Connect and enjoy. You are ready; the clients can work through the secure access… :-)

In the detailed configuration I do NOT use SCEP, as this is Windows stuff and I do not really like it. The certificate request of the ASA firewall will be enrolled manually on the console (terminal enrollment). The request should be copied to a text file with some modifications and sent to the CA administrator (in this case to myself).

ASA side steps

1. Create your RSA private-key.

# conf t
(config)# crypto key generate rsa label mycompany-priv-key modulus 2048
INFO: The name for the keys will be: mycompany-priv-key
Keypair generation process begin. Please wait…

2. Generate a certificate request.

If you need to use this VPN from an iPad or iPhone then you need to use the fqdn command with the external IP of your firewall; in this example it is 2.2.2.2.
With this command the indicated FQDN is included in the Subject Alternative Name extension of the certificate request during enrollment.

(config)# crypto ca trustpoint mycompany
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# fqdn 2.2.2.2
(config-ca-trustpoint)# subject-name CN=mycompany.mydomain.hu
(config-ca-trustpoint)# serial-number
(config-ca-trustpoint)# keypair mycompany-priv-key
(config-ca-trustpoint)# exit

and then just run the enrollment:

(config)# crypto ca enroll mycompany
% Start certificate enrollment .. 

% The fully-qualified domain name in the certificate will be: mycompany.mydomain.hu
% Include the device serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: JMX1432L0KX

Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

MII…here should be the certificate request…

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

3. Export it and send it to the CA you want to sign your CR

-----BEGIN CERTIFICATE REQUEST-----
Insert the ASA certificate request here
-----END CERTIFICATE REQUEST-----

Create a directory for your Firewall as well and create a pem file with the certificate request.

$ mkdir fwasa
$ cd fwasa
$ echo "-----BEGIN CERTIFICATE REQUEST-----
> MII…here should be the certificate request…
> -----END CERTIFICATE REQUEST-----" > fwasa_req.pem

Let's verify the certificate request of the ASA firewall and see what we have in the CR:

$ cd ../sub_ca/
$ openssl req -in ../fwasa/fwasa_req.pem -verify -noout -config openssl.cnf
verify OK
$
$ openssl req -text -in ../fwasa/fwasa_req.pem
Certificate Request:
Data:
Version: 0 (0x0)
Subject: serialNumber=JMX1432L0KX/unstructuredName=mycompany.mydomain.hu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b4:ed:3a:69:ef:cc:94:9d:73:5f:e4:ce:2b:9b:
77:63:91:b9:f9:c2:dd:87:40:ea:3a:70:8c:b5:19:
59:be:cb:b7:78:44:bc:f8:43:32:e7:f4:4b:f3:9b:
3c:4b:6e:af:70:ea:fd:fd:66:39:cc:84:dd:fc:a2:
13:25:95:ac:00:e5:33:0a:7f:0a:12:8c:cc:17:4e:
df:87:45:b2:e5:30:fc:92:78:64:9d:e2:a8:5e:ef:
05:c3:f8:56:4b:e8:61:97:ae:04:3f:28:ba:82:61:
67:f6:bf:01:2b:60:5f:16:00:15:7e:2d:28:18:42:
e6:6b:df:94:8c:c4:cb:ed:37
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:mycompany.mydomain.hu
Signature Algorithm: md5WithRSAEncryption
42:15:aa:13:a3:a1:07:b1:59:12:22:27:8c:08:04:86:96:65:
39:a9:62:4f:2d:9d:5a:3b:33:28:27:9c:60:8d:99:9c:f8:01:
6e:ce:ff:70:4e:41:31:18:d5:22:bf:35:41:3a:3e:19:e5:41:
64:70:77:4d:bc:32:2d:3c:a7:59:4b:95:4c:eb:a9:06:d8:27:
77:aa:51:07:ed:d5:07:99:11:95:5b:33:2a:f3:18:40:5e:ce:
9f:03:c0:54:52:d3:f6:04:ac:91:25:e3:b1:98:c1:99:d5:8b:
86:5c:32:7c:79:39:70:22:fc:c0:47:45:7d:0d:d7:56:35:e0:
f4:36
-----BEGIN CERTIFICATE REQUEST-----
MII…here should be the certificate request…
-----END CERTIFICATE REQUEST-----

In the default openssl configuration (openssl.cnf) we have the following policy for certificate requests.
The country, state and organization must match those of the CA. If one of them is missing, you get a message like "The mandatory countryName field was missing" and an empty certificate file.

policy = policy_match # For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

The firewall certificate request does not contain those fields. That means we need to modify our trustpoint and generate a new certificate request (or you can change the policy settings in your openssl.cnf).
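
Before handing a request to openssl ca, it is worth checking it against policy_match and a couple of sanity rules automatically. The shell functions below are an added example, not code from the original post: check_csr_policy compares the C, ST and O attributes of a CSR with those of the CA certificate, verifies the request signature, and flags a key shorter than 2048 bits or a missing subjectAltName. The helper names and the throw-away CA and CSRs it generates are assumptions made for the example.

```shell
# Pre-signing check of an ASA CSR against the CA's policy_match rules. Added
# example with assumed helper names; CA and CSRs are constructed, not the page's.

# Print one DN attribute (C, ST, O, ...) from a CSR (req) or certificate (x509).
dn_field() {  # dn_field <file> <req|x509> <attr>
    openssl "$2" -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n "s/^ *$3=//p" | head -n 1
}

# Return 0 when the CSR verifies, matches the CA's C/ST/O, uses a key of at
# least 2048 bits and asks for a subjectAltName; report each problem on stderr.
check_csr_policy() {  # check_csr_policy <csr.pem> <cacert.pem>
    csr=$1; ca=$2; problems=0
    openssl req -in "$csr" -verify -noout >/dev/null 2>&1 \
        || { echo "CSR signature does not verify" >&2; problems=$((problems + 1)); }
    for attr in C ST O; do   # the three 'match' fields of policy_match
        want=$(dn_field "$ca" x509 "$attr"); got=$(dn_field "$csr" req "$attr")
        if [ -z "$got" ]; then
            echo "mandatory $attr missing from CSR (openssl ca would reject it)" >&2; problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            echo "$attr mismatch: CSR '$got' vs CA '$want'" >&2; problems=$((problems + 1))
        fi
    done
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    bits=$(printf '%s\n' "$text" | grep -o '([0-9]* bit)' | head -n 1 | tr -dc 0-9)
    [ "${bits:-0}" -ge 2048 ] \
        || { echo "key is only ${bits:-0} bits; expected at least 2048" >&2; problems=$((problems + 1)); }
    printf '%s\n' "$text" | grep -q 'Subject Alternative Name' \
        || { echo "no subjectAltName requested" >&2; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Constructed inputs: a throw-away CA plus CSRs mirroring the page's first
# (CN only, 1024-bit) and second (full DN with SAN) ASA requests.
make_samples() {  # make_samples <dir>
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/C=HU/ST=Budapest/O=My Company/CN=Sub CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:1024 -nodes -keyout "$d/bad.key" -out "$d/bad.csr" \
        -subj "/CN=mycompany.mydomain.hu" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/good.key" -out "$d/good.csr" \
        -subj "/C=HU/ST=Budapest/L=Budapest/O=My Company/OU=Security/CN=mycompany.mydomain.hu" \
        -addext "subjectAltName=DNS:2.2.2.2" >/dev/null 2>&1
}

work=$(mktemp -d); make_samples "$work"
for f in bad good; do   # bad.csr is refused, good.csr may be signed
    if check_csr_policy "$work/$f.csr" "$work/ca.pem"; then echo "$f.csr: OK to sign"; else echo "$f.csr: refused"; fi
done
rm -rf "$work"
```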

(config)# crypto ca trustpoint mycompany
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# fqdn 2.2.2.2
(config-ca-trustpoint)# subject-name CN=mycompany.mydomain.hu,C=HU,ST=Budapest,L=Budapest,O="My Company",OU=Security
(config-ca-trustpoint)# serial-number
(config-ca-trustpoint)# keypair mycompany-priv-key
(config-ca-trustpoint)# exit

(config)# crypto ca enroll mycompany
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=mycompany.mydomain.hu,C=HU,ST=Budapest,L=Budapest,O="My Company",OU=Security

% The fully-qualified domain name in the certificate will be: 2.2.2.2

% The serial number in the certificate will be: JMX1432L0KX

Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

MII…here should be the certificate request…

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
(config)#

After creating the PEM file of the new ASA certificate request we should check it again and, of course, sign it.
Before we do that we need to enable something in the openssl.cnf configuration file to let extensions such as Subject Alternative Name into the certificate. This is called v3_req, as below:

req_extensions = v3_req

and now we can go on to sign the certificate.

$ cd fwasa
$ echo "-----BEGIN CERTIFICATE REQUEST-----
> MII…here should be the certificate request…
> -----END CERTIFICATE REQUEST-----" > fwasa_req.pem
$ cd ../sub_ca/
$ openssl req -in ../fwasa/fwasa_req.pem -verify -noout -config openssl.cnf
verify OK
$
$ openssl req -text -in ../fwasa/fwasa_req.pem
Certificate Request:
Data:
Version: 0 (0x0)
Subject: OU=Security, O=My Company, L=Budapest, ST=Budapest, C=HU, CN=mycompany.mydomain.hu/serialNumber=JMX1432L0KX/unstructuredName=2.2.2.2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a2:91:0a:d8:11:72:51:54:9b:77:78:4e:a2:c8:
52:7a:56:81:a6:1f:45:c5:ea:a2:c0:b8:ed:2d:a0:
65:4f:5b:f2:7a:79:a1:71:6c:d6:b6:ed:ed:56:68:
99:f4:d7:d8:a7:69:f2:ba:e6:be:4f:7e:27:bd:5b:
81:a2:45:f6:24:0e:15:90:e3:98:e4:cf:b2:81:11:
be:86:9a:8d:87:27:06:78:eb:05:bf:30:ab:d9:b3:
b7:de:50:b7:dc:b4:e3:a4:a2:4e:74:bd:ba:e2:58:
b2:f1:67:31:ca:4e:e6:6e:23:f5:58:51:91:f4:2b:
4e:39:2b:46:9e:0e:34:87:69:98:12:fb:ae:78:be:
88:77:ab:ff:0d:9f:a6:db:3a:ad:84:ec:8f:95:91:
97:d0:87:4a:b2:d6:9d:77:2e:6d:1d:c2:bc:53:d9:
9b:5b:ae:2e:85:7f:a1:59:f7:9b:56:95:1d:84:b3:
90:95:6e:7e:ec:54:f4:a6:e1:e2:31:11:ec:c0:a2:
7b:11:64:e8:f9:c5:27:e3:87:64:2e:bc:19:8a:e5:
25:8d:6d:8e:49:c7:ad:c0:18:36:b0:16:6b:d3:a0:
fd:16:63:0f:4b:b4:f3:7a:4f:72:6c:63:1b:27:53:
ed:20:d5:e6:b8:4f:c1:f9:29:08:53:e9:71:5c:67:
04:dd
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:2.2.2.2
Signature Algorithm: md5WithRSAEncryption
65:fa:22:56:94:df:92:ae:43:56:89:84:41:d3:27:6b:33:26:
fc:24:f6:59:a9:b6:78:d9:19:7c:8f:64:51:50:74:64:2c:96:
c7:e9:12:20:e4:40:25:71:21:a9:8b:35:00:62:01:02:74:0c:
6a:23:2b:59:89:a0:4e:69:73:aa:08:d0:d4:14:5e:72:ed:b5:
7e:ca:26:b3:9b:21:ae:2e:ca:21:57:0b:a5:6a:d8:97:a6:bc:
1a:3f:34:b4:16:8a:1e:0a:55:c8:2b:ce:3a:f7:88:7a:8a:16:
99:0b:7a:bb:00:21:01:cd:49:27:55:4b:0e:46:3b:67:86:01:
b8:09:0b:2f:18:6e:ad:51:dc:4f:a4:79:3a:9b:54:b7:f3:74:
66:70:0b:3a:e4:c2:9c:03:5c:b0:f1:74:62:f4:14:2e:3b:83:
97:cf:97:c7:68:30:01:f4:8e:6b:02:d3:9d:2d:80:c0:47:da:
70:79:b7:26:dc:86:a7:b4:6b:c4:8d:a7:29:31:3f:ce:57:e3:
63:4c:6e:69:0b:78:a4:30:f2:2d:0b:91:62:09:2f:16:b8:34:
33:ef:fc:82:75:b7:73:26:93:b3:47:33:65:98:f2:e6:4a:20:
6a:95:7e:8c:c2:05:fe:25:12:c1:a1:98:36:18:0b:a3:b4:3b:
8a:15:16:65
-----BEGIN CERTIFICATE REQUEST-----
MII…here should be the certificate request…
-----END CERTIFICATE REQUEST-----

That's it, we have all the matching fields in the CR for our CA. We need to sign it now.

$ openssl ca -in ../fwasa/fwasa_req.pem -out ../fwasa/fwasa_cert.pem -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 256 (0x100)
Validity
Not Before: Nov 23 12:11:57 2010 GMT
Not After : Nov 23 12:11:57 2011 GMT
Subject:
countryName = HU
stateOrProvinceName = Budapest
organizationName = My Company
organizationalUnitName = Security
commonName = mycompany.mydomain.hu
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6D:10:EF:50:8A:12:D1:9E:EF:42:91:88:94:FB:AA:4B:28:B4:CA:E2
X509v3 Authority Key Identifier:
keyid:B5:6E:8C:8C:DC:EE:91:31:B2:EA:40:C1:F0:F3:89:F9:04:3F:04:8D 

Certificate is to be certified until Nov 23 12:11:57 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
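
The ASA's request carried a Subject Alternative Name, but openssl ca copies request extensions into the issued certificate only when copy_extensions = copy is set in the [ CA_default ] section of openssl.cnf; the certificate details printed above list no SAN at all. The following shell script, an added example and not part of the original post, checks a certificate handed back by the CA before it is imported on the ASA: it must chain to the CA, its public key must equal the one in the CSR, and it must carry a SAN. The helper names and the throw-away CA, key and certificates are constructed for the example.

```shell
# Post-signing check: does the certificate the CA sent back belong to the
# CSR's key, chain to the CA, and still carry the requested SAN? Added example
# with assumed helper names; the CA, key and certificates are constructed below.

# SHA-256 of the public key inside a CSR (req) or certificate (x509).
pubkey_fp() {  # pubkey_fp <file> <req|x509>
    openssl "$2" -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Return 0 only if CERT chains to CACERT, its key equals the CSR key and it has
# a subjectAltName; print every failed check to stderr.
check_issued_cert() {  # check_issued_cert <cert.pem> <csr.pem> <cacert.pem>
    rc=0
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 \
        || { echo "certificate does not chain to the CA" >&2; rc=1; }
    [ "$(pubkey_fp "$1" x509)" = "$(pubkey_fp "$2" req)" ] \
        || { echo "certificate public key differs from the CSR key" >&2; rc=1; }
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name' \
        || { echo "subjectAltName was dropped at signing (copy_extensions = copy?)" >&2; rc=1; }
    return $rc
}

# Constructed inputs: throw-away CA, an ASA-style CSR carrying a SAN, and two
# certificates issued from it: one where the CA ignored the request's
# extensions (the default) and one where the SAN was supplied at signing time.
make_signed_samples() {  # make_signed_samples <dir>
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/C=HU/ST=Budapest/O=My Company/CN=Sub CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/fw.key" -out "$d/fw.csr" \
        -subj "/C=HU/ST=Budapest/O=My Company/CN=mycompany.mydomain.hu" \
        -addext "subjectAltName=DNS:2.2.2.2" >/dev/null 2>&1
    openssl x509 -req -in "$d/fw.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -out "$d/fw_nosan.pem" >/dev/null 2>&1
    printf 'subjectAltName=DNS:2.2.2.2\n' > "$d/san.ext"
    openssl x509 -req -in "$d/fw.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/san.ext" -out "$d/fw_san.pem" >/dev/null 2>&1
}

work=$(mktemp -d); make_signed_samples "$work"
for c in fw_nosan fw_san; do   # the first is rejected, the second passes
    if check_issued_cert "$work/$c.pem" "$work/fw.csr" "$work/ca.pem"; then echo "$c.pem: OK"; else echo "$c.pem: rejected"; fi
done
rm -rf "$work"
```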

4. Import the signed Certificate to the ASA

(config)# crypto ca import mycompany certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems. 

Would you like to continue with this enrollment? [yes/no]: y

% The fully-qualified domain name in the certificate will be: 2.2.2.2

Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
MII…here should be the signed ASA certificate…
quit
INFO: Certificate successfully imported
(config)#

5. Import the Certificate of your CA

(config)# crypto ca authenticate mycompany
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MII…here should be the CA certificate…
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint: 48074e30 5ed1307f 32d85844 d1ac67b7
Do you accept this certificate? [yes/no]: yes

Trustpoint 'mycompany' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.

% Certificate successfully imported
(config)#

6. Import the Certificates of your subordinate CAs and the root CA

(config)# crypto ca trustpoint mycompany_rootca
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# exit
(config)# crypto ca authenticate mycompany_rootca
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MII…here should be the root CA certificate…
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint: f1af48ee bc5d1c1d 9f96ec3e bcef986b
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

% Certificate successfully imported
(config)#

7. Make a backup of your Certificates, private-keys

(config)# crypto ca export mycompany pkcs12 yourpasswordhere

and the restore:

(config)# crypto ca import mycompany pkcs12 yourpasswordhere
Posted in: ASA, Cisco, Security, VPN