08-02-2017 11:58 PM
hi,
I'm going to upgrade an ASA 5510 to an ASA 5525-X. The existing 5510 is currently an AnyConnect VPN server.
I noticed there's a trustpoint configured (the old admin used/generated it via ASDM) and pre-configured it on the 5525.
Does the trustpoint have a dependency on AnyConnect RA VPN?
Will the config difference below 'break' AnyConnect?
ASA 5510 (ver 9.1)
crypto ca trustpoint ASDM_TrustPoint1
keypair ASDM_TrustPoint1
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 137a39
30820521 30820409 a
<SNIP>
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
ASA 5525-X (ver 9.4)
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
keypair ASDM_TrustPoint1
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 88368259
308202ba 308201a2
<SNIP>
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
08-03-2017 04:44 AM
The clients need to trust the VPN-Server. Is the certificate in ASDM_TrustPoint1 on the 5510 a self-signed one or one from a public CA? I would export the certificate and private-key on the old one and import it on the new ASA into a new trustpoint. Then activate this trustpoint for your VPN.
08-03-2017 07:25 AM
hi Karsten,
how would you check if the cert is self-signed or from a public CA? Is there a command I could use?
I tried to copy/paste the cert hex from the 5510 but it showed me an error:
ERROR: Public key contained in the device certificate doesn't match the device's
ciscoasa(config-ca-crl)# crypto ca certificate chain ASDM_TrustPoint1
ciscoasa(config-cert-chain)# certificate 137a39
Enter the certificate in hexadecimal representation....
ciscoasa# 30820521 30820409 a0030201 02020313
<SNIP>
ciscoasa(config-pubkey)# e3b0f8db a7
ciscoasa(config-pubkey)# quit
ERROR: Public key contained in the device certificate doesn't match the device's
I went ahead and generated a self-signed cert and enrolled afterwards.
ciscoasa(config)# crypto key generate rsa general-keys label ASDM_TrustPoint1 modulus 2048
INFO: The name for the keys will be: ASDM_TrustPoint1
Keypair generation process begin. Please wait...
ciscoasa(config)# crypto ca enroll ASDM_TrustPoint1
% The fully-qualified domain name in the certificate will be: ciscoasa
% Include the device serial number in the subject name? [yes/no]: no
Generate Self-Signed Certificate? [yes/no]: yes
After the above I was able to type this command:
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
I would assume the old admin did a self-signed cert since our environment doesn't have PKI.
Please correct me: when you say it's a public CA/PKI, it has the domain name, country, etc. fields, right?
08-03-2017 07:42 AM
You can look at the certificate with "show crypto ca certificate". But anyhow, if you export it on the old ASA and import it on the new one, it will have the same "trust-status" as before.
08-03-2017 07:54 AM
hi,
It looks like it has a public CA on the 5510.
Could you advise on the steps for how to 'export' it to the 5525-X?
Or will the self-signed cert I generated on the 5525-X suffice?
# show crypto ca certificate
Certificate
Status: Available
Certificate Serial Number: 137a39
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=RapidSSL CA
o=GeoTrust\, Inc.
c=US
Subject Name:
cn=*.xyz.net
ou=Domain Control Validated - RapidSSL(R)
ou=See www.rapidssl.com/resources/cps (c)14
ou=GT02345214
serialNumber=XYa9uMV1vgWcrlFkJjw7pt-LVVABC123
OCSP AIA:
URL: http://rapidssl-ocsp.geotrust.com
CRL Distribution Points:
[1] http://rapidssl-crl.geotrust.com/crls/rapidssl.crl
Validity Date:
start date: 22:34:33 UTC Jun 15 2014
end date: 05:13:51 UTC Jul 18 2018
Associated Trustpoints: ASDM_TrustPoint1
08-03-2017 08:37 AM
Certificates that are referenced by trustpoints need several bits to make them valid on a given device. The certificate itself is just one of those bits.
You also need the private key that was used to generate the Certificate Signing Request (CSR). Without that, the certificate is invalid. Typically on an ASA the private key may not be exportable unless it was marked as such when generated. Your signing CA (geotrust in your example) is usually able to generate a new certificate when rehosting to a device where you are unable to copy over the original private key.
The other bits are any intermediate certificates in the chain between the public trusted root CA and the signing CA. That's also known as the certificate chain and is usually available from the public CA's web site in various formats.
08-03-2017 08:42 AM
Marvin,
can't I just do an export/import between the 5510 and 5525 for ASDM_TrustPoint1?
ciscoasa(config)# crypto ca export ASDM_TrustPoint1 pkcs12 cisco123
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIINrwIBAzCCDWkGCSqGSIb3DQEHAaCCDVoEgg1WMIINUjCCDU4GCSqGSIb3DQEH
<SNIP>
GgUABBTdNlD8PHam0stRBZK32os0BmrdQAQU99rJlI3qNx40t0AqZpijZ8RrqToC
AgQA
-----END PKCS12-----
08-03-2017 08:50 AM
Ah - my oversight - you're correct. I had forgotten the ASA lets you export the pkcs12 blob. That does include both the certificate and private key.
I'm used to importing them in - like as a wildcard certificate - in which case I usually need to get a hold of the private key separately.
You can test your remote access VPN on the new ASA before going live with it - just plug your laptop into the outside interface and hard code its IP address as the ASA outside gateway, make a local host file entry on the laptop for the ASA's FQDN and launch Anyconnect as usual.
08-03-2017 09:01 AM
Marvin,
thanks for the tip!
One last thing: I've noticed the ASDM_TrustPoint0 CA cert has a longer validity, till 2020, vs ASDM_TrustPoint1, which is valid only till 2018.
Can I point to ASDM_TrustPoint0 instead?
Will AnyConnect 'break' or not work in 2018 when the CA cert expires?
08-03-2017 09:22 AM
You can only use the certificate associated with your ASA's private key. It is also the certificate which has your ASA's FQDN as the Common Name (CN). That's what makes the whole chain of trust concept work.
Certificates always have a fixed lifetime and need to be re-issued (re-purchased in the case of public ones) when they expire.
If you let a certificate expire, the client will get a warning about an untrusted site due to invalid (expired) certificate when they connect. Unless they explicitly accept it, the SSL VPN will not establish.
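The checks discussed in this thread (does the exported bundle carry the private key, does that key match the certificate, which is what the "Public key contained in the device certificate doesn't match" error quoted earlier is about, is the cert self-signed or CA-issued as Karsten asked, and has it expired as Marvin describes) can all be run on a PKCS12 export from a workstation before importing it into the new ASA. The script below is an added example for this thread, not Cisco code or ASA output. It assumes the third-party Python `cryptography` package; the CN vpn.example.invalid, the bundle label and the test keys are constructed in memory, and the password `cisco123` is the one from the export command quoted above.

```python
"""Checks a trustpoint's PKCS12 export the way one would before importing it.

Added example for this thread, not Cisco code. Requires the third-party
`cryptography` package. Every key and certificate below is constructed in
memory; the CN vpn.example.invalid and the bundle label are placeholders.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
SPKI = serialization.PublicFormat.SubjectPublicKeyInfo


def key_matches_cert(key, cert):
    """The check the ASA applies when a certificate is pasted under a trustpoint:
    the trustpoint's keypair must produce the SubjectPublicKeyInfo in the cert."""
    return key.public_key().public_bytes(DER, SPKI) == cert.public_key().public_bytes(DER, SPKI)


def is_self_signed(cert):
    """Issuer equals subject AND the signature verifies under the cert's own RSA key.
    A public-CA cert (issuer 'RapidSSL CA' in the thread) fails the first test."""
    if cert.issuer != cert.subject:
        return False
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def is_expired(cert, now=None):
    """True once not_valid_after is in the past (clients then warn or refuse)."""
    now = now or datetime.now(timezone.utc)
    return cert.not_valid_after.replace(tzinfo=timezone.utc) < now


def inspect_pkcs12(blob, password):
    """Summarise a PKCS12 bundle: private key present, key/cert match,
    self-signed or CA-issued, expired, and how many chain (intermediate) certs."""
    key, cert, chain = pkcs12.load_key_and_certificates(blob, password)
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "has_private_key": key is not None,
        "key_matches_cert": key is not None and key_matches_cert(key, cert),
        "self_signed": is_self_signed(cert),
        "expired": is_expired(cert),
        "chain_length": len(chain or []),
    }


def make_self_signed(cn, key, not_before, not_after):
    """Build a self-signed RSA cert (constructed test data, the equivalent of
    answering 'yes' to 'Generate Self-Signed Certificate?' on the ASA)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)  # issuer == subject
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_after)
            .sign(key, hashes.SHA256()))


def run_demo(password=b"cisco123"):
    """Exercise the checks on constructed data: a good bundle, a key that does
    not belong to the cert (the import error in the thread), and an expired cert."""
    now = datetime.now(timezone.utc)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = make_self_signed("vpn.example.invalid", key,
                            now - timedelta(days=1), now + timedelta(days=365))
    blob = pkcs12.serialize_key_and_certificates(
        b"ASDM_TrustPoint_demo", key, cert, None,
        serialization.BestAvailableEncryption(password))
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old_cert = make_self_signed("vpn.example.invalid", key,
                                now - timedelta(days=800), now - timedelta(days=30))
    return {
        "bundle": inspect_pkcs12(blob, password),
        "wrong_key_matches": key_matches_cert(other_key, cert),
        "old_cert_expired": is_expired(old_cert),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

To check a real export, read the `-----BEGIN PKCS12-----` block from the ASA into a file, base64-decode it, and pass the bytes and the export password to `inspect_pkcs12`; a `self_signed` of False together with an issuer like the RapidSSL one above tells you the cert is CA-issued and the intermediates (`chain_length`) need to travel with it.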
08-03-2017 09:51 AM
Hi Marvin,
I started a thread a couple days ago about a problem with VPN but the communication is too slow and I need to solve this ASAP. Can you help me out please???
Thanks in advance. BR.
08-03-2017 06:49 PM
Please don't hijack unrelated threads.
08-03-2017 05:50 AM
Check the following:
sh run ssl | i trust-point
That will show you which trustpoint anyconnect is using.
08-03-2017 07:01 AM
hi Marvin,
I got this line already pre-configured on the 5525-X.
I just need to ensure AnyConnect will work before I do the cutover.
# sh run ssl | i trust-point
ssl trust-point ASDM_TrustPoint1 outside