Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
194
Views
2
Helpful
2
Replies

Providing certificates for ASA SSL VPN Authentication

Go to solution
Crag Muer
Level 1
Level 1

‎04-19-2024 04:20 PM

I'd like to know if it's possible to give a remote client a certificate that they can import to use for SSL VPN authentication instead of having them generate the request and giving it to us to sign and hand back to them. Using an enrollment server in our current environment is not feasible and having as little user interaction on the client side is greatly needed.

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Crag Muer
Level 1
Level 1

‎04-19-2024 04:44 PM

In messing around with this a bit more I'm going to answer my own question here in case anyone is looking to do something similar.

As stated in the original question, our main requirement for this was to have as little end-user interaction as possible. Many of the clients we deal with are extremely weary of technology and even the mere mention of certificates is already too much. Our goal was to be able to provide a client with a single file they could double click and then use that for SSL VPN authentication.

So in order to do this, request a certificate with your CA, in our case a Windows Server running Microsoft certificate services, and then sign that certificate. Next you need to export that certificate with its private key included, so don't forget to make the private key exportable when you create the request. Next issue the certificate, but you can't simply export the issued certificate directly from certificate services. What you need to do first is export the certificate and then import it into the local certificate authorities certificate store (User/Machine - Personal Store). Then you can export it from there with the private key included and hand that single file to the client to double click and import into their certificate store.

View solution in original post

2 Replies 2

Go to solution
Crag Muer
Level 1
Level 1

‎04-19-2024 04:44 PM

In messing around with this a bit more I'm going to answer my own question here in case anyone is looking to do something similar.

As stated in the original question, our main requirement for this was to have as little end-user interaction as possible. Many of the clients we deal with are extremely weary of technology and even the mere mention of certificates is already too much. Our goal was to be able to provide a client with a single file they could double click and then use that for SSL VPN authentication.

So in order to do this, request a certificate with your CA, in our case a Windows Server running Microsoft certificate services, and then sign that certificate. Next you need to export that certificate with its private key included, so don't forget to make the private key exportable when you create the request. Next issue the certificate, but you can't simply export the issued certificate directly from certificate services. What you need to do first is export the certificate and then import it into the local certificate authorities certificate store (User/Machine - Personal Store). Then you can export it from there with the private key included and hand that single file to the client to double click and import into their certificate store.

Go to solution
Aref Alsouqi
VIP
VIP

‎04-20-2024 04:52 AM

If the endpoints are domain joined, you can push the certificates to them as part of joining the domain. In that case they will have zero interaction with anything.

0 Helpful
Customers Also Viewed These Support Documents