If you need to deploy Cisco’s AnyConnect VPN client to a larger number of users, the rollout goes dramatically smoother if you first install on the ASA an SSL certificate issued by a public Certificate Authority (DigiCert, GoDaddy, etc.). The advantages of this are: A) the AnyConnect client downloads and installs automatically without any user intervention, and B) the end user does not have to keep clicking “Continue” through the pop-ups and prompts warning about an untrusted SSL connection (prompts which also train users to accept whatever certificate is presented, including one from a man-in-the-middle).
For around $30 per year, GoDaddy will issue a public identity certificate for your Cisco ASA firewall / VPN appliance, so the procedure below shows how to do this with GoDaddy…
The procedure below assumes 1) you have CLI access to your ASA appliance and 2) you have already configured and verified AnyConnect operation on your firewall.
STEP#0: Make preparations.
- Create an “A” or “CNAME” record in your public DNS zone so your end users can open a web browser and navigate to the firewall by name. This also matters for CA signing of your identity certificate: the CA validates that you control the name, and browsers and AnyConnect only trust the certificate if the name in it matches the name the user connects to (connecting by IP address will still produce a warning). I recommend an easy name like “vpn.yourcompany.com”.
- Make sure you set the ASA’s domain-name to match the public DNS domain (if it is set to something like “yourcompany.local”, change it to “yourcompany.com”):
(config)# domain-name yourcompany.com <enter>
- I recommend also setting the Firewall’s hostname to match the public hostname
(config)# hostname vpn <enter>
STEP#1: Obtain a CA/root cert before requesting an identity (ID) cert from the CA.
- Navigate to https://certs.godaddy.com/repository, click on “GoDaddy Certificate Chain”, and download a compatible chain file (I used the last link). This downloads a file named “gd_bundle-g2-g1.crt”. The first certificate in the bundle is the intermediate CA (“Go Daddy Secure Certificate Authority - G2”) that will actually sign your identity certificate, and that is the one the ASA needs in its Trustpoint.
- The Cisco ASA CLI only accepts Base64 (PEM) encoded certificates, and only one at a time, so you must extract the first certificate from the bundle in that format before it can be pasted into the ASA CLI. You can do this in Windows by right-clicking on the cert file and opening it in Windows Crypto Shell Extensions (which displays only the first certificate in the file, which is the one you want)…
- Next, click on the “Details” tab… then click “Copy to File”…
- Next, select “Base-64 encoded X.509 (.CER)” and save the file calling it something like “godaddy-root-cert.cer”.
- Now it’s time to create a Trustpoint and install this GoDaddy CA certificate (NOTE: THESE COMMANDS ASSUME YOU ARE IN GLOBAL CONFIGURATION MODE). Before asking you to accept it, the ASA prints the certificate’s fingerprint; compare it with the fingerprint shown on the “Details” tab of the file you exported, and only then answer yes.
crypto ca trustpoint TP_1
 enrollment terminal
 exit
crypto ca authenticate TP_1
-- COPY / PASTE THE CONTENTS OF “godaddy-root-cert.cer” (INCLUDING THE BEGIN/END CERTIFICATE LINES) --
quit
Do you accept this certificate? [yes/no]: yes
STEP#2: Generate a new RSA keypair. 2048 bits is the minimum a public CA will sign; the label is your choice and is referenced by the Trustpoint in the next step.
crypto key generate rsa label godaddy.key modulus 2048
STEP#3: Generate a certificate signing request (CSR) to send to the CA (which they will use to issue a publicly signed identity certificate for you to import).
crypto ca trustpoint TP_1
 keypair godaddy.key
 id-usage ssl-ipsec
 no fqdn
 subject-name CN=vpn.yourcompany.com
 exit
crypto ca enroll TP_1
Include the device serial number in the subject name? [yes/no]: yes
Display Certificate Request to terminal? [yes/no]: yes
- With “no fqdn” the CSR carries only the CN. That is fine with GoDaddy, which copies the CN into the Subject Alternative Name of the issued certificate (browsers require the SAN and public CAs always populate it). Answering “no” to the serial-number question is equally acceptable and keeps the subject clean; the CA issues on the CN either way.
- Next, save the CSR exactly as displayed in the CLI (including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines) into a TXT file on your computer (I recommend naming it “GODADDY-SIGNING-REQUEST.txt”). The text is Base64-encoded, not encrypted, and contains only your public key and subject, so it is safe to send to the CA; the private key never leaves the ASA.
- Next, log in to your GoDaddy web portal, navigate to the certificate request page, and upload or paste the CSR contents where prompted.
STEP#4: Receive / import the public identity certificate. After a short period of time (usually less than 5 minutes, once domain validation completes), you will receive (or have available in the web portal) the identity certificate.
- Download the public identity certificate (i.e., “2b1f2bbaaae955.crt”).
- As in Step#1, the ASA only accepts Base64, so convert the public identity certificate into “Base-64 encoded X.509 (.CER)” (if the file GoDaddy delivered is already a text file beginning with “-----BEGIN CERTIFICATE-----”, no conversion is needed) and save it as something like “godaddy-identity-cert.cer”.
- Next, import the public identity certificate into the same Trustpoint. The import only succeeds if the CA certificate you authenticated in Step#1 is the issuer of this certificate; an issuer mismatch (for example, having pasted a root instead of the intermediate) is the most common reason the import is rejected…
crypto ca import TP_1 certificate
-- COPY / PASTE THE CONTENTS OF “godaddy-identity-cert.cer” (INCLUDING THE BEGIN/END CERTIFICATE LINES) --
quit
- The ASA confirms with “INFO: Certificate successfully imported”.
STEP#5: Once the CA’s publicly signed identity certificate is installed, bind the associated Trustpoint to the WAN interface so the ASA presents it to HTTPS and AnyConnect clients (“outside” is the nameif of that interface; adjust it if yours differs), then save the configuration.
ssl trust-point TP_1 outside
STEP#6: Last, from an outside connection, browse to https://vpn.yourcompany.com (by name, not by IP address) and verify the browser shows no certificate security warning and that the certificate chain ends at the GoDaddy root. Then test an AnyConnect connection: the client validates the certificate against the operating system’s trust store, so it should also connect without a prompt.
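The whole procedure as one consolidated ASA CLI session, with the verification commands the steps above do not show. This is an added example, not part of the original post. The Trustpoint name TP_1, key label godaddy.key, hostname vpn, domain yourcompany.com and interface name outside are the post’s placeholders; substitute your own. The interactive prompts (fingerprint acceptance, CSR display, paste-then-quit) are shown as comments where they occur.

```cisco
! STEP#0: device identity (assumed placeholders: vpn / yourcompany.com)
hostname vpn
domain-name yourcompany.com

! STEP#2: 2048-bit RSA key; the label is what the trustpoint references
crypto key generate rsa label godaddy.key modulus 2048

! STEP#1 + STEP#3: trustpoint for GoDaddy, manual (terminal) enrollment
crypto ca trustpoint TP_1
 enrollment terminal
 keypair godaddy.key
 id-usage ssl-ipsec
 subject-name CN=vpn.yourcompany.com
 no fqdn
 exit

! STEP#1: authenticate the issuing CA
! paste the first (intermediate) certificate from gd_bundle-g2-g1.crt,
! end with "quit", compare the printed fingerprint with the .cer file,
! then answer "yes" to "Do you accept this certificate?"
crypto ca authenticate TP_1

! STEP#3: generate the CSR; answer "yes" to "Display Certificate Request
! to terminal?" and copy the output to GODADDY-SIGNING-REQUEST.txt
crypto ca enroll TP_1

! STEP#4: paste the signed identity certificate from GoDaddy, end with "quit"
! (expect: INFO: Certificate successfully imported)
crypto ca import TP_1 certificate

! STEP#5: present the certificate on the WAN interface and save
ssl trust-point TP_1 outside
write memory

! Verification: TP_1 must list both a CA Certificate and an Identity
! Certificate, Status: Available, with Subject CN=vpn.yourcompany.com
show crypto ca certificates TP_1
! the outside interface must be listed against TP_1
show ssl
! the key the trustpoint references must exist
show crypto key mypubkey rsa
```

If `show crypto ca certificates TP_1` shows only the CA certificate, the import in STEP#4 did not succeed; re-check that the CA certificate pasted in STEP#1 is the intermediate that issued your certificate, not one of the roots further down the bundle.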