Thursday 13 October 2016

ASA as a CA server:
====================

Check existing certificates: sh crypto ca certificate

1. The clock must be correct.

Check existing keys: show crypto key mypubkey rsa

Generate keys:

crypto key generate rsa label mykey modulus 2048

Enter CA server configuration mode:

crypto ca server

CA server name:

issuer-name CN=cisco

subject-name-default CN=<name of the CA>, C=IN

Start the CA server: no shutdown

It will ask for a passphrase: enter any passphrase here.

Then you will see: certificate server enabled.

crypto ca server user-db add mitin

Go to this URL: https://ip/+CSCOCA+/login.html

https://10.197.222.122/+CSCOCA+/login.html

https://172.16.0.22/+CSCOCA+/enroll.html

crypto ca server user-db allow mitin display-otp

It will display an OTP; give that OTP to the user.
The user enters the username and the OTP, and the certificate is downloaded.
The user then enters the passphrase.


clear configure crypto ca server : clears the CA server configuration.
Whenever we shut down a CA server it also deletes the user database, so be careful here.

Via ASDM: Local CA authority
Manage user database >> allow re-registration

Once we enable the CA server, we can see a CA certificate on the firewall where "issued by" and "issued to" are the same. This is called the root certificate.






===========================================================
How to add a certificate using the CLI:

Generate CSR:
===============
Generate key: crypto key generate rsa label mykey modulus 2048
crypto ca trustpoint ca
enrollment terminal : this enables terminal enrollment, where we copy and paste the certificate text
enrollment self : this means generate a self-signed certificate
Tell it which key pair to use:
keypair mykey

Remove the FQDN: fqdn none
subject-name CN=asa.cisco.com
crypto ca enroll <trustpoint name>   (here the trustpoint is named "ca": crypto ca enroll ca)
Include the device serial number in the subject name? no

This will generate the CSR.
Now copy it and send it to the CA.

Certificates come in two encodings: DER and base64.

crypto ca import ca certificate --------> this imports the ID cert.
crypto ca authenticate ca ---------------> this imports the Root CA cert.
crypto ca enroll ca ---------------------> generates the CSR.
These are the only three options available.

crypto ca import ca certificate
paste the certificate text here
quit

debug crypto ca message 255

If the certificate was generated with SHA-256 and we try to import it on older code (8.0, 8.2), it will give an error.
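As an added check (example code, not from the original post): before pasting a certificate into crypto ca import on an older ASA, confirm that the base64 text decodes to valid DER and read the signature-algorithm OID, so a SHA-256 certificate is caught before the import error. The sample certificate is constructed inline and is not a real certificate; the helper names are my own.

```python
import base64
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def pem_to_der(text):
    """Drop the BEGIN/END lines of a pasted PEM block and base64-decode the body."""
    body = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Encoded OID bytes -> dotted text (first byte packs two arcs, rest are base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """(oid, name) of the outer signatureAlgorithm: Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    tag, cert, _ = read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong encoding or corrupted paste")
    _, _, pos = read_tlv(cert, 0)            # skip tbsCertificate
    _, algid, _ = read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_raw, _ = read_tlv(algid, 0)
    oid = decode_oid(oid_raw) if tag == 0x06 else "?"
    return oid, SIG_OIDS.get(oid, "unknown")

def der(tag, content):
    """Tiny DER encoder (short and long length form), only used to build the sample."""
    if len(content) < 128:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def constructed_sample(sig_oid_bytes):
    """CONSTRUCTED, not a real cert: dummy long-form tbsCertificate + real AlgorithmIdentifier + empty BIT STRING."""
    tbs = der(0x30, der(0x02, b"\x02") + der(0x04, b"\x00" * 200))
    algid = der(0x30, der(0x06, sig_oid_bytes) + der(0x05, b""))
    b64 = base64.encodebytes(der(0x30, tbs + algid + der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
```

Run signature_algorithm() on the text you are about to paste; if it reports sha256WithRSAEncryption and the ASA runs 8.0/8.2 code, expect the import error described above.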

==========================================================
ECHQ VPN
vpn.ensenta.com


SCEP : Simple Certificate Enrollment Protocol
It is an automatic enrollment procedure. We can configure the ASA to get a certificate automatically: the ASA is configured as a SCEP client and then sends the request to your CA server.

http://10.197.222.221/certsrv/mscep/mscep.dll
ASA as SCEP client:
crypto ca trustpoint ca
enrollment url http://ip/certsrv/mscep/mscep.dll
subject-name CN=ASAme2
exit
crypto ca authenticate ca
This will automatically download the root CA certificate.

crypto ca import ca certificate / crypto ca enroll ca -----> this requests a certificate from the CA using SCEP. Both commands do the same thing.

sh crypto ca certificate --> this shows the ID certificate that we have received.

CA server: 10.77.178.91




