Cisco ASA – Adding a 3rd Party (Geotrust) SSL Certificate

Well, the SECURE exam went well, so now it's straight on to the VPN exam. The content is almost all about SSL VPN. We have a few customers using it, but this seems like a chance to really get into the nitty-gritty. The usual issue with SSL VPNs is that the certificate on the ASA is self-signed and causes all manner of security warnings, which puts most customers right off. The task for this blog, then, is to install a real third-party certificate from GeoTrust and back it up. I'm installing this onto a lab ASA, so I'd like to shift the certificate to a production machine eventually.

Step 1 – Get the time right

I usually get some time servers by querying uk.pool.ntp.org (from a unix prompt)

# host uk.pool.ntp.org
uk.pool.ntp.org has address 213.229.82.130
uk.pool.ntp.org has address 217.114.59.66
uk.pool.ntp.org has address 85.119.80.233

So now we can add this info via the ASDM or the CLI (shown). Getting the clock right matters because the ASA checks certificate validity dates, so a wrong clock can get a perfectly good CA or identity certificate rejected as not yet valid or expired. Note also that the ASA takes the NTP server as an IP address here and pool.ntp.org addresses rotate, so on a production box use fixed servers you trust rather than whatever the pool returned on the day:

SSL-ASA(config)# clock timezone GMT 0
SSL-ASA(config)# clock summer-time BST recurring

SSL-ASA(config)# ntp server 213.229.82.130 source OUTSIDE
SSL-ASA(config)# ntp server 85.119.80.233 source OUTSIDE
SSL-ASA(config)# ntp server 217.114.59.66 source OUTSIDE

SSL-ASA(config)# sh clock
09:56:10.370 BST Mon Apr 23 2012

Step 2 – Generate the CSR (Certificate Signing Request)

This can be done from the ASDM or by the CLI. I'll be using the CLI, mainly because I hate doing screen grabs! Only the CSR leaves the box; the private key is generated on the ASA and stays there.

! Make a new RSA key pair and label it accordingly
SSL-ASA(config)# crypto key gen rsa label ssl.geotrust.key modulus 2048
INFO: The name for the keys will be: ssl.geotrust.key
Keypair generation process begin. Please wait...

! Create a trustpoint
SSL-ASA(config)# crypto ca trustpoint ssl.geotrust.trustpoint
SSL-ASA(config-ca-trustpoint)# subject-name CN=webvpn.gconnect.net,O=Gconnect,C=GB,St=Lancashire,L=Manchester
SSL-ASA(config-ca-trustpoint)# keypair ssl.geotrust.key
SSL-ASA(config-ca-trustpoint)# fqdn webvpn.gconnect.net
SSL-ASA(config-ca-trustpoint)# enrollment terminal 
SSL-ASA(config-ca-trustpoint)# exit

! Do the enrolment
SSL-ASA(config)# crypto ca enroll ssl.geotrust.trustpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment .. 
% The subject name in the certificate will be: CN=webvpn.gconnect.net,O=Gconnect,C=GB,St=Lancashire,L=Manchester

% The fully-qualified domain name in the certificate will be: webvpn.gconnect.net

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
[...]
ihI1Rj2KhLyOipTQr6FI25JGCBzBMw8i9z
FZWIKlnxp3DXmeUQINW/aurUvUOigiDPjy2goPrpZBnRLlZGKUjdFpfBpd04oVbu
5bsYSnJIIIaIW0Cseg3p4QFmhA/THr7P2vUE4o/VvzTBUGn5cU7gl2KM6pkqDWdg
DfO0nvfhSWp1d1YMGaQK1oBPO++K++mNIALK3UK/j/B8bsW5V3uIV9Zbun4+pYO5
r2POIrX+RFxLwJbLcR85krkLf5rJ8KI=
-----END CERTIFICATE REQUEST-----

Redisplay enrollment request? [yes/no]: no
SSL-ASA(config)#

Step 3 – Get GeoTrust to sign the CSR

====/ TIME PASSES /====

Step 4 – Add the CA Certificate

We need to add the GeoTrust intermediate CA now, just like we do on a web server. Clients trust the root, not the intermediate, so the ASA has to hold the intermediate in order to send it along with the identity certificate. Paste the intermediate that actually issued your certificate, and before answering yes at the prompt compare the fingerprint the ASA prints (16 bytes, an MD5 of the certificate) against the value GeoTrust publishes for that intermediate rather than just accepting whatever was pasted:

SSL-ASA(config)# crypto ca authenticate ssl.geotrust.trustpoint
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint:     f4858289 ead55c53 b36d4b55 3f267837 
Do you accept this certificate? [yes/no]: yes

Trustpoint 'ssl.geotrust.trustpoint' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.

% Certificate successfully imported

Step 5 – Now install the identity certificate

SSL-ASA(config)# crypto ca import ssl.geotrust.trustpoint certificate 
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: webvpn.gconnect.net

Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported

Step 6 – Assign the certificate to the interface

SSL-ASA(config)# ssl trust-point ssl.geotrust.trustpoint outside

So that was fairly straightforward, but when I browsed to my ASA to run the ASDM from the INSIDE interface I got the usual plethora of certificate errors. Silly me, I needed to set the inside interface to use the new cert too:

SSL-ASA(config)# ssl trust-point ssl.geotrust.trustpoint INSIDE

Now it all works fine. Of course I had to set up an appropriate DNS record to point at the ASA (OUTSIDE). Bear in mind that the browser compares the name you connect with against the certificate's CN/SAN, so the ASDM on the inside also has to be reached as webvpn.gconnect.net (resolving to the inside address) rather than by IP address, or you will still get a name-mismatch warning.
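Before any of the above gets pasted into the ASA, it is worth checking the blobs offline from the same unix prompt the `host` lookup was done from. The script below is an added example, not part of the original post and not Cisco's or GeoTrust's tooling; it needs only the openssl CLI. It shows how to check the CSR the ASA printed (subject, key size, signature), how to print a CA certificate's fingerprint in the exact form `crypto ca authenticate` displays it so it can be compared with the value the CA publishes (ignoring colons and case), how to confirm the issued certificate chains to the intermediate, carries the ASA's own public key and is valid for the fqdn clients will use, and how to look inside a base64 PKCS#12 export like the one the Backup step produces. Because real keys and certificates cannot be embedded here, the CSR, "intermediate" CA, issued certificate and PKCS#12 blob are constructed at run time with throwaway keys and the made-up names `webvpn.example.test` and `Example Intermediate CA`; with real files, call the functions on the text saved from the ASA and from GeoTrust instead.

```shell
#!/bin/sh
# Added example (not from the original post, Cisco or GeoTrust): offline checks
# on the PEM blobs that travel between the ASA and the CA. Needs the openssl CLI.
# All input material is constructed below with throwaway keys so it runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Fingerprint in the form `crypto ca authenticate` prints it: the ASA shows
# 16 bytes, i.e. an MD5 of the DER certificate, lowercase, in 4-byte groups.
asa_fingerprint() {   # $1 = PEM certificate, $2 = digest (default md5)
    openssl x509 -in "$1" -noout -fingerprint -"${2:-md5}" \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f' \
        | sed 's/\(........\)/\1 /g; s/ *$//'
}

# Compare what the ASA displayed with what the CA publishes, ignoring case,
# colons and grouping, so the two formats are matched exactly, not by eye.
fingerprints_match() {   # $1 = ASA output, $2 = published value
    a=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Checks on the CSR the ASA printed, before it goes to the CA.
csr_subject()  { openssl req -in "$1" -noout -subject | sed 's/^subject=//'; }
csr_key_bits() { openssl req -in "$1" -noout -pubkey \
                   | openssl pkey -pubin -noout -text \
                   | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
csr_verify()   { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Checks on the certificate that came back, before `crypto ca import`: it must
# chain to the intermediate you are about to authenticate (-partial_chain lets
# the intermediate alone act as the anchor, as it does on the ASA), carry the
# public half of the key pair generated on the ASA, and be valid for the name
# clients and the ASDM browser will connect to.
cert_chains_to()   { openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1; }
cert_matches_csr() {   # $1 = issued certificate, $2 = CSR
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    r=$(openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$c" = "$r" ]
}
cert_valid_for_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match'; }

# `crypto ca export ... pkcs12 <password>` prints a base64 PKCS#12 blob that
# contains the private key. Decode it and count the certificates inside before
# relying on it as a backup (and store it as carefully as the key itself).
pkcs12_cert_count() {   # $1 = file holding the base64 text, $2 = password
    openssl base64 -d -in "$1" | openssl pkcs12 -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Constructed stand-ins (made-up names, throwaway keys): a self-signed
# "intermediate", a CSR like the ASA's, a certificate signed by that CA, and a
# base64 PKCS#12 holding key, certificate and CA, like the ASA export.
make_sample_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Intermediate CA/O=Example" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/asa.key" -out "$WORK/asa.csr" \
        -subj "/CN=webvpn.example.test/O=Example/C=GB" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/asa.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/asa.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/asa.pem" -inkey "$WORK/asa.key" -certfile "$WORK/ca.pem" \
        -passout pass:backup-pw | openssl base64 > "$WORK/backup.b64"
}

main() {
    make_sample_material
    echo "CSR subject     : $(csr_subject "$WORK/asa.csr")"
    echo "CSR key size    : $(csr_key_bits "$WORK/asa.csr") bits"
    csr_verify "$WORK/asa.csr" && echo "CSR signature   : OK"
    echo "CA fingerprint  : $(asa_fingerprint "$WORK/ca.pem")   (compare with the ASA prompt)"
    cert_chains_to "$WORK/asa.pem" "$WORK/ca.pem"    && echo "chain           : OK"
    cert_matches_csr "$WORK/asa.pem" "$WORK/asa.csr" && echo "key matches CSR : OK"
    cert_valid_for_host "$WORK/asa.pem" webvpn.example.test && echo "name matches    : OK"
    echo "certs in backup : $(pkcs12_cert_count "$WORK/backup.b64" backup-pw)"
}
main
```

With real material, the intermediate you pass to `cert_chains_to` and `asa_fingerprint` is the one you are about to paste into `crypto ca authenticate`, and the fingerprint it prints should match both what the ASA shows and what the CA publishes; a mismatch on either side means you are about to trust the wrong certificate. The PKCS#12 check is the same one to run on the `crypto ca export` output before assuming the backup is usable.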

Backup and Restore

The last step is to make a backup of the ASA's SSL trustpoint and associated gubbins. The export prints a base64 PKCS#12 blob to the terminal that contains the private key, protected only by the password you give here, so treat that text with the same care as the key itself:

SSL-ASA(config)# crypto ca export ssl.geotrust.trustpoint pkcs12 <password>

To add this back in afterwards, just use the following command and paste the blob in, ending with "quit" on a line by itself:

SSL-ASA(config)# crypto ca import ssl.geotrust.trustpoint pkcs12 <password>

Well, I'll test that by hosing the config later on, when my other tests have finished, just in case!!!!
