Well, the SECURE exam went well, so now it’s straight on to the VPN exam. The content is almost all about SSL VPN. We have a few customers using it, but this seems like a chance to really get into the nitty-gritty. The usual issue with SSL VPNs is that the certificate on the ASA is self-signed and causes all manner of security warnings, which puts most customers right off. The task for this blog, then, is to install a real third-party certificate from GeoTrust and back it up. I’m installing this onto a lab ASA, so I’d like to shift the certificate to a production machine eventually.
Step 1 – Get the time right
I usually get some time servers by querying uk.pool.ntp.org (from a unix prompt)
# host uk.pool.ntp.org
uk.pool.ntp.org has address 213.229.82.130
uk.pool.ntp.org has address 217.114.59.66
uk.pool.ntp.org has address 85.119.80.233
So now we can add this info via the ASDM or the CLI (shown):
SSL-ASA(config)# clock timezone GMT 0
SSL-ASA(config)# clock summer-time BST recurring
SSL-ASA(config)# ntp server 213.229.82.130 source OUTSIDE
SSL-ASA(config)# ntp server 85.119.80.233 source OUTSIDE
SSL-ASA(config)# ntp server 217.114.59.66 source OUTSIDE
SSL-ASA(config)# sh clock
09:56:10.370 BST Mon Apr 23 2012
Step 2 – Generate the CSR (Certificate Signing Request)
This can be done from the ASDM or by the CLI. I’ll be using the CLI – mainly because I hate doing screen grabs!
! Make a new RSA key pair and label accordingly
SSL-ASA(config)# crypto key gen rsa label ssl.geotrust.key modulus 2048
INFO: The name for the keys will be: ssl.geotrust.key
Keypair generation process begin. Please wait...
! Create a trustpoint
SSL-ASA(config)# crypto ca trustpoint ssl.geotrust.trustpoint
SSL-ASA(config-ca-trustpoint)# subject-name CN=webvpn.gconnect.net,O=Gconnect,C=GB,St=Lancashire,L=Manchester
SSL-ASA(config-ca-trustpoint)# keypair ssl.geotrust.key
SSL-ASA(config-ca-trustpoint)# fqdn webvpn.gconnect.net
SSL-ASA(config-ca-trustpoint)# enrollment terminal
SSL-ASA(config-ca-trustpoint)# exit
! Do the enrolment
SSL-ASA(config)# crypto ca enroll ssl.geotrust.trustpoint
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems. Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=webvpn.gconnect.net,O=Gconnect,C=GB,St=Lancashire,L=Manchester
% The fully-qualified domain name in the certificate will be: webvpn.gconnect.net
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIIDEzCCAfsCAQAwgYwxEzARBgNVBAcTCk1hbmNoZXN0ZXIxEzARBgNVBAgTCkxh
bmNhc2hpcmUxCzAJBgNVBAYTAkdCMREwDwYDVQQKEwhHY29ubmVjdDEcMBoGA1UE
AxMTd2VidnBuLmdjb25uZWN0LddgaDEiMCAGCSqGSIb3DQEJAhYTd2VidnBuLmdj
b25uZWN0Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN65G9ku
WP6wOmlk2JPwnZsrpCxFpHaFFi5OE+FgFoqJNTyx5Dlr+bn8jq9CiqTODj9pISQP
K/etElC3UPstC1LROgRsbU0FY6SBuDlvyLfm7L6hWCf2WUBvia+uWggHr4+wZa/v
xs45dPaw9SO3tHxPZZ/NlYcMrL4ycLIWIbUWL7VIyfWeoZNH/KtxZqsql6emQr3N
0AN8axJKGmumFcl3J2TS7H6PxCMNf0Sj0lT90EZt94d1DLKvrwJLhF/tkVA18soZ
/IeKhBbV6GwXKHDuzLtMng62djVa8/0ifobKo1kwuIW9itjeXntNdpfx5u/9dxbz
fGDqehIuikqidOECAwEAAaBBMD8GCSqGSIb3DQEJDjEyMDAwDgYDVR0PAQH/BAQD
AgWgMB4GA1UdEQQXMBWCE3dlYnZwbi5nY29ubmVjdC5uZXQwDQYJKoZIhvcNAQEE
BQADggEBAByj1zlHmbKM0FZIMUMt/LpiwonDd9h47xjdoycirkT1CUPB3ZUKXvSv
5nCnUOif+8HutasDddasdasde43\\nihI1Rj2KhLyOipTQr6FI25JGCBzBMw8i9z
FZWIKlnxp3DXmeUQINW/aurUvUOigiDPjy2goPrpZBnRLlZGKUjdFpfBpd04oVbu
5bsYSnJIIIaIW0Cseg3p4QFmhA/THr7P2vUE4o/VvzTBUGn5cU7gl2KM6pkqDWdg
DfO0nvfhSWp1d1YMGaQK1oBPO++K++mNIALK3UK/j/B8bsW5V3uIV9Zbun4+pYO5
r2POIrX+RFxLwJbLcR85krkLf5rJ8KI=
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: no
SSL-ASA(config)#
Step 3 – Get Geotrust to sign off the CSR
====/ TIME PASSES /====
Step 4 – Add the CA Certificate
We need to add the Geotrust Intermediate CA now, just like we do on a web server:
SSL-ASA(config)# crypto ca authenticate ssl.geotrust.trustpoint
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIID+jCCAuKgAwIBAgIDAjbSMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjI2MjEzMjMxWhcNMjAwMjI1MjEzMjMxWjBhMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UECxMURG9tYWluIFZh
bGlkYXRlZCBTU0wxGzAZBgNVBAMTEkdlb1RydXN0IERWIFNTTCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKa7jnrNpJxiV9RRMEJ7ixqy0ogGrTs8
KRMMMbxp+Z9alNoGuqwkBJ7O1KrESGAA+DSuoZOv3gR+zfhcIlINVlPrqZTP+3RE
60OUpJd6QFc1tqRi2tVI+Hrx7JC1Xzn+Y3JwyBKF0KUuhhNAbOtsTdJU/V8+Jh9m
cajAuIWe9fV1j9qRTonjynh0MF8VCpmnyoM6djVI0NyLGiJOhaRO+kltK3C+jgwh
w2LMpNGtFmuae8tk/426QsMmqhV4aJzs9mvIDFcN5TgH02pXA50gDkvEe4GwKhz1
SupKmEn+Als9AxSQKH6a9HjQMYRX5Uw4ekIR4vUoUQNLIBW7Ihq28BUCAwEAAaOB
2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIz02ZMKR7wAoErOS3VuoLaw
sn78MB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4ysxOMBIGA1UdEwEB/wQI
MAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5j
b20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAB
hhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZIhvcNAQEFBQADggEBADOR
NxHbQPnejLICiHevYyHBrbAN+qB4VqOC/btJXxRtyNxflNoRZnwekcW22G1PqvK/
ISh+UqKSeAhhaSH+LeyCGIT0043FiruKzF3mo7bMbq1vsw5h7onOEzRPSVX1ObuZ
lvD16lo8nBa9AlPwKg5BbuvvnvdwNs2AKnbIh+PrI7OWLOYdlF8cpOLNJDErBjgy
YWE5XIlMSB1CyWee0r9Y9/k3MbBn3Y0mNhp4GgkZPJMHcCrhfCn13mZXCxJeFu1e
vTezMGnGkqX2Gdgd+DYSuUuVlZzQzmwwpxb79k1ktl8qFJymyFWOIPllByTMOAVM
IIi0tWeUz12OYjf+xLQ=
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: f4858289 ead55c53 b36d4b55 3f267837
Do you accept this certificate? [yes/no]: yes
Trustpoint 'ssl.geotrust.trustpoint' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported
Step 5 – Now install the certificate
SSL-ASA(config)# crypto ca import ssl.geotrust.trustpoint certificate
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems. Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: webvpn.gconnect.net
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIE2DCCA8CgAwIBAgIDBBgxMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQLExREb21haW4gVmFsaWRh
dGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENBMB4XDTEyMDQyMTE3
MDkwMVoXDTEzMDQyNDE2MjQ1MFowgcoxKTAnBgNVBAUTIEI2V0RrdkVldk41aGtU
VlU0cHZvN0JHT0M1em5PbW1tMRMwEQYDVQQLEwpHVDc0Mjg5NDYzMTEwLwYDVQQL
EyhTZWUgd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzIChjKTEyMTcwNQYD
VQQLEy5Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgLSBRdWlja1NTTChSKSBQcmVt
aXVtMRwwGgYDVQQDExN3ZWJ2cG4uZ2Nvbm5lY3QubmV0MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA3rkb2S5Y/rA6aWTYk/CdmyukLEWkdoUWLk4T4WAW
iok1PLHkOWv5ufyOr0KKpM4OP2khJA8r960SULdQ+y0LUtE6BGxtTQVjpIG4OW/I
t+bsvqFYJ/ZZQG+Jr65aCAevj7Blr+/Gzjl09rD1I7e0fE9ln82VhwysvjJwshYh
tRYvtUjJ9Z6hk0f8q3FmqyqXp6ZCvc3QA3xrEkoaa6YVyXcnZNLsfo/EIw1/RKPS
VP3QRm33h3UMsq+vAkuEX+2RUDXyyhn8h4qEFtXobBcocO7Mu0yeDrZ2NVrz/SJ+
hsqjWTC4hb2K2N5ee012l/Hm7/13FvN8YOp6Ei6KSqJ04QIDAQABo4IBLTCCASkw
HwYDVR0jBBgwFoAUjPTZkwpHvACgSs5LdW6gtrCyfvwwDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAeBgNVHREEFzAVghN3ZWJ2
cG4uZ2Nvbm5lY3QubmV0MEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9ndHNzbGR2
LWNybC5nZW90cnVzdC5jb20vY3Jscy9ndHNzbGR2LmNybDAdBgNVHQ4EFgQUxMLf
UpJV1xyt9rqRdEs4U/uFlBEwDAYDVR0TAQH/BAIwADBHBggrBgEFBQcBAQQ7MDkw
NwYIKwYBBQUHMAKGK2h0dHA6Ly9ndHNzbGR2LWFpYS5nZW90cnVzdC5jb20vZ3Rz
c2xkdi5jcnQwDQYJKoZIhvcNAQEFBQADggEBAA+/Zmk5conVk3z1qNxe+3/zIDH9
QZaWYHzW0mLr9TfAzpFRjiSGF/sBZIwGiPGO3vkwnWQdA7/97+3GwcFB8o9wgzbG
7K87gUmI/46u8vtEvo680aWODVC8hbw3rjJMx81pPrx5uKU4JYBFXkqebVwkNPf3
XZnkmfhe/P9CH/CjVUic0lzctXSLiKsc3/evs20LieKMSVFDGLP38qc3beygb1J5
7YzEk7oPQBu8NDDFC6DPVCxJ5FWIaL5/2vHK/A0Ok0apb4nrzOXfMC8nqJ9rm0x5
Ymy+MupppClpL3/w/qUm65culTpb9iVlsYi6svxJoaRVXwJ+9LwL7fe8bs8=
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
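Steps 2, 4 and 5 all move PEM blocks through a terminal by copy and paste, and that is where certificates most often get damaged: a wrapped line, a stray character, a lost line. The ASA reports only a generic import failure, so it is worth checking a block before typing quit. The script below is an added example, not code from the original post or from Cisco; it uses only the Python standard library and verifies that the BEGIN/END markers agree, that the body is strict base64, and that the decoded bytes form exactly one complete DER SEQUENCE (the outer length must account for every byte that follows it). The sample blocks it runs against are constructed: a ten-byte toy DER structure wrapped as a certificate, then the same block with a stray backslash-n inserted, a truncated copy, and mismatched markers. The CSR as reproduced in Step 2 contains a backslash in its body, which is not a base64 character, so it would fail the second check in the same way.

```python
"""Structural pre-check for a PEM block before it is pasted into the ASA
(crypto ca authenticate / crypto ca import), or for a CSR copied off the
terminal before it goes to the CA. Added example; standard library only.

Three things are verified:
  1. BEGIN and END markers are present and name the same object type;
  2. the body is strict base64 (alphabet and padding);
  3. the decoded bytes form exactly one DER SEQUENCE, i.e. the length in the
     outer header equals the number of bytes that follow it.
"""
import base64
import binascii
import re

_MARKER = re.compile(r"-----(BEGIN|END) ([A-Z ]+)-----")
_B64_CHAR = re.compile(r"[A-Za-z0-9+/=]")


def der_sequence_length(der: bytes):
    """Return (header_len, content_len) for a DER SEQUENCE header, or None
    when the bytes do not begin with a correctly encoded SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    length = int.from_bytes(der[2:2 + n], "big")
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        return None                        # DER demands the shortest encoding
    return 2 + n, length


def check_pem(text: str):
    """Return (ok, message) for a single PEM block."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        return False, "too short to be a PEM block"
    begin, end = _MARKER.fullmatch(lines[0]), _MARKER.fullmatch(lines[-1])
    if not begin or begin.group(1) != "BEGIN":
        return False, "missing BEGIN marker"
    if not end or end.group(1) != "END":
        return False, "missing END marker (the ASA waits for 'quit' after it)"
    if begin.group(2) != end.group(2):
        return False, f"marker mismatch: BEGIN {begin.group(2)} / END {end.group(2)}"
    body = "".join(lines[1:-1])            # PEM tolerates any line wrapping
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        bad = sorted({c for c in body if not _B64_CHAR.fullmatch(c)})
        return False, f"body is not valid base64 ({exc}); offending characters: {bad}"
    header = der_sequence_length(der)
    if header is None:
        return False, "decoded data does not start with a DER SEQUENCE"
    header_len, content_len = header
    if header_len + content_len != len(der):
        return False, (f"truncated or padded: header announces {content_len} bytes, "
                       f"{len(der) - header_len} follow")
    return True, f"well-formed {begin.group(2)}: {len(der)} DER bytes"


def _wrap(kind: str, body: str) -> str:
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"


# Constructed stand-in for a certificate: SEQUENCE { INTEGER 1, UTF8String "lab" }.
# Ten bytes exercise every check; a real certificate is merely longer.
_TOY_DER = bytes.fromhex("30 08 02 01 01 0c 03 6c 61 62")


def demo():
    """Run four constructed paste outcomes; returns {name: (ok, message)}."""
    body = base64.b64encode(_TOY_DER).decode()
    cases = {
        "clean": _wrap("CERTIFICATE", body),
        # a literal backslash-n in the body, the kind of debris a mangled copy leaves
        "stray_characters": _wrap("CERTIFICATE", body[:6] + "\\n" + body[6:]),
        # last base64 group lost: still decodes, but the SEQUENCE comes up short
        "truncated": _wrap("CERTIFICATE", body[:-4]),
        # BEGIN and END lines taken from different objects
        "marker_mismatch": _wrap("CERTIFICATE", body).replace(
            "END CERTIFICATE", "END CERTIFICATE REQUEST"),
    }
    return {name: check_pem(pem) for name, pem in cases.items()}


if __name__ == "__main__":
    for name, (ok, message) in demo().items():
        print(f"{name:18} {'OK ' if ok else 'BAD'} {message}")
```

Save the block you are about to paste to a file, call check_pem on its contents, and only then feed it to the ASA. The check is structural, not cryptographic: it cannot tell you the certificate is the one you asked for, only that nothing was lost or added on the way through the clipboard.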
Step 6 – Assign the certificate to the interface
SSL-ASA(config)# ssl trust-point ssl.geotrust.trustpoint outside
So that was fairly straightforward, but when I browsed to my ASA to run the ASDM from the INSIDE interface I got the usual plethora of certificate errors. Silly me, I needed to set the inside interface to use the new cert as well:
SSL-ASA(config)# ssl trust-point ssl.geotrust.trustpoint INSIDE
Now it all works fine. Of course I had to set up an appropriate DNS record to point at the ASA (OUTSIDE).
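Once a browser trusts the chain, two further checks decide whether it shows a certificate error page: the host name in the URL must match a name in the certificate, and the browser's clock must fall inside the certificate's validity window. The first is why the DNS record matters (reaching the box by IP address rather than by webvpn.gconnect.net fails the name check even with the new certificate installed), and the second is the client-side counterpart of Step 1. The script below is an added example, not code from the original post; it implements RFC 6125-style name matching, including the wildcard rules, and a validity check, and runs them against a constructed stand-in for the installed certificate. Only the host name webvpn.gconnect.net is taken from the post; the dates and the inside address are constructed for illustration.

```python
"""What a TLS client checks once it trusts the chain: the URL host against
the certificate's names, and its own clock against the validity window.
Added example, not from the original post; standard library only.
"""
from datetime import datetime, timezone
import ipaddress


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(host: str, pattern: str) -> bool:
    """Compare a URL host against one certificate name, RFC 6125 style.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire leftmost label and matches exactly one label.
    Like browsers, this refuses a wildcard followed by fewer than two labels,
    so "*.net" matches nothing. A dNSName never matches an IP literal; an IP
    literal matches only an identical iPAddress entry.
    """
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if _is_ip_literal(host) or "*" not in pattern:
        return host == pattern
    first, _, suffix = pattern.partition(".")
    if first != "*" or "*" in suffix or suffix.count(".") < 1:
        return False
    host_first, _, host_suffix = host.partition(".")
    return bool(host_first) and host_suffix == suffix


def client_checks(url_host: str, cert: dict, client_now: datetime) -> list:
    """Return the problems a client would report for cert, or [] if none.

    cert carries 'subject_cn', 'san' (names from the SAN extension) and aware
    datetimes 'not_before' / 'not_after'. When a SAN extension is present,
    clients match against it exclusively and ignore the subject CN.
    """
    problems = []
    names = cert["san"] or [cert["subject_cn"]]
    if not any(name_matches(url_host, n) for n in names):
        problems.append(f"name mismatch: {url_host} is not covered by {names}")
    if client_now < cert["not_before"]:
        problems.append("certificate not yet valid: check the clock on both ends")
    elif client_now > cert["not_after"]:
        problems.append("certificate expired")
    return problems


# Constructed stand-in for the certificate installed in Step 5. The dates are
# illustrative and were not taken from the post's certificate.
LAB_CERT = {
    "subject_cn": "webvpn.gconnect.net",
    "san": ["webvpn.gconnect.net"],
    "not_before": datetime(2012, 4, 23, 9, 0, tzinfo=timezone.utc),
    "not_after": datetime(2013, 4, 23, 9, 0, tzinfo=timezone.utc),
}


def demo():
    """Three ways of reaching the same ASA; returns {scenario: problems}."""
    in_window = datetime(2012, 6, 1, tzinfo=timezone.utc)
    return {
        # the name users are meant to type, resolved through the DNS record
        "by_name": client_checks("webvpn.gconnect.net", LAB_CERT, in_window),
        # ASDM opened against the inside interface by IP (constructed address)
        "by_inside_ip": client_checks("192.168.1.1", LAB_CERT, in_window),
        # a client whose clock is a year behind
        "clock_behind": client_checks("webvpn.gconnect.net", LAB_CERT,
                                      datetime(2011, 6, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

The same two checks apply on the ASA side when it validates a peer's certificate for VPN authentication, which is why the enrollment warning about the fqdn differing from the system fqdn is worth reading rather than clicking through.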
Backup and Restore
The last step is to make a backup of the ASA’s SSL trustpoint and associated gubbins:
SSL-ASA(config)# crypto ca export ssl.geotrust.trustpoint pkcs12 <password>
To add this back in afterwards, just use the following command:
SSL-ASA(config)# crypto ca import ssl.geotrust.trustpoint pkcs12 <password>
Well, I’ll test that by hosing the config later on, when my other tests have finished – just in case!!!!