It’s never good practice to have your users get used to seeing “Certificate Invalid” errors on secure sites. I know a lot of IT departments that train their users to just click past the errors. What happens when you enable a Man in the Middle attack? Cain and Abel anyone?
So after we had our load balanced ASA5510’s setup, we purchased some licenses for SSLVPN Users. Unfortunately that means the site must be secured AND have a certificate. The self-signed cert is only good for testing. Production requires an authenticated certificate from a globally trusted CA. For our internal-facing sites we utilize GoDaddy (cheap certs).
Create the CSR:
ASDM for Cisco login
Configuration, then Certificate Management, followed by Identity Certificates
Click Add
Click the radio button Add a new identity certificate
Click New… for a new key pair – I generally name it godaddy12 (vendor+year) and make it 2048 bit
In the Certificate Subject DN, Add the CN (vpn.domain.tld MUST BE FQDN), the OU, the O, the C, the St, and the L as appropriate
Click on the advanced button and make sure the FQDN is the same as the CN you entered before (vpn.domain.tld)
Now click on Add Certificate
Browse to where you want to save your CSR – I save it as ASA5510_12.csr.txt
Godaddy Cert
Purchase the cert and download the certificate using the “other” category. That way you get the CA cert (and intermediary) along with your identity certificate.
Log into your ADSM
Select Configuration
Select Device Management
Expand Certificate Management
Select CA Certificates
Click Add, select the gd_bundle.crt
Then select Identity Certificates
Click on your CSR Request and click the Install button
Select your SITENAME.crt
Now we need to apply these certificates to the SSL Site!
Under Configuration, Device Management still
Expand Advanced
Select SSL Settings
Click on the interface where your SSLVPN terminates (in my case it was outside)
Edit this interface
Select the Primary Enrolled Certificate and Load Balancing Enrolled Certificate (if applicable)
Apply the settings
Test your https://vpnsite
If everything tests OK, save the configuration
I really wish that there would be a whole lot of different blogs such as this — informative as well as simple at the same time.
I was thinking about using godaddy, so i’m glad to hear that you have used their certs and that they work !
One question though, do you need to set up a dns lookup name for the 5510 for the certificate to work, or can people just connect to the ip address ?
You can definitely connect via IP address. It’s just easier to remember a DNS entry than an IP. And you cannot get an SSL certificate for an IP address.
I just wanted to say thank you so much for putting this together. It’s very informative, its easy to read and follow.