{"id":611,"date":"2010-11-01T15:20:51","date_gmt":"2010-11-01T20:20:51","guid":{"rendered":"http:\/\/it.thelibrarie.com\/weblog\/?p=611"},"modified":"2012-10-15T15:04:26","modified_gmt":"2012-10-15T20:04:26","slug":"install-ssl-certificate-on-cisco-asa-5510-ssl-vpn","status":"publish","type":"post","link":"https:\/\/it.thelibrarie.com\/weblog\/2010\/11\/install-ssl-certificate-on-cisco-asa-5510-ssl-vpn\/","title":{"rendered":"Install SSL Certificate on Cisco ASA 5510 SSL VPN"},"content":{"rendered":"<p>It&#8217;s never good practice to have your users get used to seeing &#8220;Certificate Invalid&#8221; errors on secure sites.  I know a lot of IT departments that train their users to just click past the errors.  What happens when that habit lets a man-in-the-middle attack succeed?  Cain and Abel anyone?<\/p>\n<p>So after we had our load-balanced ASA5510s set up, we purchased some licenses for SSLVPN users.  Unfortunately that means the site must be secured AND have a certificate.  The self-signed cert is only good for testing.  Production requires an authenticated certificate from a globally trusted CA.  
For our internal-facing sites we utilize GoDaddy (cheap certs).<\/p>\n<p>Create the CSR:<br \/>\nLog into ASDM for the Cisco ASA<br \/>\nConfiguration, then Certificate Management, followed by Identity Certificates<br \/>\nClick Add<br \/>\nClick the radio button Add a new identity certificate<br \/>\nClick New&#8230; for a new key pair &#8211; I generally name it godaddy12 (vendor+year) and make it 2048 bit<br \/>\nIn the Certificate Subject DN, add the CN (vpn.domain.tld MUST BE the FQDN), the OU, the O, the C, the St, and the L as appropriate<br \/>\nClick on the Advanced button and make sure the FQDN is the same as the CN you entered before (vpn.domain.tld)<br \/>\nNow click on Add Certificate<br \/>\nBrowse to where you want to save your CSR &#8211; I save it as ASA5510_12.csr.txt<\/p>\n<p>GoDaddy Cert<br \/>\nPurchase the cert and download the certificate using the &#8220;other&#8221; category.  That way you get the CA cert (and intermediate) along with your identity certificate.<br \/>\nLog into your ASDM<br \/>\nSelect Configuration<br \/>\nSelect Device Management<br \/>\nExpand Certificate Management<br \/>\nSelect CA Certificates<br \/>\nClick Add, select the gd_bundle.crt<br \/>\nThen select Identity Certificates<br \/>\nClick on your CSR request and click the Install button<br \/>\nSelect your SITENAME.crt<\/p>\n<p>Now we need to apply these certificates to the SSL site!<br \/>\nUnder Configuration, Device Management still<br \/>\nExpand Advanced<br \/>\nSelect SSL Settings<br \/>\nClick on the interface where your SSLVPN terminates (in my case it was outside)<br \/>\nEdit this interface<br \/>\nSelect the Primary Enrolled Certificate and Load Balancing Enrolled Certificate (if applicable)<br \/>\nApply the settings<\/p>\n<p>Test your https:\/\/vpnsite<br \/>\nIf everything tests OK, save the configuration<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s never good practice to have your users get used to seeing &#8220;Certificate Invalid&#8221; errors 
on secure sites. I know a lot of IT departments that train their users to just click past the errors. What happens when you enable a Man in the Middle attack? Cain and Abel anyone? So after we had our &hellip; <a href=\"https:\/\/it.thelibrarie.com\/weblog\/2010\/11\/install-ssl-certificate-on-cisco-asa-5510-ssl-vpn\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Install SSL Certificate on Cisco ASA 5510 SSL VPN<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-611","post","type-post","status-publish","format-standard","hentry","category-networking"],"_links":{"self":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/comments?post=611"}],"version-history":[{"count":4,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/611\/revisions"}],"predecessor-version":[{"id":1029,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/611\/revisions\/1029"}],"wp:attachment":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/media?parent=611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/categories?post=611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/tags?post=611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","temp
lated":true}]}}