ASA - Local CA (Certificate Authority) Server

 

GENERAL CONFIGURATION

  • configure SMTP server (the local CA uses it to e-mail enrollment details and OTPs to users)
(config)# smtp-server ip_of_smtp_server
  • generate RSA key pair

(config)#crypto key generate rsa

 

  • generate RSA key pair and assign a label to it (recommended)

(config)# crypto key generate rsa label ASA-CA

Without a modulus argument the ASA generates a 1024-bit key (visible in the "show" output below). For anything beyond a lab, append "modulus 2048".

 

INFO: The name for the keys will be: ASA-CA
Keypair generation process begin. Please wait...

(config)# webvpn

Enable WebVPN on the interface users will connect to. The enrollment web page is served by the WebVPN subsystem, so it is only reachable on an interface where WebVPN is enabled. I suggest doing this when you are ready to enroll users and the VPN configuration is finished.

(config-webvpn)# enable outside

 

  • check your key pair

(config)# show crypto key mypubkey rsa

Key pair was generated at: 18:24:26 UTC Jan 26 2013

Key name: ASA-CA
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a4856a
..............................................................................
73d87a1e 0509bc1b e9d59ba5 412498e7 4ff99e39 07e8a39f ec3f8d7f d9020301 0001

I have more key pairs, so only ASA-CA is shown here.

 

LOCAL CA CONFIGURATION

  • enable local CA server

The local CA server cannot be configured on an ASA that is part of a failover pair.

(config)# crypto ca server

  • tune the CA server now: once you type "no shutdown" the CA certificate and key pair are generated and most of these settings are locked

(config-ca-server)# issuer-name C="PL", CN=DANPOL-ASA-CA, EA=user@domain, L=KATOWICE, OU=IT, ST=SILESIA, SN="Adrian Danek"

all in one line

issuer-name "dn" - allowed attributes are:

C = country, CN = common name, EA = e-mail address, L = locality, O = organization name, OU = organizational unit, ST = state/province, SN = surname

(config-ca-server)# smtp subject DANPOL-ASA-CA - enrollment

this text is used as the subject of every enrollment e-mail the ASA sends to users

(config-ca-server)# smtp from-address danpol-asa-ca@domain

this sets the sender address (FROM:) of every e-mail sent by DANPOL-ASA-CA

(config-ca-server)# subject-name-default C="PL", CN="Support Engineer", O=DANPOL

this DN is combined with the username to form the subject of every user certificate. If you do not set it, you have to supply the full dn each time you add a user to the database.

 

(config-ca-server)# cdp-url http://interface_IP/danpol-asa-ca.crl

URL of the CRL distribution point written into every issued certificate; in most cases it points at the outside interface. Default is http://hostname.domain/+CSCOCA+/asa_ca.crl. The ASA only serves the CRL at this URL on interfaces where publish-crl is configured, and every relying party that checks revocation must be able to reach it.

(config-ca-server)# lifetime ca-certificate 3650

lifetime of the (self-signed) CA certificate, in days; default is 3 years

 

(config-ca-server)# lifetime certificate 365

lifetime of user certificates, in days

(config-ca-server)# lifetime crl 100

lifetime of the CRL, in hours; default is 6 hours.

The CRL is reissued every time a certificate is revoked or unrevoked; if no revocation changes occur during its lifetime, it is reissued automatically once per CRL lifetime. Relying parties that enforce CRL checking reject every certificate once the CRL they hold has passed its Next Update, so a long lifetime only helps if the CDP stays reachable and the reissued CRL actually gets published.

(config-ca-server)# keysize server 2048

modulus of the CA certificate key pair; possible values are 512, 768, 1024 and 2048. Larger keys cost more CPU per handshake, so take the expected VPN load into account, but 512 and 768 (and by now 1024) are too weak for a CA key: use 2048.

(config-ca-server)# keysize 2048

modulus of the key pairs generated for user certificates; the same options and the same advice apply.



(config-ca-server)# otp expiration 120

validity of the OTP (one-time password), in hours; default is 72 hours. The same OTP is used to log in to the enrollment page and as the password of the PKCS12 file (certificate and key pair), so treat it as a secret and, where possible, deliver it separately from the enrollment URL.

(config-ca-server)# enrollment-retrieval 240

period, in hours, during which an enrolled user can retrieve the PKCS12 file. It is independent of the OTP expiration and starts when the user successfully enrolls. Default is 24 hours.

 

(config-ca-server)# renewal-reminder 30

number of days before certificate expiry at which the user is reminded to renew (re-enroll)

(config-ca-server)# publish-crl outside

serve the CRL over HTTP on the outside interface (the interface the cdp-url points at); the initial CRL is published when the server comes up

(config-ca-server)# no shutdown

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: <passphrase for the CA private key>

Re-enter passphrase: <same passphrase again>

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
INFO:
Certificate Server enabled.

Keep the passphrase safe: it encrypts the archived CA key pair in flash, and without it the archive cannot be restored.

  • check your CA server

(config)# show crypto ca server

 

Certificate Server LOCAL-CA-SERVER:
Status: enabled
State: enabled
Server's configuration is locked (enter "shutdown" to unlock it)
Issuer name: C="PL", CN=DANPOL-ASA-CA, EA=user@domain, L=KATOWICE, OU=IT, ST=SILESIA, SN="Adrian Danek"
CA certificate fingerprint/thumbprint: (MD5)
19c10325 8420c21f e25157a7 b8e41d09
CA certificate fingerprint/thumbprint: (SHA1)
43d4c577 fabd2f1a 7484b2b1 5cd0b2bd 192bddb9
Last certificate issued serial number: 0x1
CA certificate expiration timer: 20:53:19 UTC Jan 24 2023
CRL NextUpdate timer: 00:53:19 UTC Jan 31 2013
Current primary storage dir: flash:/LOCAL-CA-SERVER/

Auto-Rollover configured, overlap period 30 days
Autorollover timer: 20:53:18 UTC Dec 25 2022

WARNING: Configuration has been modified and needs to be saved!!

  •  save config

#wr


 ADDING USERS TO DATABASE

  • add a new user to the database

crypto ca server user-db add username [dn dn] [email emailaddress]

(config)# crypto ca server user-db add adrianda email userk@domain

I do not set dn because I use the general DN (subject-name-default option).

  • allow user adrianda to enroll

(config)# crypto ca server user-db allow user adrianda


 USER ENROLLMENT

  - ASA side

  • notify the user to enroll by e-mail (if an e-mail address is stored for the user); the mail carries the OTP and the enrollment URL

(config)# crypto ca server user-db email-otp user adrianda

  • when no e-mail address was given while adding the user, display the OTP and hand it over yourself

(config)# crypto ca server user-db show-otp user adrianda

Username: adrianda
OTP: 3ED032EB8E24BC4D
Enrollment Allowed Until: 21:59:49 UTC Thu Jan 31 2013

read the OTP for user adrianda here and deliver it to the user together with the enrollment URL through whatever out-of-band channel you have.

  - user side

  • with the first method the user receives an e-mail with the details. The FQDN in the URL must have a valid DNS record.
[asa-localca-1.png]
  • log in to the enrollment page with the user name and the OTP
[asa-localca-2.png]
download the username.p12 file and import it into the SSL or IPsec VPN client (the OTP is the password that unlocks the PKCS12 file, which contains the certificate and its private key; the key pair is generated on the ASA, so the OTP is the only thing protecting it on the way to the user).

[asa-localca-4.png]

  • with the second method you have to give the user all the information yourself, including the URL of the enrollment page (by default https://<ASA FQDN>/+CSCOCA+/enroll.html), to allow enrollment.

CRL LIST
  • the CRL can be fetched from the URL configured as cdp-url during CA server setup; in my case http://ip_address/danpol-asa-ca.crl
[asa-localca-3.png]
you can use this URL in any application that consumes CRLs (the picture shows it opened in a browser).

  • check the CRL status

#sh crypto ca server crl


Certificate Revocation List:
Issuer: c=PL,cn=DANPOL-ASA-CA,ea=user@domain,l=KATOWICE,ou=IT,o=DANPOL,st=SILESIA,sn=Adrian Danek
This Update: 09:43:20 UTC Jan 27 2013
Next Update: 13:43:20 UTC Jan 31 2013
Number of CRL entries: 0
CRL size: 491 bytes

Zero entries means no certificate has been revoked.

 

  • issue the CRL manually (if needed)

(config)# crypto ca server crl issue


INFO: A new CRL has been issued.


REVOKE CERTIFICATES

  • check the serial number of the user certificate you want to revoke

# show crypto ca server cert-db username adrianda


Username: adrianda
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 09:39:50 UTC Wed Feb 6 2013
Certificates Issued:
serial: 0x2
issued: 09:39:50 UTC Sun Jan 27 2013
expired: 09:39:50 UTC Mon Jan 27 2014
status: Not Revoked

in our case we want to revoke the certificate with serial 0x2

  • revoke certificate

#crypto ca server revoke 0x2

INFO: Successfully revoked certificate with serial 0x2

All serial numbers are in hex format!
  • check adrianda certificate status

# sh crypto ca server cert-db username adrianda
Username: adrianda
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 09:39:50 UTC Wed Feb 6 2013
Certificates Issued:
serial: 0x2
issued: 09:39:50 UTC Sun Jan 27 2013
expired: 09:39:50 UTC Mon Jan 27 2014
status: Revoked at 10:17:28 UTC Sun Jan 27 2013

  • check CRL if list has been updated

# sh crypto ca server crl


Certificate Revocation List:
Issuer: c=PL,cn=DANPOL-ASA-CA,ea=user@domain,l=KATOWICE,ou=IT,o=DANPOL,st=SILESIA,sn=Adrian Danek
This Update: 10:17:29 UTC Jan 27 2013
Next Update: 14:17:29 UTC Jan 31 2013
Number of CRL entries: 1
CRL size: 513 bytes
Revoked Certificates:
Serial Number: 0x02
Revocation Date: 10:17:28 UTC Jan 27 2013

The CRL has been reissued and now lists certificate 0x2 as revoked.
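The enrollment and revocation steps above, seen from the relying party's side. This is an added example, not code from the original post or from Cisco: it builds a throw-away CA with OpenSSL on a workstation that plays the role of DANPOL-ASA-CA, so the same checks the ASA performs (unlocking username.p12 with the OTP, reading the CRL, rejecting serial 0x2 once it is revoked) can be run offline. The CA name, user adrianda, serial 0x2 and the OTP 3ED032EB8E24BC4D are taken from the post; the file names, the temporary directory and the minimal openssl-ca config are constructed for the demo. It assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example: OpenSSL stand-in for the ASA local CA (not from the original post).
set -eu

WORK=$(mktemp -d)
OTP=3ED032EB8E24BC4D          # the one-time password shown by "show-otp" in the post
USER_NAME=adrianda

# 1. Throw-away CA standing in for DANPOL-ASA-CA (2048-bit, like "keysize server 2048").
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/C=PL/CN=DANPOL-ASA-CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Minimal "openssl ca" config: only what -gencrl and -revoke need. default_crl_days
# plays the role of "lifetime crl" (4 days is roughly the post's 100 hours).
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 4
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"

# 2. User certificate with serial 0x2 (subject-name-default plus the user's CN),
#    bundled with its private key into username.p12 protected by the OTP, as the ASA does.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=PL/O=DANPOL/CN=$USER_NAME" \
  -keyout "$WORK/$USER_NAME.key" -out "$WORK/$USER_NAME.csr" 2>/dev/null
openssl x509 -req -in "$WORK/$USER_NAME.csr" -days 365 -set_serial 2 \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/$USER_NAME.crt" 2>/dev/null
openssl pkcs12 -export -in "$WORK/$USER_NAME.crt" -inkey "$WORK/$USER_NAME.key" \
  -out "$WORK/$USER_NAME.p12" -passout "pass:$OTP"

gen_crl() {          # equivalent of "crypto ca server crl issue"
  openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
    -gencrl -out "$WORK/ca.crl" 2>/dev/null
}
revoke_serial2() {   # equivalent of "crypto ca server revoke 0x2" (which also reissues the CRL)
  openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
    -revoke "$WORK/$USER_NAME.crt" 2>/dev/null
  gen_crl
}

# Try to open the PKCS#12 with a candidate OTP; prints "unlocked" or "denied".
p12_unlock_status() {
  if openssl pkcs12 -in "$WORK/$USER_NAME.p12" -passin "pass:$1" -nokeys \
       >/dev/null 2>&1; then echo unlocked; else echo denied; fi
}
# Serial of the certificate inside the bundle (hex, the same numbering the ASA shows).
p12_serial() {
  openssl pkcs12 -in "$WORK/$USER_NAME.p12" -passin "pass:$OTP" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -serial
}
# Number of revoked serials in the CRL, like "Number of CRL entries" on the ASA.
crl_entries() {
  openssl crl -in "$WORK/ca.crl" -noout -text | grep -c 'Serial Number:' || true
}
# Chain plus CRL check a relying party performs; prints "good" or "revoked".
cert_status() {
  if openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
       "$WORK/$USER_NAME.crt" >/dev/null 2>&1; then echo good; else echo revoked; fi
}

gen_crl
echo "unlock with wrong OTP: $(p12_unlock_status WRONG-OTP)"          # denied
echo "unlock with real OTP:  $(p12_unlock_status "$OTP")"             # unlocked
echo "cert in bundle:        $(p12_serial)"                           # serial=02
echo "before revoke: entries=$(crl_entries) status=$(cert_status)"    # entries=0 status=good
revoke_serial2
echo "after revoke:  entries=$(crl_entries) status=$(cert_status)"    # entries=1 status=revoked
```

Against a real ASA, point the same functions at the username.p12 downloaded from the enrollment page and at the CRL fetched from http://ip_address/danpol-asa-ca.crl (add -inform DER to the openssl crl and openssl verify calls if the download is binary rather than PEM). The wrong-OTP case is the point of the otp expiration setting: whoever holds the bundle but not the OTP gets nothing, and the CRL step is what a VPN headend or any other relying party must be able to reach for the revocation in the post to have any effect.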

 

UNREVOKING/RESTORING CERTIFICATES

  • unrevoke certificate

# crypto ca server unrevoke 0x2

INFO: Successfully unrevoked certificate with serial 0x2

  • check adrianda certificate status

 # sh crypto ca server cert-db username adrianda

Username: adrianda
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 09:39:50 UTC Wed Feb 6 2013
Certificates Issued:
serial: 0x2
issued: 09:39:50 UTC Sun Jan 27 2013
expired: 09:39:50 UTC Mon Jan 27 2014
status: Not Revoked

  • check the CRL (just to be sure)

# sh crypto ca server crl


Certificate Revocation List:
Issuer: c=PL,cn=DANPOL-ASA-CA,ea=user@domain,l=KATOWICE,ou=IT,o=DANPOL,st=SILESIA,sn=Adrian Danek
This Update: 10:25:21 UTC Jan 27 2013
Next Update: 14:25:21 UTC Jan 31 2013
Number of CRL entries: 0
CRL size: 491 bytes

The CRL is back to zero entries, so certificate 0x2 has been successfully unrevoked. Relying parties that cached the previous CRL will keep treating 0x2 as revoked until that CRL's Next Update passes or they fetch the new one.


CERTIFICATE RENEWAL

The ASA lets a user renew a certificate on condition that the current certificate is still valid and its expiry date falls within the renewal-reminder period.

By default this happens automatically, so if you do not want a user to be able to renew, remove the user from the database.


 DELETING CA SERVER

  • remove the local CA server (this deletes the CA certificate and key pair, so the ASA can no longer validate the certificates this CA issued)
(config)# no crypto ca server
(config)# clear configure crypto ca server

(config)# delete flash:LOCAL-CA-SERVER

 

USEFUL COMMANDS

#show crypto ca server

show ca server configuration and status

#show crypto ca server cert-db

show all issued certificates

#show crypto ca server user-db

show users and their status. Possible filters:

allowed, enrolled, expired, on-hold

 

 dzbanek 2013-01-26

 
