Renewing Cisco ASA identity certificate

Let’s say that we use certificates for authenticating our VPN connections. It does not matter whether they are traditional Cisco IPsec or the newer AnyConnect clients. If we did not set up our PKI infrastructure and the ASA for auto-enrollment, what will eventually happen is that we start receiving calls from users who are no longer able to authenticate. One possible cause is that the ASA's identity certificate has expired, like this:

ASA1/pri/act#
ASA1/pri/act# show crypto ca certificate popravak-FS1-1
Certificate
Status: Available
Certificate Serial Number: 6d2e8b63000000000103
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=popravak-FS1-1-CA
dc=popravak
dc=com
Subject Name:
cn=ASA1.popravak.com
ou=IT
o=Popravak Co
l=Bijeljina
st=RS
c=BA
CRL Distribution Points:
[1]  http://fs1-1.popravak.com/CertEnroll/popravak-FS1-1-CA.crl
[2]  file://FS1-1.popravak.com/CertEnroll/popravak-FS1-1-CA.crl
Validity Date:
start date: 09:42:03 CET Aug 3 2012
end   date: 09:52:03 CET Aug 3 2013
Associated Trustpoints: popravak-FS1-1

ASA1/pri/act#

We can see from the above output that the identity certificate expired on August 3rd. Just for reference, today is August 5th.

Renewing this certificate is an easy task:

ASABN1/pri/act(config)#
ASABN1/pri/act(config)# crypto ca enroll popravak-FS1-1
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=ASA1.popravak.com, OU=IT, O=Popravak Co, C=BA, ST=RS, L=Bijeljina

% The fully-qualified domain name in the certificate will be: ASA1.popravak.com

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Redisplay enrollment request? [yes/no]: no
ASA1/pri/act(config)#

So we issued the “crypto ca enroll popravak-FS1-1” command. We don’t need to authenticate this trustpoint again, because we did that when we first created it; we only need to enroll again. The certificate request is then displayed. We copy all of the text from the line that begins with “-----BEGIN CERTIFICATE REQUEST-----” through the line “-----END CERTIFICATE REQUEST-----”, including those two lines.

Then we need to send this request to our CA, and once the certificate is reissued, we need to import it into the ASA:

ASA1/pri/act(config)#
ASA1/pri/act(config)# crypto ca import popravak-FS1-1 certificate

% The fully-qualified domain name in the certificate will be: ASA1.popravak.com

Enter the base 64 encoded certificate.
End with the word “quit” on a line by itself

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
ASA1/pri/act(config)#

So we issued the “crypto ca import popravak-FS1-1 certificate” command. Then we opened the issued certificate in a text editor, copied all of its contents and pasted it into the console. It is important to type “quit” on a separate line and hit the <ENTER> key. Let’s now check the certificate:

ASA1/pri/act#
ASA1/pri/act# show crypto ca certificate popravak-FS1-1
Certificate
Status: Available
Certificate Serial Number: 7cbf5ca300000000016d
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=popravak-FS1-1-CA
dc=popravak
dc=com
Subject Name:
cn=ASA1.popravak.com
ou=IT
o=Popravak Co
l=Bijeljina
st=RS
c=BA
CRL Distribution Points:
[1]  http://fs1-1.popravak.com/CertEnroll/popravak-FS1-1-CA.crl
[2]  file://FS1-1.popravak.com/CertEnroll/popravak-FS1-1-CA.crl
Validity Date:
start date: 08:34:55 CET Aug 5 2013
end   date: 15:27:59 CET Dec 9 2013
Associated Trustpoints: popravak-FS1-1

We can now see that the certificate is valid until December 9th. Wait a sec, this is less than six months? Good observation 🙂 This is because by that time the CA certificate will also expire and will need to be renewed.
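The calls from users stop once the certificate is renewed, but a practitioner would rather catch the expiry before it happens. The following Python script is an added example, not part of the original post: it parses the “show crypto ca certificate” output shown above, reports how many days remain on the identity certificate, and flags the two weak parameters visible in that output (a 1024-bit RSA key and a SHA1 signature). The 2048-bit and SHA-256 thresholds are policy assumptions, and the sample output is constructed from the post's renewed certificate.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the post's "show crypto ca certificate"
# output (only the lines the check reads); values taken from the renewed cert.
RENEWED = """\
Certificate
Status: Available
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Subject Name:
cn=ASA1.popravak.com
Validity Date:
start date: 08:34:55 CET Aug 5 2013
end   date: 15:27:59 CET Dec 9 2013
Associated Trustpoints: popravak-FS1-1
"""
# Same block with the expired certificate's end date from the post.
EXPIRED = RENEWED.replace("15:27:59 CET Dec 9 2013", "09:52:03 CET Aug 3 2013")

MIN_RSA_BITS = 2048            # policy assumption, not from the post
WEAK_SIG = ("SHA1", "MD5")     # signature algorithms to flag

def parse_asa_date(text):
    """'09:52:03 CET Aug 3 2013' -> datetime. The zone label is dropped because
    strptime has no mapping for 'CET'; assumption: 'now' is in the same zone."""
    m = re.match(r"(\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})", text.strip())
    if not m:
        raise ValueError("unrecognised ASA date: %r" % text)
    return datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")

def check_identity_cert(output, now, warn_days=30):
    """Inspect one trustpoint's certificate block and return a small report.
    'now' may be a datetime or a string in the ASA's own date format."""
    if isinstance(now, str):
        now = parse_asa_date(now)
    end = re.search(r"end\s+date:\s*(.+)", output)
    if not end:
        raise ValueError("no 'end date' line; is this a certificate block?")
    end_dt = parse_asa_date(end.group(1))
    days_left = (end_dt.date() - now.date()).days
    findings = []
    if end_dt <= now:
        findings.append("EXPIRED on %s; VPN users will fail to authenticate" % end_dt.date())
    elif days_left <= warn_days:
        findings.append("expires in %d day(s); re-enroll the trustpoint now" % days_left)
    bits = re.search(r"Public Key Type: RSA \((\d+) bits\)", output)
    if bits and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append("RSA key is only %s bits; re-key before re-enrolling" % bits.group(1))
    sig = re.search(r"Signature Algorithm: (\S+)", output)
    if sig and sig.group(1).upper() in WEAK_SIG:
        findings.append("CA signs with %s; request SHA-256 signatures" % sig.group(1))
    return {"days_left": days_left, "expired": end_dt <= now, "findings": findings}

if __name__ == "__main__":
    today = "09:00:00 CET Aug 5 2013"   # "today is August the 5th" in the post
    for name, block in (("expired", EXPIRED), ("renewed", RENEWED)):
        print(name, check_identity_cert(block, today, warn_days=180))
```

With warn_days set to 180 the renewed certificate is also flagged, which is the post's “less than six months” observation turned into a check that can run from a scheduled job against the output of the show command.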

More about requesting and issuing certificates can be found in this previous blog post.


Thanks for reading.


3 Responses to Renewing Cisco ASA identity certificate

  1. Raju says:

    Good one. Thank you

  2. Joe says:

    Hi,

    Thanks for this, it’s really helpful.

    Quick question – So, once the ASA is updated with the new certificate from the CA, will that same certificate need to be rolled out to the users wishing to connect via AnyConnect?
    Assuming that AnyConnect is currently working fine for them – however they have received notification that their certificate is due to expire soon.

    Joe

    We have a way of rolling out certificates to users, so I guess my question is, once we’ve updated the ASA as shown above, will sending those same certificates to the users' laptops enable them to connect from then on?

    • Sasa says:

      In this tutorial we renewed only the ASA certificate, and this setup is for a scenario in which the ASA is authenticated by the clients using the certificate. If this is your scenario, then clients will be able to connect back to the ASA once the certificate is reissued. The same principle applies to the other side: if your clients are renewed with new certificates and the ASA authenticates them using those certificates, then all should work. This is not covered in this tutorial though.
