Installing a Wildcard Cert on ASA 5500

Similar Messages

• Wildcard SSL Cert on ASA 5500

  What do I need to do on the ASA 5520 to be able to use a wildcard SSL cert?  I'm running 8.2.5 code.

  Make sure you get the cert in pkcs12 format and no fqdn. Other than that, just follow the config guide.
  Sent from Cisco Technical Support Android App

• Installing wildcard cert on ISE for HTTP/EAP

  I need to install a wildcard cert on ISE, but have no experience with wildcards.  I have the *.domain certificate, but i am not sure of the process, and the Cisco docs add to the confusion.  Am i supposed to generate a new CSR to give to the CA, do i simply install the *.domain cert?  I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, i don't know...
  Any assistance would be greatly appreciated

  If you are already in the possession of the wildcard cert and the private key, then you don't need CSR. You can simply import the certificate in ISE:
  1. Go to Administration > Certificates > Local Certificates >  Add > Import Server Certificate
  2. Use the "browse" buttons to point to the certificate file and private key
  3. Check "Allow Wildcard Certificates"
  4. Select the protocol that you want to use it for (EAP or HTTPS or both)
  5. Hit submit
  6. Go to Certificates Store
  7. Import the root CA certificate and Intermediate CA certificate(s) (If any)
  Thank you for rating helpful posts!

• Wildcard SSL cert on ASA

  Is it possible to use a wildcard SSL cert on an ASA? That is, instead of getting a specific cert with the FQDN of the ASA, we would use the wildcard cert issued?

  Absolutely, it's especially needed in ASA vpn load balancing environments. When you connect to a FQDN that translates to a load balancing IP, one of the ASAs will do an http redirect to its individual hostname, your browser (or AnyConnect) will attempt that connection and ASA needs to have a certificate for that specific hostname. Having a wildcard cert on all ASAs resolves this. I've got this running on several customers.
  If you need help with configuration, let me know.
  You can either generate private keys on the ASA (and later export it to another ASA or other non-cisco devices), or you could import an existing wildcard certificate with the private keys (in PKCS12-BASE64 format)
  Regards,
  Roman

• ISE 1.2 and WildCard Cert

  hello,
  i"ve found a great post from Aaron Woland about how to make/install/use Wildcard certificate.
  http://www.networkworld.com/community/blog/what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise
  but there is something that was not answered by his post.
  Can i use WildCard cert to register node to an ISE deployement? Aka adding a Monitor only node to a admin only node
  create CSR, receiving Cert from CA, adding CA root, binding cert to CA root then exporting key, then importin on Mon node then try to register mon node? my first test didnt go well.
  Any input would be appreciated

  Basant,
  I agree with what you are saying but it seems that your statement contradicts the write up on the Cisco user guide for 1.2, there are no limitations and one of the benefits stated by the doc is that you can use wildcard certs as a cost saving measure which will allow you to install the cert on all ISE nodes.
  I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.
  Also the true benefit of a wildcard cert is where the CN is *.domain.com, you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com, I do not think that is a cost effective wildcard cert since the CN has the fqdn of the ISE node.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html
  Tarik Admani
  *Please rate helpful posts*

• Can't install a wildcard SSL certificate

  Running ML Server. I have a GoDaddy issued wildcard SSL certificate to *.mydomain.com. The certificate is currently installed on a different (non-Mac OS) server. I am able to cut and paste the main certificate, private key and other chain certificates from that server's interface and paste into a text file using TextWrangler. On the OS X server I deleted all of the old certificates in KeyChain (this server had an old wildcard version of the certificate before), deleted the old wildcard cert in Server.app and deleted the corresponding files in /etc/certificates
  I then created a new self-signed certificate for *.mydomain.com in Server.app, then selected it, went to Manage Certificates and tried up update the self-signed certifcate with the signed certificate using the Server.app interface. The interface enables you to drag and drop certifcate and chain files to add.
  However, this is where it gets strange...
  The first time I drag the certificate file to the interface, I get the green + symbol, let go and nothing happens. If I do it again, the interface lights up green again, but this time it adds it to the Non-identify certificate list. I am able to replicate this every time!
  Why does the interface show me the first time that I can drag the file, but does nothing, and then the second time adds it as a non-identity certificate? Same behavior happens if I start with the chain certificate as well.
  I can confirm that the four certificate files show up in /etc/certificates, but they appear to be generated by the self-signed certificate creation.
  Any insights appreciated! TAA

  In fact i had the same issue last week and i could only solve it by exporting the key with the certificate in a PCKS12 file. Fortunately this is supported by the windows certificate manager where the certificate was originally installed.
  You could take your key and certificate files and merge them into a PKCS12 file using openssl (go to terminal, it is installed on an OSX box) and fire the following command (and change the filenames ;-)):
  openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt
  The openssl tool requests a passphrase for the created file that you will need to provide again when the key is imported into the keychain.
  Good luck with it

• SSL cert on ASA 5512 from Thwate or Digitcert

  I ran into the issue when I install SSL123 cert from Thwate . I did not have issue with SSL cert from DIgitcert- their process and steps are simple and using better encryoption - SHA256. Compare to Thwate - their support did not let me use SHA2 and I had to use SHA1 - according to some organisation SHA1 will be retired soon 
  Let me explain how to install SSL123 from Thwate into ASA 5510- you can follow their instruction - but generate CSR with 2048 - with 4096 did not work .Once you apply into their portal use SHA1 ( SHA2 did not work ) . Before you get email with their CA -  install Root and Secondary intermidiate certificate - located in their website . After you get email with the new cert - you can install under Idendity certificates where still says pending .Note - there are CSR checker tools - before you apply it into CA _ google CSR checker - make sure your CSR does not have any errors
  Note - When you install each certificate - trustpoint association could be in different order - example - ASDM_trustpoint0 , ASDM_trustpoint1 , ASDM_trustpoint2   etc . If you use the same ASDM_trustpoint0 for all certs- root , intermidiate and signed certificate - Did not work and you are getting ERROR - :Failed to parse or verify imported certificate
  here is the link you can follow - https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16141&actp=search&viewlocale=en_US&searchid=1429125296765
  Finally you can check your SSL cert - google SSL checker to see if your chain as good all the way and what need to be fixed 

  First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
  When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
  If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
  Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

• Wildcard Cert - only have .cer

  Hi all,
  I'm looking for information on how to install a wildcard certificate with only the .cer file.  I've found quite a few things here in the forums, but everyone seems to also have a pkcs12 file, which I do not.  Any specific help would be appreciated.
  This is an ASA 5510 on ver 8.4. 
  Thanks!

  Thanks for the suggestions.  I just got off the phone with Cisco support.  They're telling me there is no way for me to use my pre-existing star certificate because it wasn't generated from the ASA.  I would need to know the keypair and the trustpoint from whence it was generated and since I don't have that information it's not going to work.  They told me there is no workaround, but I have doubts. 
  Anyway, we're just going to purchase a new normal certification, because it's been too much of a headache dealing with what we already have.  Thanks for your help.
  Lauren

• How we archieve configuration for Cisco ASA 5500 series appliances

  Hi,
  We need to archieve configuration for Cisco ASA 5500 series appliances.
  We have Cisco works LMS 3.0.1.
  Device package installed is 4.2
  Any help would be appricated.
  Thanks in advance.
  Samir

  Hi ,
  Thanks for your answer.
  Right now we are using TACAS to login in to the ASA. That means we need single username and password to login via
  Cisoworks. Am I correct ?
  Waiting for your reply.
  thanks,
  Samir

• 7925g plus EAP-TLS plus wildcard cert

  Hi folks,
   Has anyone managed to put a wildcard cert on a 7925G (or 9971) to use for client authentication with EAP-TLS?  It seems like one is forced to use the MIC or a cert from a csr generated by the phone... but I'd really rather not keep track of a zillion certs.
  Thanks for any help.

  Hi,
  have you read the infos from the deployment guide (page 72 - install certificates) already
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

• VPN between ASA 5500 and Cisco 871

  Hello.
  I recently bought a Cisco 871 and an ASA 5500 device. I would like to configure a VPN connection (LAN-to-LAN), and I would like some help about the ports that need to be opened into both firewalls, ASA and 871.
  Thank you.

  Thank you. The routers where not syncronized.
  I have installed on my CA server also an NTP server and everything works now.
  I have one more question: how can I connect the CA server to separate zone on my ASA device? Let's say a DMZ zone?
  I have 2 public IPs and I want to use one (let's say PRIMARY_IP) for the VPN tunnels, and the other one (let's call it SECONDARY_IP) for the CA server...In other words I want the SECONDARY_IP to be ?assigned? to the CA server; if someone wants to make requests for NTP, or SCEP, or ...let's say TFTP to the SECONDARY_IP, those requests to be forwarded behind the ASA, to the CA.
  Can you help me?

• Installing a Wildcard Certificate in STRUST

  Hi,
  I am trying to install a wildcard SSL certificate using STRUST on our ABAP system.
  If I try to import it using the "Import Cert. Response" button, I get an error message saying the certificate cannot be installed. I presume this is because my private key does not match the public key of the certificate.
  How can I get a wildcard certificate working with my ABAP system? Do I need to somehow change the private key of my system?
  Thanks in advance

  Hi Stuart,
  Please check below thread it may help in your case.
  Problem importing a certificate using Strust
  https://scn.sap.com/thread/1587251
  BR
  Atul

• How to configure Cisco ASA 5500 to work with the iPhone

  We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
  http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
  We've setup our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
  After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
  Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
  I noticed that many people are having these problems.
  Please do not post to this topic if you have ANY OTHER Cisco device.
  Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
  Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
  It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
  Thank you!
  Oleg R

  We found the solution and a bug in Cisco firmware (seems to be a bug).
  First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
  access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
  access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set iphone esp-3des esp-sha-hmac
  crypto ipsec transform-set iphone mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
  crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
  crypto map outside_map 10 match address vpn
  crypto map outside_map 10 set transform-set ESP-AES-256-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 20
   authentication pre-share
   encryption aes-256
   hash sha
   group 5
   lifetime 86400
  crypto isakmp nat-traversal 20
  group-policy iphone internal
  group-policy iphone attributes
   wins-server value <insert ip> <insert ip>
   dns-server value <insert ip> <insert ip>
   vpn-tunnel-protocol IPSec
   ipsec-udp enable
   ipsec-udp-port 10000
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value iphone_splitTunnelAcl
   default-domain value <insert domain name>
  tunnel-group iphone type remote-access
  tunnel-group iphone general-attributes
   address-pool VPN-Pool
   authentication-server-group ActiveDirectory2
   default-group-policy iphone
  tunnel-group iphone ipsec-attributes
   pre-shared-key <insert pre-shared key>
  For iPhone you have to be using IPSec tab for configuration.
  We tried to set up this config using the wizards, but it would not work.
  Later it turned out that wizards by default set this setting:
  "crypto isakmp nat-traversal 20"
  equal to zero and there is no way to change it from the GUI.
  Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
  Please let me know how it works out for you.
  Message was edited by: Rogik
  Message was edited by: Rogik

• Cannot ping inside IP behind sonicwall from Cisco ASA 5500

  I have a sonicwall at site B and the cisco asa5500 at the main office. (site A)
  The site to site VPN is working, but I can not ping the inside ip (10.1.5.2) of the sonic wall from Site A. I need this only to access the computers behind the sonicwall for remote desktop and dameware.
  I have another office that also has a sonicwall (same config)  and I can ping that inside IP from Site A.
  I can not see why I can ping one site and not the other.
  What needs to be configured on the ASA 5500 to be able to ping inside the sonicwall at site B?
  I prefer the wizard over the CLI.
  Thanks,

  Hi
  AFAIK No you can not make vpn, transparent and routing in the same unit.
  I would not want the DMZ and the outside interface to have overlapping ip address ranges.
  logging and trying to keep track of it all would be way to confusing for me.
  so what I would do is to split the external network into two network units (/25) and move all the units that can be moved to a dmz with rfc1918 addresses.
  The units that can not be moved from the external network would have to stay put "for now" in another dmz with the 190 addresses /25
  This would need the isp to change their routing table in the edge equipment, the lower (or upper) part of 190.X.X.X/25 would be the dmz and needs to be routed to the firewall ip address.
  Then as time passes by the DMZ will be depopulated when equipment is moved out and replaced and in the end you will have the isp to merge the two 190.x.x.x/25 address ranges to one /24 and you will be back to todays setup but with all the servers in a rfc1918 network.
  Do not use NAT, use PAT instead when it comes to the ip addresses translated from the internet side. it makes for a much more secure network and you do not need as much ip addresses (in a normal case)
  With NAT you are translating the whole ip address but with PAT you translate the port so you can have ip X port 25 go to ip Y and port 25 and then you can have ip X port 80 go to ip Z port 80 or maybe 8080 or what ever port you want.
  good luck
  HTH

• Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

  I am setting up a topology whwere for the first time I am deplying ISE with a wildcard certificate.  This is on ISE 1.2 patch 6, WLC's running 7.6 and Windows 7 clients in AD.  The ISE policy is just to match on machine auth.
  The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
  When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball.  They were, the auth passed.
  I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities.  Retest and the client passes.
  If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authenticaiton fails, but nothing has changed.  ISE reports that my Windows client rejected the server certificate.  Which is odd as it just accepted it.
  If I untick the validate the client passes, if i tick it again it will authenticate fine, once.  The next connection it will fail again with the client rejecting ISE.
  Anyone got any ideas?

  I have had a similar issue consistently with 1.2 on both pathc 5 and 6 (not sure about earlier one). Basically what I am seeing is the client rejecting the Server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to client issue but not 100% sure some times.