Digital certificates provide digital identification for authenticating devices and individual users. A digital certificate includes information that identifies a device or user, such as the name, serial number, company, department, or IP address. A digital certificate also includes a copy of the public key for the user or device. For more information on digital certificates, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document.
Certificate Authorities (CAs) are trusted authorities that “sign” certificates to verify their authenticity, thereby guaranteeing the identity of the device or user. CAs also issue identity certificates.
- Identity Certificate — Identity certificates are certificates for specific systems or hosts. You can generate these yourself using the OpenSSL toolkit or get them from a Certificate Authority. You can also generate a self-signed certificate. CAs issue identity certificates, which are certificates for specific systems or hosts.
- Trusted CA Certificate — Trusted CA certificates are certificates that the system can use to sign other certificates. These certificates differ from internal identity certificates with respect to the basic constraints extension and the CA flag, which are enabled for CA certificates but disabled for identity certificates. A trusted CA certificate is self-signed and called a root certificate.
The Remote Access VPN uses digital certificates for authenticating secure gateways and AnyConnect clients (endpoints) to establish a secure VPN connection. For more information, see Remote Access VPN Certificate-Based Authentication.
Guidelines for Certificate Installation
Read the following guidelines for certificate installation on ASA:
- Certificate can be installed on a single or multiple ASA devices simultaneously.
- Only one certificate can be installed at a time.
- Certificate can be installed only on a live ASA device and not on a modal device.
- Certificate can't be installed on Secure Firewall Cloud Native devices.
ASA Certificate Installation
You must upload the digital certificates as trustpoint objects and install them on the ASA devices managed by CDO.
Prerequisite: Ensure that the ASA device has no out-of-band changes, and all staged changes have been deployed.
The following lists the digital certificates and formats supported by CDO:
- Identity Certificate can be installed using the following methods:
- PKCS12 file import. See Installing an Identity Certificate Using PKCS12.
- Self-Signed certificate. See Installing a Certificate Using Self-Signed Enrollment.
- Certificate Signing Request (CSR) import. See Managing a Certificate Signing Request (CSR).
- Trusted CA Certificate can be installed using PEM or DER format. See Installing Trusted CA Certificate in ASA.
The following screencast demonstrates the steps for installing certificates on ASA using CDO. It also shows steps for modifying, exporting, and deleting installed certificates.
Supported Certificate Formats
- PKCS12: PKCS#12, P12, or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12.
- PEM: PEM (originally “Privacy Enhanced Mail”) files contain ASCII (or Base64) encoding data and the certificate files can be in .pem, .crt, .cer, or .key formats. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.
- DER: DER (Distinguished Encoding Rules) format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. Unlike PEM, DER-encoded files do not contain plain text statements such as -----BEGIN CERTIFICATE-----.
After onboarding the ASA device into CDO, on the Devices & Services tab, select the ASA device and in the Management pane on the left, click Trustpoints.
In the Trustpoints tab, you'll see the certificates that are already installed on the device.
- The "Installed" status indicates that the corresponding certificate is installed successfully on the device.
- The "Unknown" status indicates that the corresponding certificate doesn't contain any information. You need to remove and upload it again with the correct details. CDO discovers all the unknown certificates as trusted CA certificates.
- Click the row that shows "Installed" to view certificate details on the right pane. Click more to see additional details of the selected certificate.
- An installed Identity Certificate can be exported in PKCS12 or PEM format and imported into other ASA devices. See Exporting an Identity Certificate.
- Only the advanced settings can be modified on an installed certificate.
- Click Edit to modify the advanced settings.
- After making the changes, click Send to install the updated certificate.