Cisco Defense Orchestrator

Verifying Device Certificate Prerequisites for Onboarding an ASA

You can use either ASA Command Line Interface (CLI) commands or Adaptive Security Device Manager (ASDM) to verify the device certificate prerequisites that are required for onboarding an ASA. 

This section describes the ASDM steps for verifying the device certificate. See the ASDM Configuration Guide for more information. 

How to verify the TLS version?

The device must use TLS version 1.0 or later. TLS 1.0 and 1.1 are deprecated (RFC 8996), so treat 1.0 as the floor for onboarding and run TLS 1.2 or later wherever the device supports it.

  1. Log on to the ASA device through the ASDM application.
  2. Click Configuration > Device Management > Advanced > SSL Settings.
    The Encryption area on the right lists the ciphers supported by the ASA device, grouped by TLS version. 
How to verify the signature algorithm?

The certificate must be signed with SHA-256. 

You can onboard an ASA using device credentials, and the IP address of the device's outside, inside, or management interface, depending on how the device is configured in your network. Make sure that the identity certificate assigned to the interface used for onboarding uses the SHA-256 algorithm. 

To verify the certificate assigned to the interface used for onboarding:

  1. Log on to the ASA device through the ASDM application.
  2. Click Configuration > Device Management > Advanced > SSL Settings.
  3. The Certificates area on the right lists each interface with the certificate assigned to it; note the certificate for the interface used for onboarding.

To verify the certificate algorithm:

  1. Click Configuration > Device Management > Certificate Management > Identity Certificates. 
  2. In the right pane, click the certificate assigned to the interface used for onboarding and then click Show Details.
    In the General tab, the Signature Algorithm field shows the algorithm used to sign the certificate. It must be SHA-256 for a successful onboard; SHA-1 certificates are rejected.
How to verify the certificate validity?  

The certificate presented by the device must not be expired, and its Valid From date must be in the past (that is, it is already valid, not scheduled to become valid at a later date). A wrong clock on the device is a common reason a freshly issued certificate appears not yet valid. 

  1. Click Configuration > Device Management > Certificate Management > Identity Certificates. 
  2. In the right pane, click the certificate assigned to the interface used for onboarding and then click Show Details.
    In the General tab, the Valid From and Valid To fields show the certificate's validity period.
How to verify the certificate's enrollment type? 

If the device uses a self-signed certificate, it must be the same certificate that an authorized user most recently trusted; a certificate regenerated since then does not match.

  1. Click Configuration > Device Management > Certificate Management > Identity Certificates. 
  2. In the right pane, click the certificate assigned to the interface used for onboarding and then click Show Details.
    In the General tab, the Type field shows the certificate's enrollment type. For a self-signed certificate the value is Self Enrolled.
How to verify the trusted CA's details?

If the device instead uses a certificate signed by a trusted Certificate Authority (CA), it must present a certificate chain linking the leaf certificate to that CA, so every intermediate CA certificate in the chain must be installed on the ASA as well.

  1. Click Configuration > Device Management > Certificate Management > CA Certificates. 
  2. In the right pane, click the CA certificate that issued the identity certificate assigned to the interface used for onboarding and then click Show Details. The Issuer shown on the identity certificate must match this CA's Subject.
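The same prerequisites can be checked from outside the device, against the interface used for onboarding, before you attempt the onboard. The Go program below is an added example written for this page; it is not Cisco code and not part of CDO or ASDM, and it uses only the Go standard library. ProbeTLS connects to an address you supply, tolerating a self-signed certificate at the transport level, and returns the negotiated TLS version and the chain the device presented; CheckOnboardingCert then applies the signature-algorithm, validity, enrollment-type and trusted-CA checks from the sections above. newCert exists only to generate SHA-256-signed sample certificates so the checks can be exercised offline; any certificate it produces is constructed test material, not an ASA certificate. Two details are this example's assumptions rather than statements of the page: the accepted-algorithm list reads "SHA-256" as SHA-256 with RSA, RSA-PSS or ECDSA, and the trusted CA set is whatever CertPool you pass in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckOnboardingCert applies the page's certificate prerequisites to the chain an interface
// presents (chain[0] is the identity certificate). trusted is the operator's CA set (nil falls
// back to the system store, Go's Verify default). It returns one string per failed
// prerequisite; an empty result means the certificate is acceptable for onboarding.
func CheckOnboardingCert(chain []*x509.Certificate, trusted *x509.CertPool, now time.Time) []string {
	if len(chain) == 0 {
		return []string{"no certificate presented"}
	}
	leaf := chain[0]
	var findings []string
	// Signature algorithm: SHA-256 with RSA, RSA-PSS or ECDSA (this example's reading of
	// the page's "SHA-256"); SHA-1 and everything else is rejected.
	switch leaf.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA256WithRSAPSS, x509.ECDSAWithSHA256:
	default:
		findings = append(findings, fmt.Sprintf("signature algorithm is %s, not SHA-256", leaf.SignatureAlgorithm))
	}
	// Validity: Valid From must be in the past and Valid To in the future.
	if now.Before(leaf.NotBefore) {
		findings = append(findings, "not valid until "+leaf.NotBefore.UTC().Format(time.RFC3339))
	}
	if now.After(leaf.NotAfter) {
		findings = append(findings, "expired on "+leaf.NotAfter.UTC().Format(time.RFC3339))
	}
	// Enrollment type: a Self Enrolled certificate verifies under its own key and carries no
	// chain; the operator trusts that exact certificate instead, so the CA check does not apply.
	if leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		return findings
	}
	// CA-issued: the presented chain must link the leaf to a CA in the trusted set.
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: trusted, Intermediates: intermediates, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		findings = append(findings, "chain does not link to a trusted CA: "+err.Error())
	}
	return findings
}

// ProbeTLS connects to the onboarding interface (host:port), accepts any certificate at the
// transport level so that a self-signed one can still be inspected, and returns the negotiated
// TLS version and the presented chain. The floor is TLS 1.0, the page's minimum, so a device
// that only speaks 1.0 is reported rather than refused.
func ProbeTLS(addr string) (uint16, []*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{
		MinVersion:         tls.VersionTLS10,
		InsecureSkipVerify: true, // verification is CheckOnboardingCert's job, not the dialer's
	})
	if err != nil {
		return 0, nil, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.PeerCertificates, nil
}

// newCert builds SHA-256-signed test material offline: self-signed when parent is nil,
// otherwise issued by parent. Constructed sample input only; real ASA certificates come from
// the device.
func newCert(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		SignatureAlgorithm: x509.ECDSAWithSHA256}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Against a live device, call ProbeTLS with the IP address of the outside, inside or management interface used for onboarding (for example `ProbeTLS("192.0.2.10:443")`, a documentation placeholder address) and pass the returned chain to CheckOnboardingCert together with a CertPool holding the CA you trust; an empty findings slice means the prerequisites on this page are met. One condition the program cannot check is the page's rule for self-signed certificates: a Self Enrolled certificate passes on its own, but whether it is the same one an authorized user most recently trusted is a comparison against what CDO has recorded, so compare the fingerprint yourself.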
