Digital certificates can be used to authenticate network devices and users on the network. They can be used to negotiate IPSec sessions between network nodes.
Cisco devices identify themselves securely on a network in three main ways:
Pre-Shared Keys. Two or more devices can have the same shared secret key. Peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key. If the receiving peer is able to create the same hash independently using its pre-shared key, it knows that both peers must share the same secret, thus authenticating the other peer. This method is manual and not very scalable.
Self-Signed Certificates. A device generates its own certificate and signs it as being valid. This type of certificate should have limited use. Using it for SSH and HTTPS access for configuration purposes is a good example. A separate username/password pair is still needed to complete the connection.
Note: Persistent Self-Signed Certificates survive router reloads because they are saved in the nonvolatile random-access memory (NVRAM) of the device. Refer to Persistent Self-Signed Certificates for more information. One good example of use is with SSL VPN (WebVPN) connections.
Certificate Authority Certificate. A third party validates and authenticates the two or more nodes that attempt to communicate. Each node has a public and private key. The public key encrypts data, and the private key decrypts data. Because they have obtained their certificates from the same source, they can be assured of their respective identities. The ASA device can obtain a digital certificate from a third party with a manual enrollment method or an automatic enrollment method.
Note: The enrollment method and type of digital certificate you choose depend upon the features and functions of each third-party product. Contact the vendor of the certificate service for more information.
The Cisco Adaptive Security Appliance (ASA) can use pre-shared keys or digital certificates provided by a third-party Certificate Authority (CA) to authenticate IPSec connections. In addition, the ASA can produce its own self-signed digital certificate. This certificate should be used for SSH, HTTPS, and Cisco Adaptive Security Device Manager (ASDM) connections to the device.
This document demonstrates the procedures necessary to automatically obtain a digital certificate from a Microsoft Certificate Authority (CA) for the ASA. It does not include the manual method of enrollment. This document uses ASDM for the configuration steps and also presents the final command-line interface (CLI) configuration.
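As an added illustration (not the final CLI configuration this document presents), the automatic SCEP enrollment described above looks like this from the ASA CLI; the trustpoint name, key label, CA address and hostname are assumed placeholders.

```text
! Added illustration, not this document's final configuration.
! Assumed values: trustpoint MS-CA, key label ASA-KEY,
! CA host 10.0.0.5, ASA hostname asa.example.com.

! 1. Generate the RSA key pair that the certificate will bind to.
crypto key generate rsa label ASA-KEY modulus 2048

! 2. Define the trustpoint and point enrollment at the SCEP add-on
!    (mscep.dll) installed on the Microsoft CA.
crypto ca trustpoint MS-CA
 enrollment url http://10.0.0.5/certsrv/mscep/mscep.dll
 subject-name CN=asa.example.com,O=Example
 fqdn asa.example.com
 keypair ASA-KEY
 crl configure

! 3. Retrieve the CA certificate. Compare the fingerprint the ASA
!    displays with the one shown on the CA before accepting it;
!    this is the trust anchor every later peer check rests on.
crypto ca authenticate MS-CA

! 4. Request the identity certificate. The ASA prompts for the one-time
!    challenge password issued by the SCEP add-on's web page.
crypto ca enroll MS-CA

! 5. Confirm that both the CA certificate and the identity certificate
!    are installed under the trustpoint.
show crypto ca certificates
```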
Ensure that you meet these requirements before you attempt this configuration:
Requirements for the ASA device
Configure the Microsoft® Windows 2003 Server as a CA.
Refer to your Microsoft documentation or to Public Key Infrastructure for Windows Server 2003.
In order to allow the Cisco ASA or PIX Version 7.x to be configured by the Adaptive Security Device Manager (ASDM), refer to Allowing HTTPS Access for ASDM.
Install the Add-on for Certificate Services (mscep.dll).
Obtain the executable file (cepsetup.exe) for the Add-on from the Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services, or the mscep.dll file from the Windows Server 2003 Resource Kit Tools.
Note: Configure the correct date, time, and time zone on the Microsoft Windows machine. The use of the Network Time Protocol (NTP) is highly recommended but not necessary.
The information in this document is based on these software and hardware versions: