Configure Cisco ASA - Microsoft CA Certificates

    Question

  • Hi All,

     We have a Cisco ASA and a Windows 2008 R2 certificate authority. We require our Cisco VPN client users to have a user certificate installed on their remote PCs to authenticate with the Cisco ASA.

    How do we set up high availability for my CA? Our CA is running on our DC; will that cause any issues?

    We currently use this CA for Exchange.

    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100413-asavpnclient-ca.html

    AS

    Wednesday, July 09, 2014 4:12 AM

Answers

  • Installing a CA on a DC is strongly discouraged, probably not even supported by Microsoft. Here is a related thread. Basically, doing OS updates, backups, DC promotion/demotion gets messy and difficult. There are numerous other threads on these forums describing weird issues that most likely have been due to the CA having been installed on a DC.

    As for high availability: You can cluster a CA, but as far as I know this is only supported if you use hardware security modules ... probably overkill here (and it would definitely not work with DCs, of course).

    The critical part of the service is the publication of revocation lists. Especially with CISCO devices I would recommend the following as ASA supports the configuration of CRL cache time:

    • Configure the CRL validity period in a way that gives you enough time to resolve issues and restore the machine if needed (again - an argument against DCs... you would not want to restore a DC and AD just because you restore a CA...).
    • Publish CRLs frequently with enough overlap, such as: publish them every day but with a lifetime of a week.
    • Configure the ASA to purge the CRLs more frequently than they would be purged based on their lifetimes... e.g. purge them every few hours.
    • Make the web servers hosting the CRLs highly available by NLB or a hardware load balancer (this web server should not be the CA itself but a dedicated web server).
    • If you use OCSP, make OCSP highly available and use an array.

    Elke


    • Edited by Elke Stangl Wednesday, July 09, 2014 6:26 AM Added link to discussion about CA on a DC
    • Marked as answer by Amy Wang_Moderator Tuesday, July 15, 2014 3:08 AM
    Wednesday, July 09, 2014 6:17 AM
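The CA-side part of the schedule above (daily publication, one-week lifetime, CRLs fetched from a dedicated web server), as an added example that is not from Elke's post or the thread. It is typed as elevated PowerShell on the issuing CA; the hostname pki.example.com, the CertEnroll virtual directory and the template of the check at the end are assumptions, and `certutil -setreg` restarts are needed for the new values to take effect.

```powershell
# Added example (not from the thread): implement the CRL schedule described above
# on a Windows Server 2008 R2 enterprise CA, then verify what was published.
# Assumptions: run elevated on the CA itself; the dedicated, load-balanced CRL
# web server answers at http://pki.example.com (placeholder hostname).

$cdpHost = 'pki.example.com'   # assumption: NLB / load-balanced web server, NOT the CA

# 1. Base CRL: publish every day, but give each CRL a one-week lifetime.
#    NextUpdate = ThisUpdate + CRLPeriod + CRLOverlapPeriod, so a client that
#    cached today's CRL keeps validating through a multi-day CA outage.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 6
certutil -setreg CA\CRLOverlapPeriod "Days"

# 2. Delta CRLs add nothing on a daily schedule and non-Windows validators
#    often ignore them; disable them so there is a single file to host.
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 3. CDP locations. Flag 65 (1 + 64) = write base and delta CRL to this path.
#    Flag 6 (2 + 4) = put this URL into the CDP extension of issued certs and
#    into the Freshest CRL extension. No LDAP CDP: the remote VPN laptops are
#    validating before they have any path to AD. certutil takes a literal \n
#    as the separator of a multi-valued registry entry.
$cdp = @(
  "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl",
  "6:http://$cdpHost/CertEnroll/%3%8%9.crl"
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $cdp

# 4. Registry changes take effect on restart; then force a CRL out right away.
Restart-Service certsvc
certutil -crl

# 5. Verify: the new base CRL's NextUpdate must be about 7 days out, not 1.
$crl = Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll\*.crl" |
       Where-Object { $_.Name -notlike '*+.crl' } |      # '+' suffix marks a delta CRL
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'

# 6. Verify the published copy is what clients will fetch: same bytes as the local file.
$remote = Invoke-WebRequest "http://$cdpHost/CertEnroll/$($crl.Name)" -UseBasicParsing
if ($remote.RawContentLength -ne $crl.Length) {
    Write-Warning "CRL on $cdpHost differs in size from the CA's copy; check the publish job"
}
```

The copy job from the CA's CertEnroll folder to the web server is yours to arrange (a scheduled `robocopy` or a file share the CA writes to); nothing here does that. On the ASA side the matching knob is the trustpoint's `crl configure` submode, where `cache-time` (in minutes) sets how long a fetched CRL is reused before it is refetched; setting it to a few hours is what "purge them every few hours" in the answer above refers to.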

All replies

  • Hi,

    Do you need further assistance on this issue by now?

    If yes, please feel free to let us know.

    Have a nice day!

    Amy
    Tuesday, July 15, 2014 3:09 AM
  • Hi Elke,

       Do I use the Web Server template or IPsec from my CA? How do I push to laptops? Which certificate (user)?

    As

     

    Monday, July 21, 2014 10:31 PM
    If I recall the ASA configuration options correctly (I might not use proper CISCO technology), it might need both:

    • For VPN you need an IPsec certificate.
    • For SSL access for management you could issue an additional (optional) SSL certificate. I think this one is called the Identity Certificate.

    The CISCO client could either use user or machine certificates - depends on the client config. But as you said you plan to use certificates for users:

    Go for a copy of the template Authenticated Session.

    This is a simple SSL Client Auth certificate. (*)

    Don't use User as this also has the EKUs for EFS and Secure E-Mail (unless you want your users to use those services and you are prepared for the related recovery procedures).

    You would use Autoenrollment to push the certificate to users:

    • Give users Enroll and Autoenroll permission on the template (start with a pilot group!)
    • Allow for Autoenrollment via a Group Policy.

    Details here.

    (*) Edit: According to my experience, no IKE EKU is expected in the client cert - but I can't guarantee this for the latest version.


    Monday, July 21, 2014 11:29 PM
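A check to run before widening the pilot group, as an added example that is not from Elke's reply or the thread: it reads the duplicated template back out of AD and confirms it carries only the Client Authentication EKU (not the EFS and Secure E-Mail EKUs of the User template) and has the autoenrollment flag set. It assumes the RSAT ActiveDirectory module and that the copy of Authenticated Session was named 'ASA VPN User' (placeholder).

```powershell
# Added example (not from the thread): verify the copied "Authenticated Session"
# template is a plain client-auth certificate and is enabled for autoenrollment.
# Assumptions: ActiveDirectory module (RSAT) is installed; the template copy is
# named 'ASA VPN User' (placeholder); the caller can read the configuration NC.
Import-Module ActiveDirectory

$templateName = 'ASA VPN User'   # assumption: your copy of Authenticated Session

# Friendly names for the EKU OIDs that matter here.
$ekuNames = @{
  '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
  '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
  '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
  '1.3.6.1.5.5.8.2.2'      = 'IP security IKE intermediate'
}
# The two EKUs the User template adds and the reply above warns against.
$unwanted = '1.3.6.1.5.5.7.3.4', '1.3.6.1.4.1.311.10.3.4'

# Templates live in the Configuration partition, not the domain partition.
$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext
$t = Get-ADObject -SearchBase $base -Filter { displayName -eq $templateName } `
       -Properties pKIExtendedKeyUsage, 'msPKI-Enrollment-Flag'
if (-not $t) { throw "Template '$templateName' not found under $base" }

'EKUs on the template:'
$t.pKIExtendedKeyUsage | ForEach-Object { "  $_  $($ekuNames[$_])" }

$bad = $t.pKIExtendedKeyUsage | Where-Object { $unwanted -contains $_ }
if ($bad) {
    Write-Warning "Template carries EFS/Secure Email EKUs ($($bad -join ', ')); you copied User, not Authenticated Session"
}
if ($t.pKIExtendedKeyUsage -notcontains '1.3.6.1.5.5.7.3.2') {
    Write-Warning 'Template lacks the Client Authentication EKU; the ASA will reject it'
}

# msPKI-Enrollment-Flag bit 0x20 = CT_FLAG_AUTO_ENROLLMENT. The Group Policy
# autoenrollment setting pushes nothing unless this bit is set on the template.
$autoEnroll = ($t.'msPKI-Enrollment-Flag' -band 0x20) -ne 0
"Autoenrollment flag set on template: $autoEnroll"

# Client-side check, run as a pilot user on a domain-joined laptop:
#   certutil -pulse        (triggers autoenrollment now instead of at next logon)
#   Get-ChildItem Cert:\CurrentUser\My |
#     Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }
```

If the EKU list comes back with Secure Email or EFS, delete the copy and duplicate Authenticated Session again rather than editing the EKUs by hand: certificates already issued from the wrong copy keep the extra EKUs until they expire or are revoked.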