Wednesday, 5 October 2016

installing certificates on the Cisco ASA

Wildcard cert

GoDaddy steps
What you need
  • Purchased wildcard cert
  • Login details for godaddy site
  • Access to public DNS provider to create URLs and TXT record
  • Access to ASA/ASDM
  • Access to domain controller/server where you can install openssl
Saving the private key
When setting up a new wildcard, GoDaddy gives you the option to save the CSR and the private key. Save both. The client might already have created them; look on the domain controller or email server and see if you can export the key from mmc -> Certificates snap-in. If it can't be found or has been lost you can rekey the cert (contact GoDaddy for steps). I believe a rekey can cause issues if the cert is already installed somewhere, as the old private key will no longer match the new cert. Try to avoid this.
DNS provider
A wildcard has to be verified with a DNS TXT record, so you will need to contact the DNS provider. GoDaddy provide instructions.
You can check the TXT records here https://dnslookup.online/txt.html
Once the cert is issued you can download the zip file. Choose the "Other" server type option.
You may also need to get "vpn.domain.ie" pointing to the public IP of the ASA.
Create combined PKCS12 / PFX file with Openssl
Now use openssl to bundle the private key + wildcard cert into one password-protected file.
You may need to install openssl (http://gnuwin32.sourceforge.net/summary.html)
Openssl command:
openssl pkcs12 -export -inkey MY_PRIV_KEY.key -in WILDCARD_CERT.crt -out STAR_DOMAIN_COMBINED.p12
You will be asked for a password here; save this password.
It's a good idea to install the PFX on the customer's domain controller for safe keeping:
Install as exportable
Choose the computer account
Choose the Personal cert store.
You can find the cert later in Start -> Run -> mmc -> add the Certificates snap-in.
ASA install
Now install the STAR_DOMAIN_COMBINED.p12 on cisco ASDM.
ASDM -> Configuration -> Certificate Management -> CA Certificates -> Add -> CA cert (from zip file downloaded from godaddy)
Now click on Identity Certificates -> Add
Choose "Import the identity certificate from a file (PKCS12)"
Enter the password you entered at the openssl step
Select the STAR_DOMAIN_COMBINED.p12
Click "Add certificate"
Apply to interface. 
Configuration -> Advanced -> SSL settings
Click on outside interface -> Edit button and select cert
Testing
Go to your AnyConnect URL.
Confirm the cert is set up with Chrome -> Developer Tools -> Security, or with this checker:
https://www.sslshopper.com/ssl-checker.html



This is the process for installing a wildcard cert if you already have one:
https://www.tunnelsup.com/adding-a-wildcard-ssl-certificate-to-a-cisco-asa/

Get the following:
The password used to export the certs (if no password was ever set, create the PFX yourself with OpenSSL and set one)
The certificate private key (pfx) file (in pem format)
The wildcard certificate (in pem format)
The intermediary certificate (in pem format)

The customer should have access to their trusted root CA's portal, where most of the files can be downloaded. The customer should also have the private key (pfx) file and the password for it; the trusted root CA does not hold that. It's generated when the cert is used for the first time.

In the past we have found the customer had imported the private key onto a web server but didn't save the private key. We were able to export the private key from the web server. Had to open mmc, add the Certificates snap-in and add it for the computer account.

Download and install Win32/Win64 OpenSSL to convert your cert into the correct format.
See https://support.citrix.com/article/CTX136444

Use openssl to create the PKCS12 file. This is done by bundling the private key + the wildcard cert; the second form below also includes the GoDaddy intermediate bundle so the ASA presents the full chain.

Openssl command (key + cert only):
openssl pkcs12 -export -inkey MY_PRIV_KEY.key -in WILDCARD_CERT.crt -out STAR_DOMAIN_COMBINED.p12

Openssl command (key + cert + intermediate bundle):
openssl pkcs12 -export -in CERT.crt -inkey PKEY.key -certfile sf_bundle-g2-g1.crt -out BUNDLE.pfx

Make sure to save the password you enter. This file can now be imported into ASDM.

This can also be done at https://www.sslshopper.com/ssl-converter.html
However, it's advised that you don't upload your certs (the PFX contains your private key) to a third party; use openssl on your own PC.
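As an added example (not from the original post, and not GoDaddy's or Cisco's tooling), the bundling step from the GoDaddy section above and from this section as a checked script: it confirms the private key actually belongs to the certificate before exporting, includes the intermediate bundle with -certfile, and then verifies chain and hostname the way the browser/sslshopper check at the end of the post does. File names (wildcard.key, wildcard.crt, int.crt, root.crt), the hostname vpn.domain.ie and the password are assumptions; the CA chain is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: prepare and sanity-check the
# PKCS12 bundle the ASA imports. The root/intermediate/wildcard files below
# are constructed stand-ins for the GoDaddy download; with a real cert, skip
# make_test_material and point the functions at your own files.
set -eu

# make_test_material DIR: constructed root -> intermediate -> wildcard chain.
make_test_material() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:*.domain.ie,DNS:domain.ie\n' > "$d/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Root CA' \
      -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
      -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
      -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
      -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=*.domain.ie' \
      -keyout "$d/wildcard.key" -out "$d/wildcard.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/wildcard.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
      -CAcreateserial -extfile "$d/leaf.ext" -out "$d/wildcard.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: the public key embedded in the cert must equal
# the one derived from the private key. A mismatch is exactly what you get
# after a rekey at GoDaddy while still holding the old .key file.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$2")" = "$(openssl pkey -in "$1" -pubout)" ]
}

# build_pkcs12 KEY CERT CHAIN OUT PASSWORD: one password-protected file with
# the private key, the wildcard cert and the intermediate (GoDaddy's
# sf_bundle-g2-g1.crt), so the ASA can present the full chain to clients.
build_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# count_p12_certs OUT PASSWORD: number of certificates inside the bundle
# (leaf + intermediate = 2). Failing to open it also means a wrong password.
count_p12_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# chain_ok ROOT INTERMEDIATE LEAF HOST: the leaf chains to the trusted root
# through the intermediate and its wildcard covers the VPN host name.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null
}

# Stand-alone run on constructed material (constructed-password is a sample value).
WORK=$(mktemp -d)
make_test_material "$WORK"
key_matches_cert "$WORK/wildcard.key" "$WORK/wildcard.crt"
build_pkcs12 "$WORK/wildcard.key" "$WORK/wildcard.crt" "$WORK/int.crt" \
    "$WORK/STAR_DOMAIN_COMBINED.p12" 'constructed-password'
echo "bundle holds $(count_p12_certs "$WORK/STAR_DOMAIN_COMBINED.p12" constructed-password) certificates"
chain_ok "$WORK/root.crt" "$WORK/int.crt" "$WORK/wildcard.crt" vpn.domain.ie
echo 'chain and hostname OK'
rm -rf "$WORK"
```

One caveat worth knowing before the ASDM import: OpenSSL 3.x encrypts PKCS12 files with AES and PBKDF2/SHA-256 by default, and some older import code only understands the old RC2/3DES algorithms. If the import is rejected, re-run the export with OpenSSL 3's `-legacy` option and try again.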

If you have an old/expired wildcard cert you can remove it now, otherwise you might get an error when trying to assign the new one to an interface.

Add the CA cert (PEM, plain text BEGIN CERTIFICATE etc):
Configuration > Device Management > Certificate Management > CA Certificates
Add the PKCS12 cert (PFX) with its password:
Configuration > Device Management > Certificate Management > Identity Certificates
Assign the cert to the interface (Advanced -> SSL):
Configuration > Device Management > Advanced > SSL

This is the process for creating an identity cert and getting it signed by your CA; they send back a signed cert that you can install.
https://www.tunnelsup.com/adding-an-ssl-certificate-on-an-asa/

Ident certs
Create ident cert (config -> Firewall -> Advanced -> Certificate management -> Ident cert)
Add new (create a new key pair if you need to)
Click select button and fill in the details
In this example the URL I have bought the cert for is remote.domain.ie
subject-name CN=remote.domain.ie,OU=IT,O=Customer,C=IE,St=Leinster,L=Dublin
Export cert and send to CA
CA sends back signed cert
Install signed cert
Apply to interface.


After installing
Export the cert + key from ASDM and install the .pfx on their Windows server so they don't lose it. Don't forget to record the password.
 
More on certs

.csr
This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. The actual format is PKCS10 which is defined in RFC 2986. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.

.pem
Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files in /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email, but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.

.key
This is a PEM formatted file containing just the private key of a specific certificate and is merely a conventional name, not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The permissions on these files are very important, and some programs will refuse to load these keys if they are set wrong.

.pkcs12 .pfx .p12
Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys:
openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes
A few other formats that show up from time to time:

.der
A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like...

.cert .cer .crt
A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

.p7b
Defined in RFC 2315, this is a format used by windows for certificate interchange. Java understands these natively. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.

.p7s
Looks like this one is used for signing emails

.crl
A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.
In summary, there are four different ways to present certificates and their components:

PEM Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)

PKCS7 An open standard used by Java and supported by Windows. Does not contain private key material.

PKCS12 A private standard that provides enhanced security versus the plain-text PEM format. This can contain private key material. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.

DER The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used by much outside of Windows.
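The four containers just summarised all turn up in the files a CA portal or a Windows export hands you, usually with an extension that says little about the content. As an added example (not from the original post or the text it summarises), the script below tells PEM, DER, PKCS7 and PKCS12 apart by asking openssl to parse each and normalises any of them to PEM with the conversions named above. The sample files are constructed from one self-signed cert so it runs offline; constructed-pw is a sample password.

```shell
#!/bin/sh
# Added example, not from the original post: identify a certificate container
# and convert it to PEM. Sample files are constructed below so this runs
# offline; with real downloads call cert_format / to_pem on them directly.
set -eu

# cert_format FILE [PASSWORD]: prints pem, der, pkcs7, pkcs12 or unknown.
# PEM is text with a BEGIN header; the binary formats are told apart by
# which openssl parser accepts the file. PKCS12 needs its password to open.
cert_format() {
  f="$1"; pw="${2:-}"
  if grep -q -- '-----BEGIN ' "$f" 2>/dev/null; then
    echo pem
  elif openssl x509 -inform der -noout -in "$f" 2>/dev/null; then
    echo der
  elif openssl pkcs7 -inform der -noout -in "$f" 2>/dev/null; then
    echo pkcs7
  elif openssl pkcs12 -in "$f" -noout -passin "pass:$pw" 2>/dev/null; then
    echo pkcs12
  else
    echo unknown
  fi
}

# to_pem FILE OUT [PASSWORD]: the conversions listed in the text. Note the
# pkcs12 branch writes the private key out unencrypted (-nodes), so treat
# OUT like the .key files described above.
to_pem() {
  f="$1"; out="$2"; pw="${3:-}"
  case "$(cert_format "$f" "$pw")" in
    pem)    cp "$f" "$out" ;;
    der)    openssl x509 -inform der -in "$f" -out "$out" ;;
    pkcs7)  openssl pkcs7 -inform der -print_certs -in "$f" -out "$out" ;;
    pkcs12) openssl pkcs12 -in "$f" -nodes -passin "pass:$pw" -out "$out" ;;
    *)      echo "unrecognised format: $f" >&2; return 1 ;;
  esac
}

# pem_fingerprint FILE: SHA-256 fingerprint of the first certificate in a
# PEM file. The same cert yields the same value whatever container it came in.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# make_samples DIR: one constructed self-signed cert saved in every container.
make_samples() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed.example' \
      -keyout "$d/s.key" -out "$d/s.pem" 2>/dev/null
  openssl x509 -in "$d/s.pem" -outform der -out "$d/s.der"
  openssl crl2pkcs7 -nocrl -certfile "$d/s.pem" -outform der -out "$d/s.p7b"
  openssl pkcs12 -export -in "$d/s.pem" -inkey "$d/s.key" -out "$d/s.pfx" -passout 'pass:constructed-pw'
}

# Stand-alone run: label each sample, convert two of them, confirm both hold
# the same certificate.
D=$(mktemp -d)
make_samples "$D"
for f in s.pem s.key s.der s.p7b s.pfx; do
  printf '%-7s %s\n' "$(cert_format "$D/$f" constructed-pw)" "$f"
done
to_pem "$D/s.pfx" "$D/from-pfx.pem" constructed-pw
to_pem "$D/s.der" "$D/from-der.pem"
[ "$(pem_fingerprint "$D/from-pfx.pem")" = "$(pem_fingerprint "$D/from-der.pem")" ]
echo 'same certificate in every container'
rm -rf "$D"
```

The detection order is deliberate: a PEM file is matched on its text header before any binary parser is tried, and PKCS12 is tried last because it is the only one that cannot be recognised without the password, so a wrong password simply reports unknown rather than a false format.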

x509 (can be .pfx and .der .cer .crt)
Usually in some directory like C:\webserver\apache\cert
Drop in the new server.crt (just the cert file)
Drop in server.key (the private key) in the same directory
Restart the webserver

A Base64 block beginning with MII is simply how a DER-encoded x509 structure looks once Base64 encoded, so you will often see it at the top of x509 certs.
