Cisco ASA Anyconnect Local CA

In previous lessons you learned how to configure the ASA for AnyConnect SSL VPN and also how to self-sign certificates on the ASA. In both of these lessons the remote user authenticated with a username and password.

When we configured the ASA to self-sign its certificate, we used the ASA as a local CA. The cool thing is that we can also use this feature to create certificates for our users. This allows us to have two-factor authentication for the remote users: username/password + user certificate.

I’m going to assume that you have a working AnyConnect SSL VPN configuration. If you don’t, follow the steps in the AnyConnect SSL VPN lesson before you continue.

We will use the following topology:

ASA1 Remote User Certificate Authentication

On the left side we have the ASA and on the right side is a remote user that reaches the ASA on its outside interface. The ASA will be configured as a local CA and we will generate two certificates:

  1. User certificate that the user will use for authentication.
  2. ASA certificate so that the user can validate the ASA firewall.

We will start with the configuration of the local CA!


ASA Local CA Configuration

First we will configure the ASA as a local CA:

ASA1(config)# crypto ca server
ASA1(config-ca-server)# smtp from-address LOCAL-CA@NETWORKLESSONS.LOCAL
ASA1(config-ca-server)# subject-name-default CN=ASA1 O=NETWORKLESSONS.LOCAL C=NL
ASA1(config-ca-server)# lifetime ca-certificate 1825
ASA1(config-ca-server)# lifetime certificate 365
ASA1(config-ca-server)# issuer-name CN=ASA1-LOCAL-CA C=NL O=NETWORKLESSONS.LOCAL
ASA1(config-ca-server)# keysize server 2048
ASA1(config-ca-server)# no shutdown

The from address is a required field so I just made up an e-mail address. The lifetime of the root CA is 1825 days (5 years) and when our local CA issues a certificate, it is valid for 365 days (1 year). Once you enable the local CA with no shutdown you will see this:

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: ***********

Re-enter passphrase: ***********

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
Certificate Server enabled.

The ASA will ask you to choose a passphrase for the private key. Create a strong passphrase and once it’s done, the certificate server will be up and running. You can see our certificate here:

ASA1# show crypto ca certificates 
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name: 
  Subject Name:
  Validity Date: 
    start date: 14:36:13 UTC Dec 16 2014
    end   date: 14:36:13 UTC Dec 15 2019
  Associated Trustpoints: LOCAL-CA-SERVER 

  Status: Available
  Certificate Serial Number: 370d8754
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name: 
  Subject Name:
  Validity Date: 
    start date: 14:03:52 UTC Dec 10 2014
    end   date: 14:03:52 UTC Dec 7 2024
  Associated Trustpoints: SELF_TRUSTPOINT

You can see the certificate that we created. The trustpoint (that’s where the certificates are stored) is created automatically.
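
The output above shows SHA1 signatures on both certificates and a 1024-bit key on SELF_TRUSTPOINT, which a certificate audit would normally flag. The Python below is an added example, not part of the original lesson or any Cisco tooling: it parses "show crypto ca certificates" output and reports weak keys, SHA-1 signatures and expired certificates. The function names and the 2048-bit threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the two certificates from the output above, trimmed.
SAMPLE = """\
CA Certificate
  Status: Available
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
    end   date: 14:36:13 UTC Dec 15 2019
  Associated Trustpoints: LOCAL-CA-SERVER

  Status: Available
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
    end   date: 14:03:52 UTC Dec 7 2024
  Associated Trustpoints: SELF_TRUSTPOINT
"""

MIN_RSA_BITS = 2048  # assumed policy threshold, not an ASA default

def parse_certs(text):
    """Split the output on 'Status:' lines and pull out the audited fields."""
    certs = []
    for block in re.split(r"(?m)^\s*Status:", text)[1:]:
        def field(pattern):
            m = re.search(pattern, block)
            return m.group(1).strip() if m else None
        end = field(r"end\s+date:\s*(.+)")
        certs.append({
            "bits": int(field(r"\((\d+) bits\)") or 0),
            "sigalg": field(r"Signature Algorithm:\s*(.+)"),
            "end": datetime.strptime(end, "%H:%M:%S UTC %b %d %Y") if end else None,
            "trustpoint": field(r"Associated Trustpoints:\s*(.+)"),
        })
    return certs

def audit(certs, now):
    """Return (trustpoint, finding) pairs for weak or expired certificates."""
    findings = []
    for c in certs:
        if c["bits"] < MIN_RSA_BITS:
            findings.append((c["trustpoint"], f"RSA key is {c['bits']} bits"))
        if c["sigalg"] and c["sigalg"].upper().startswith("SHA1"):
            findings.append((c["trustpoint"], "SHA-1 signature"))
        if c["end"] and c["end"] < now:
            findings.append((c["trustpoint"], "expired"))
    return findings
```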

Enroll User Certificate

We can now add a user to the CA database. When you do this, the username has to be the same as the common name (CN):

ASA1(config)# crypto ca server user-db add cert_user dn CN=cert_user
INFO: User added as 'cert_user'

The user account “cert_user” has been added. We will allow this user to enroll a certificate by using an OTP (One Time Password). Here’s how we enable this:

ASA1(config)# crypto ca server user-db allow cert_user display-otp 
Username: cert_user
Enrollment Allowed Until: 14:40:53 UTC Fri Dec 19 2014

Above you can see our OTP. When the user requests to enroll the certificate, we’ll need to enter the OTP. Instead of OTP you can also use e-mail delivery.

Everything is now in place on the ASA. Let’s enroll the user certificate on a computer. I will use a Windows 7 computer with Internet Explorer. Open the following URL:


You will see the following screen:

Cisco ASA Local CA enroll

This is where the user can enroll a certificate. Enter the username that we created earlier and the OTP. Once you hit submit, the certificate will be created and you can download it:

Cisco ASA Local CA User certificate

Save this file somewhere. I’ll call mine “cert_user”:

Cisco ASA Local CA user certificate save

Open the folder where you saved your user certificate, right-click on the certificate file and select “Install PFX”:

Cisco ASA install user certificate

Once you do this, the certificate import wizard will start. It looks like this:

Cisco ASA certificate import wizard

Click Next to continue and the wizard will ask what certificate we want to import:

Cisco ASA certificate import wizard file name

Our certificate is already selected so just hit Next to continue and we’ll see this:

Cisco ASA certificate import wizard OTP

The wizard prompts for the password of the private key. You need to enter the OTP here and click Next to continue. Now we need to select where we want to store the certificate:

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hi

    I have ASA 5520 VPN Plus license with latest IOS disk0:/asa917-k8.bin

    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 150            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 20             perpetual
    ... Continue reading in our forum

  2. Hi

    Today I tested AnyConnect VPN Client Software-4.2.01035 with my ASA and am glad it works perfectly with Rene's article.

    Rene, your ASA articles that I have tested so far are amazing. Just a quick note: if you can also add the NAT statements related to the configuration, that will be great, or add a note that the particular configuration requires NAT changes as well.
    e.g. to make the Split Tunnel work we need a deny statement in NAT so it will be helpful.

    Thanks and amazing work, everything works for me like a charm.

    Stay blessed

  3. Hi Richard,

    The VPN traffic does terminate on the outside interface. Usually we use the sysopt connection permit-vpn command to permit IPsec traffic to bypass any access-list. If you don’t use it, then you’ll need to explicitly permit your IPsec traffic to the inside.

    It could be an issue on your ASA but have you also checked your router has a route back to the ASA?


  4. Hi Rene,

    Congrats, very clear tutorial. What about the NAT rule to keep the traffic between internal subnets and remote VPN hosts untranslated? Is it not needed?

    Please advise.

    Thank you.

  5. Hi Alessandro,

    Glad to hear you like it! You will need a NAT rule to keep traffic between remote VPN users and inside hosts untranslated. You can find the config for it in this reply:

    Cisco ASA NAT untranslate

