ASA Local CA Deprecated: Use Windows CA

KB ID 0001616

Problem

I got an email about this last night. I rarely ever use the ASA as a Local CA, but that feature has now been deprecated (from version 9.12(1) onwards). The documentation tells us;

Local CA server is deprecated in 9.12(1), and will be removed in a later release—When ASA is configured as local CA server, it is enabled to issue digital certificates, publish Certificate Revocation Lists (CRLs), and securely revoke issued certificates. This feature has become obsolete and hence the crypto CA server command is deprecated.

OK, so if you want to issue your own certificates from a CA you control, rather than buy them from a public CA, then use Microsoft Certificate Services instead.

Solution

Setting up Microsoft Certificate Services is a subject I’ve ‘done to death’ see the following article;

Microsoft PKI Planning and Deploying Certificate Services

What about user/computer certificates? See the following article.

Deploying Certificates via ‘Auto Enrollment’

Can I automate this? Yes use NDES.

Cisco ASA – Enrolling for Certificates with NDES

Related Articles, References, Credits, or External Links

NA

Certificate Services – Create a ‘Wildcard Certificate’

KB ID 0001128

Problem

Now you may be thinking, “If you have your own CA/PKI solution why would you need to create a wildcard certificate? If you can generate as many certificates as you want, what’s the point?” Well, today I need to set up ADFS, WAP (Web Application Proxy), and a Remote Desktop Services Gateway server. Making the whole thing work on my test bench is a lot less hassle if I can just use one certificate for everything! Bear in mind the trade-off: the same private key then sits on every one of those servers, so compromising any one of them exposes the lot. Fine on a test bench, something to think about in production.

Solution

Process carried out on Windows Server 2012 R2

Windows Key +R > MMC > {Enter} > File > Add/Remove Snap-in.

Certificates > Add.

Computer account > Next.

Local Computer > Finish.

OK.

Certificates > Personal > Right Click > All Tasks > Advanced Operations > Create Custom Request.

Proceed without enrolment policy > Next.

In nearly every case you can accept the default of ‘(No template) CNG Key’. However, some applications (particularly Active Directory Federation Services) need to use an older set of Cryptographic Service Providers (CSPs); if that is the case change the option to ‘(No template) Legacy Key’ > Next.

Details > Properties.

General Tab: Friendly Name > *.{your domain}.

Subject Tab: Ensure the Common Name (CN) is set to *.{your domain}, and under Alternative name add a DNS entry of *.{your domain} as well (modern browsers ignore the CN and match only on the Subject Alternative Name; a wildcard does not cover the bare domain, so add that as a second DNS entry if you need it) > Enter the rest of your details as shown.

Extensions Tab: Under Key usage add Digital Signature and Key Encipherment. (You don’t need to add Server Authentication here; the Web Server template adds that extended key usage when the CA signs the request.)

Private Key: Key Size = 4096 > Make private key exportable > Apply > OK.

Save the certificate request > Finish >Leave the Certificate console open, (you will need it later).

Locate the certificate request you just saved > Open it with Notepad > Select ALL the text and copy it to the clipboard.

Open the web enrolment portal of your certificate services server (https://server.domain.com/certsrv) > Request a certificate.

Advanced Certificate Request.

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste in the Text > Certificate Template = Web Server > Submit.

Base 64 encoded > Download certificate.

Save the certificate, and change its name from certnew > Save.

Back in the certificate console > Right Click ‘Personal’ > All Tasks > Import.

Next.

Navigate to the certificate you have just saved.

Next.

Finish.

Hopefully the import succeeds.

Now this may seem a little odd, but having just imported the certificate, to get it in PFX format you need to export it again. Right click the cert > All Tasks > Export.

Next

Yes, export the private key > Next.

Personal Information Exchange > Next.

Enter and re-type a password (you will need this to import the certificate, so remember it) > Next. Pick a strong one: this PFX contains the private key that will protect every host in the domain, so keep it off shared drives and delete the copies once it has been imported where it is needed.

Save it somewhere you can find it > Next.

Finish > OK.
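The same wildcard request, driven from PowerShell with certreq instead of clicking through the MMC wizard. This is an added example, not code from the original article: the CA config string, the domain and the working folder are placeholders you must replace, and the ProviderName line selects the legacy CSP for the ADFS case described above (delete it to get the default CNG key).

```powershell
# Added example (not from the original article). Request a *.{domain} certificate from an
# Enterprise CA with certreq, then export it as a PFX for the other servers.
# Assumptions (replace with your own): domain, CA config string "hostname\CA name", work folder.
$Domain   = 'petenetlive.com'
$CAConfig = 'CA01.petenetlive.com\PeteNetLive-CA'   # find yours with: certutil -dump
$Work     = 'C:\Temp\wildcard'
$null = New-Item -ItemType Directory -Path $Work -Force

# certreq INF. KeyUsage 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20).
# The SAN carries both *.domain and the bare domain, because browsers match on the SAN, not the CN.
# Exportable = TRUE is what allows the PFX export at the end.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=*.$Domain, O=PeteNetLive, L=Middlesbrough, S=Teesside, C=GB"
FriendlyName = "*.$Domain"
KeyLength = 4096
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeyUsage = 0xA0
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=*.$Domain&"
_continue_ = "dns=$Domain&"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
$Inf | Set-Content -Path "$Work\wildcard.inf" -Encoding ASCII

# 1. Generate the key (in the local machine store) and the PKCS#10 request.
certreq -new "$Work\wildcard.inf" "$Work\wildcard.req"
# 2. Submit to the CA with the Web Server template, the same as the web enrolment page does.
certreq -submit -config $CAConfig -attrib "CertificateTemplate:WebServer" "$Work\wildcard.req" "$Work\wildcard.cer"
# 3. Bind the issued certificate to its private key in Computer > Personal.
certreq -accept "$Work\wildcard.cer"

# 4. Find it, confirm the private key is attached, and export a password-protected PFX.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=[*].$Domain*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert -or -not $Cert.HasPrivateKey) { throw 'Wildcard certificate not found with a private key; check the certreq output.' }
$Pwd = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $Cert -FilePath "$Work\wildcard.pfx" -Password $Pwd

# Sanity check: the SAN list and expiry of what the CA actually issued.
$Cert | Format-List Subject, DnsNameList, HasPrivateKey, NotAfter, Thumbprint
```

If the CA is set to require manager approval, step 2 returns a pending request ID instead of a certificate; approve it on the CA and then fetch it with certreq -retrieve before running step 3. The PFX produced here is the same artefact the Export wizard above creates, so the same warning applies: it carries the private key for the whole domain.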

Related Articles, References, Credits, or External Links

NA

Cisco PRSM – Replace the Certificate Using Microsoft Certificate Services

KB ID 0001023 

Problem

Cisco PRSM gives you the ability to import certificates into it, but like many Linux-based appliances it does not give you the tools to generate the actual certificate request. The documentation tells you to use OpenSSL to do this. I was just about to fire up a CentOS box when I remembered I did something similar for VMware 5.5 not so long ago; would the same procedure work here? Yes it did, and it’s a lot easier than growing a ginger ponytail, donning sandals and firing up Linux.

Solution

The following procedure was carried out on Windows Server 2012 R2. I want my certificate to have a common name of prsm.petenetlive.com (change your configs and commands accordingly).

1. Download and install the following.

Microsoft Visual C++ 2008 Redistributable Package (x86) and the Shining Light Productions installer for OpenSSL x86 version 0.9.8r (or later).

2. Accept all the defaults and it should install to C:\OpenSSL-Win32. Go there, and in the bin directory make a backup of the openssl.cfg file. Then open the original openssl.cfg, delete everything out of it, paste in the following text, replace the values (key file name, SANs and the distinguished name fields) with your own, and save the file.

[box]

[ req ]
default_bits = 2048
default_keyfile = prsm.petenetlive.com.key
distinguished_name = req_distinguished_name
# No passphrase on the key: PRSM cannot prompt for one when it starts
encrypt_key = no
# Take every value from this file rather than asking interactively
prompt = no
string_mask = nombstr
# Copy the v3_req extensions (the SANs in particular) into the CSR
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Every name or address you will use to reach PRSM must be listed here
subjectAltName = DNS:PRSM, IP:123.123.123.110, DNS:prsm.petenetlive.com

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Teesside
localityName = Middlesbrough
0.organizationName = PeteNetLive
organizationalUnitName = Technical Services
commonName = prsm.petenetlive.com

[/box]

3. Open an administrative command window and issue the following three commands;

[box]

cd C:\OpenSSL-Win32\bin

openssl req -new -nodes -out prsm.petenetlive.com.csr -keyout prsm.petenetlive.com-orig.key -config openssl.cfg

openssl rsa -in prsm.petenetlive.com-orig.key -out prsm.petenetlive.com.key

[/box]

Don’t worry if it warns that it can’t open the openssl.cnf file: that is OpenSSL looking for its default configuration via the OPENSSL_CONF variable, and the -config switch has already supplied one. Note also that -nodes already leaves the key unencrypted; the rsa command simply rewrites it in the traditional ‘BEGIN RSA PRIVATE KEY’ format that appliances such as PRSM expect (on OpenSSL 3.x add -traditional to get that format, otherwise it stays in PKCS#8 form).

4. If you look in the C:\OpenSSL-Win32\bin directory you will see the CSR (certificate request) has been generated.

5. Open the .csr file with notepad and copy all the text, (this is a request in PEM format). This is what you will give to your CA to request the certificate, copy that to the clipboard.

6. Connect to your Certificate Authority web enrollment portal > Request a certificate.

7. Advanced certificate request.

8. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

9. Paste in the PEM text you copied to the clipboard > Set the certificate template to ‘Web Server’ > Submit.

Note: Your CA may have a different template for web server certificates, if so use that one. If you don’t see web server either it’s not been published, or your user does not have rights to the certificate template.

10. Choose ‘Base 64 encoded’ > Download > Save the cert in the directory you were using earlier (you will see why in a minute) > I give it the same name as the common name on the certificate so I saved it as prsm.petenetlive.com.cer

11. Here it is, but PRSM is fussy about the file it is given. The ‘Base 64 encoded’ file you downloaded is already an X.509 certificate in PEM form, so the conversion below is really just OpenSSL re-writing it cleanly as a .crt (if you had downloaded the DER version instead you would add -inform DER to the command). Either way, OpenSSL-Win32 can do it for us.

How to Convert a Windows .cer file to a PEM x509 .crt file

12. Open an administrative command window and issue the following two commands;

[box]

cd C:\OpenSSL-Win32\bin
openssl x509 -in prsm.petenetlive.com.cer -out prsm.petenetlive.com.crt

[/box]

13. Now it looks better. For PRSM we need this .crt file AND the .key file (not the one that ends in -orig.key!). In the example below I’ve kept everything neat, so the other file I need is prsm.petenetlive.com.key (third one down).

14. Connect to PRSM > Administration > Server Certificates > Browse and select both files.

15. Install and Restart Server.

16. Restart.

17. Refresh your web session and you should now be using the correct certificate.
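The whole OpenSSL side of the procedure above, run from PowerShell with the checks a practitioner wants before uploading anything to PRSM: that the CSR actually carries the SANs, that the downloaded .cer is PEM rather than DER, and that the .crt and .key really belong together. This is an added example, not the article’s own commands; it assumes OpenSSL is installed in C:\OpenSSL-Win32\bin, that openssl.cfg is the file from step 2, and that the issued certificate was saved next to it as prsm.petenetlive.com.cer.

```powershell
# Added example (not from the original article). Assumes OpenSSL-Win32 in $Bin, the openssl.cfg
# from step 2 in the same folder, and the CA-issued certificate saved there as $Name.cer.
$Bin  = 'C:\OpenSSL-Win32\bin'
$Name = 'prsm.petenetlive.com'
Set-Location $Bin
$env:OPENSSL_CONF = "$Bin\openssl.cfg"   # stops the "can't open config file openssl.cnf" warning

# 1. Private key + CSR, exactly as in step 3. SANs come from req_extensions = v3_req.
.\openssl.exe req -new -nodes -keyout "${Name}-orig.key" -out "$Name.csr" -config .\openssl.cfg

# Check the CSR carries the SANs; if nothing is printed, req_extensions was not picked up
# and the CA will issue a certificate with no SAN at all.
$San = .\openssl.exe req -in "$Name.csr" -noout -text | Select-String -Pattern 'DNS:', 'IP Address:'
if (-not $San) { throw 'CSR has no subjectAltName; check req_extensions in openssl.cfg' }
$San

# 2. Rewrite the key in traditional "BEGIN RSA PRIVATE KEY" form (add -traditional on OpenSSL 3.x).
.\openssl.exe rsa -in "${Name}-orig.key" -out "$Name.key"

# 3. Normalise the issued certificate to PEM. A DER file begins with byte 0x30 (ASN.1 SEQUENCE),
#    a Base64/PEM file begins with "-----BEGIN", so pick the right -inform instead of guessing.
$FirstByte = [System.IO.File]::ReadAllBytes("$Bin\$Name.cer")[0]
if ($FirstByte -eq 0x30) {
    .\openssl.exe x509 -inform DER -in "$Name.cer" -out "$Name.crt"
} else {
    .\openssl.exe x509 -in "$Name.cer" -out "$Name.crt"
}

# 4. Prove the certificate and key are a pair before uploading: their RSA moduli must be identical.
#    This is the check that catches picking the wrong .key file.
$CertMod = (.\openssl.exe x509 -noout -modulus -in "$Name.crt") -replace 'Modulus=', ''
$KeyMod  = (.\openssl.exe rsa  -noout -modulus -in "$Name.key") -replace 'Modulus=', ''
if ($CertMod -ne $KeyMod) { throw "Certificate and key do not match: upload $Name.key, not ${Name}-orig.key" }

# 5. Show what the CA actually issued (subject, validity, SANs, EKU) so you know what PRSM will present.
.\openssl.exe x509 -in "$Name.crt" -noout -subject -issuer -dates
.\openssl.exe x509 -in "$Name.crt" -noout -text | Select-String -Pattern 'DNS:', 'IP Address:', 'TLS Web'
"OK: upload $Name.crt and $Name.key to PRSM > Administration > Server Certificates"
```

The modulus comparison in step 4 is the one check worth keeping even if you do everything else by hand: a certificate and key that do not match is the usual reason an appliance accepts the upload and then refuses to start its web service after the restart in steps 15 and 16.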

Related Articles, References, Credits, or External Links

NA