Cisco AnyConnect SSL/TLS Trustpoint

    I wanted to put together a quick tutorial for setting up a Cisco ASA – AnyConnect with SSL/TLS. I’ve done it a few times and I always have to look up each step and the order to do them in again, so why not make a quick post about it to remember!

    Optional: Destroy Current Trustpoint

    You will have to destroy or clear out the current trustpoint if it already exists. This must be done if you are going to re-generate the key, which is best practice when renewing a Certificate due to expiration or one that has been compromised.

    asa01(config)# no crypto ca trustpoint oldtrustpoint.trustpoint

    • It will warn you that it will destroy any certificates within the trustpoint.

    Generate a Key

    Here we generate our key, using 2048 bits. The key name can be anything you want, but I like to name it after the service I will be putting it on; for this tutorial that is accessthejimmahknowscom.key.

    asa01(config)# crypto key generate rsa label accessthejimmahknowscom.key modulus 2048

    Setting up the trustpoint locale and generating a CSR for submission

    First we need to set up a trustpoint object with our locale properties, etc.

    asa01(config)# crypto ca trustpoint newtrustpoint.trustpoint
    asa01(config-ca-trustpoint)# subject-name CN=access.thejimmahknows.com,O=thejimmahknows,C=US,St=Connecticut,L=Wethersfield
    asa01(config-ca-trustpoint)# keypair accessthejimmahknowscom.key
    asa01(config-ca-trustpoint)# fqdn access.thejimmahknows.com
    asa01(config-ca-trustpoint)# enrollment terminal
    asa01(config-ca-trustpoint)# exit
    
    • newtrustpoint.trustpoint — The name I gave to this trustpoint, which ties everything together.
    • subject-name — This command holds the distinguished name of the Certificate’s profile, see RFC3039.
    • keypair — This is the key to pair the trustpoint with; we generated it in the previous step.
    • fqdn — This is the main FQDN of our service that will use the trustpoint.
    • enrollment terminal — This tells the Cisco ASA to output the CSR (which we will create in the next step) to the terminal screen. Otherwise you will have to SFTP to the ASA and download it.
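    The CSR that enrollment terminal prints is what you hand to the CA, so it is worth checking its subject and key size before submitting it. The script below is an added example, not part of the original post; it assumes the openssl CLI is installed and uses a locally generated RSA-2048 CSR with the tutorial's subject as a stand-in for the ASA's terminal output.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a CSR pasted from the
# ASA terminal before sending it to the CA. Assumes the openssl CLI is installed.
set -e

# check_csr <csr.pem> <expected-fqdn> <min-bits>
# Prints "ok" and returns 0 when the CSR's CN equals the expected FQDN and the
# public key has at least <min-bits>; otherwise prints the reason and returns 1.
check_csr() {
    csr=$1; fqdn=$2; minbits=$3
    # RFC2253 formatting gives "subject=L=...,CN=..." across OpenSSL versions
    cn=$(openssl req -noout -subject -nameopt RFC2253 -in "$csr" \
         | grep -o 'CN=[^,]*' | head -n1 | cut -d= -f2-)
    # "Public-Key: (2048 bit)" (or "Public Key:" on older releases)
    bits=$(openssl req -noout -text -in "$csr" \
           | grep -o 'Public.Key: ([0-9]* bit)' | head -n1 | tr -dc '0-9')
    if [ "$cn" != "$fqdn" ]; then
        echo "CN mismatch: got '$cn', expected '$fqdn'"; return 1
    fi
    if [ -z "$bits" ] || [ "$bits" -lt "$minbits" ]; then
        echo "key too small: ${bits:-unknown} bits, need at least $minbits"; return 1
    fi
    echo ok
}

# make_sample_csr <out.csr> <out.key>
# Constructed stand-in for the ASA's terminal output: a locally generated
# RSA-2048 CSR with the subject the tutorial configures (openssl spells the
# state attribute ST, where the ASA subject-name command uses St).
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
        -subj "/CN=access.thejimmahknows.com/O=thejimmahknows/C=US/ST=Connecticut/L=Wethersfield" \
        2>/dev/null
}

# Demo: generate the sample CSR in a scratch directory and check it.
demo() {
    dir=$(mktemp -d)
    make_sample_csr "$dir/access.csr" "$dir/access.key"
    check_csr "$dir/access.csr" access.thejimmahknows.com 2048
    rm -rf "$dir"
}
demo
```

    To check a real CSR, save the PEM block the ASA prints to a file and run check_csr on it with the fqdn you configured.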
