| Field | Value |
|---|---|
| Case Number | K23200729 |
| Title | How to convert VPN Clients with pre-shared keys to certificates on the Cisco Adaptive Security Appliance (ASA) with software version 7.2.2 |
| Core issue | Sometimes a user is unable to enroll certificates on the Cisco ASA or VPN Client with a Microsoft Certificate Authority (CA) server that requires a challenge phrase. |
**Resolution**

In order to convert from the pre-shared key to certificates, complete these steps:

- Set up the trust point on the ASA. Refer to Configuring Certificates for more information.
- Ensure that you have an ISAKMP policy that matches this:

  ```
  hostname(config)# isakmp policy 1 authentication rsa-sig
  hostname(config)# isakmp policy 1 encryption 3des
  hostname(config)# isakmp policy 1 hash sha
  hostname(config)# isakmp policy 1 group 2
  ```

- Remove the `pre-shared-key` from the ipsec-attributes of the tunnel group and replace it with `trust-point trustPointName`. Refer to Enrolling and Managing Certificates for details on how to install the certificate on the VPN Client.

With certificate enrollment, the remote user must initiate the request; however, you can process the requests manually and send the response back to the user. Refer to the Enrolling Through a File Request section of Enrolling and Managing Certificates for details on how this is done from the user's perspective.

Refer to the About Revocation Checking section of Configuring Certificates for more information on how to set up and test the CRL.

Refer to Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1 for more information.
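The three steps above, written out as an added ASA 7.2 configuration example (not from the TAC case itself): the pre-shared-key remote-access setup is shown beside its certificate-based replacement. The trust point name `MS-CA`, key label `VPN_KEY`, tunnel group `RA_GROUP`, CA host and subject name are assumed values.

```cisco
! --- Before: one group secret shared by every VPN Client ---------------
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key <group-secret>
! (<group-secret> is a placeholder, not a real value)

! --- After: certificates ----------------------------------------------
! Step 1: key pair and trust point pointing at the Microsoft CA SCEP URL
crypto key generate rsa label VPN_KEY modulus 1024
crypto ca trustpoint MS-CA
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 subject-name CN=asa.example.com,OU=RA_GROUP,O=Example
 keypair VPN_KEY
 crl required
 crl configure
  policy cdp
! "crl required" fails closed if the CRL cannot be fetched; "policy cdp"
! uses the CRL distribution point embedded in each certificate.
! Exec mode: fetch the CA certificate, then enroll. The enroll command
! prompts for the challenge password that the Microsoft CA hands out on
! its mscep_admin page (the "challenge phrase" from the Core issue).
crypto ca authenticate MS-CA
crypto ca enroll MS-CA

! Step 2: the ISAKMP policy must offer rsa-sig; the rest stays the same
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2

! Step 3: replace the group secret with the trust point
tunnel-group RA_GROUP ipsec-attributes
 no pre-shared-key
 trust-point MS-CA
 peer-id-validate req
! peer-id-validate req rejects a client whose certificate identity does
! not match the identity it presents in IKE.
! Clients are steered to the tunnel group by the OU in their certificate
tunnel-group-map enable ou
tunnel-group-map default-group RA_GROUP
```

After enrolling, `show crypto ca certificates` confirms the identity and CA certificates are installed before the pre-shared key is removed from the group.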
| Field | Value |
|---|---|
| Problem Type | How to (General Information) |
| Product Family | VPN - hardware & software clients<br>ASA Hardware & Software |
| VPN Client Software Version | Cisco VPN Client |
| ASA Software Version | 7.2 |
| ASA Models | ASA 5500 |
| VPN Tunnel End Points | Client<br>ASA |
| VPN Protocols | Certificates - Public Key Infrastructure (PKI)<br>Pre-shared key |
| Direct URL | http://www.ciscotaccc.com/security/showcase?case=K23200729 |