Once you have disabled the local CA, you are now free to configure the ASA firewall with a properly-signed identity certificate.

  1. Create a CSR on the ASA firewall and send it to the external CA. The ASA needs an Identity Certificate signed by the external CA. For assistance, follow Cisco’s instructions for Generating a CSR on the ASA firewall.

    After you have completed all the steps, a *CER file (for example, cert_client_id.cer) downloaded to your local machine that was obtained from the external CA.

  2. Download the certificate from the external CA and install it on the ASA firewall to authenticate that the external CA is a trusted source. For assistance, follow Cisco’s instructions on how to install the external CA’s certificate.

    Certs_Cisco_IPSec4

  3. Install the Identity Certificate that you previously downloaded from the external CA. This certificate is used to verify that the Identity Certificate users authenticate with the same parameters and are coming from the same external CA as the Identity Certificate on the ASA firewall. For assistance, follow Cisco’s instructions on how to install ASA’s Identity Certificate. After completing these steps, the Identity Certificate that the external CA created is now installed on your ASA firewall.

    Certs_Cisco_IPSec5

  4. Configure the VPN settings on the ASA. To begin, you must enable AnyConnect access on the appropriate VPN interface. Follow instructions on the Cisco Web site on how to enable the AnyConnect client access to the ASA.
  5. Specify the group policy that is applied to AnyConnect clients and devices that connect to SSL VPN through the ASA firewall. Follow instructions on the Cisco Web site on how to create a SSL VPN Group Policy that is used by the ASA firewall.
  6. Set up the connection profile and tunnel group to define the connection parameters of the SSL VPN session used by AnyConnect clients. For assistance, follow instructions on the Cisco Web site.

    While creating a connection profile and tunnel group on the ASA for SSL VPN clients, a screen similar to the image here appears so that you can configure the PublicCertVPN SSL VPN Connection Profile. When this screen appears, make sure that you select Certificate instead of AAA authentication.

    Certs_Cisco_AnyConnect6

Next Steps

You have completed all the steps necessary to configure the external CA and ASA firewall to create a trust using certificates. You have enabled access, created a group policy, and created a connection profile so that SSL VPN certificate authentication can now be used with Cisco AnyConnect clients to gain access into your enterprise network.

Now, you can connect a device to your network using SSL VPN. The last step is to configure Workspace ONE UEM to manage devices. Continue to the following steps to integrate Workspace ONE UEM.

See Integrate Workspace ONE UEM with the External CA for more information.