Once you have disabled the local CA on the ASA firewall, you are now free to configure the IPSec VPN.

  1. Create a CSR on the ASA firewall and send it to the external CA. This is because the ASA needs an Identity Certificate signed by the external CA. For assistance, follow Cisco’s instructions for Generating a CSR on the ASA firewall.

    After you have completed all the steps, a *.cer file (for example, cert_client_id.cer) obtained from the external CA is downloaded to your local machine.

  2. Download the certificate from the external CA and install it on the ASA firewall to authenticate that the external CA is a trusted source. For assistance, follow Cisco’s instructions on how to install the external CA’s certificate.

  3. Install the Identity Certificate that you previously downloaded from the external CA. This is used to verify that the Identity Certificates users authenticate with carry the same parameters and come from the same external CA as the Identity Certificate on the ASA firewall. For assistance, follow Cisco’s instructions on how to install ASA’s Identity Certificate. After completing these steps, the Identity Certificate that was created by the external CA is installed on your ASA firewall as shown below:

  4. Configure the IKE policies, tunnel properties and policies, group policies, available VPN client IP addresses (pool), user accounts and group assignments, and associate these configurations to create an IPSec profile used by the VPN clients.

    Visit the Cisco website for instructions on creating a remote access connection profile and tunnel group on the ASA for IPSec VPN clients. Complete the steps needed to establish certificate-based trust between the external CA and the ASA firewall, then configure a remote access connection profile and tunnel group so that your VPN clients can use IPSec VPN certificate authentication to gain access to your enterprise network.

    At this time, you should be able to connect a device to your network using IPSec VPN. The last step is to configure Workspace ONE UEM to manage devices. Continue to the following steps to integrate Workspace ONE UEM.

    Next, you must Integrate Workspace ONE UEM with the External CA.
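The CLI equivalent of steps 1 through 4, as an added example that is not from this guide or from Cisco’s documentation, for readers who prefer the ASA console to ASDM. The trustpoint, keypair, pool, group-policy and tunnel-group names, the subject name, and the 10.10.10.0/24 client pool are assumed placeholders, and the cipher settings are one reasonable choice rather than the only valid one.

```cisco
! --- Steps 1-3: keypair, trustpoint, CSR, CA certificate, identity certificate ---
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint EXTERNAL-CA
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example Corp
 keypair VPN-KEY
! Prints the CSR to the terminal; submit it to the external CA (step 1)
crypto ca enroll EXTERNAL-CA
! Paste the external CA's own certificate so the ASA trusts it (step 2)
crypto ca authenticate EXTERNAL-CA
! Paste the signed identity certificate, e.g. cert_client_id.cer (step 3)
crypto ca import EXTERNAL-CA certificate

! --- Step 4: IKEv2 policy and IPsec proposal ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto dynamic-map DYN-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! --- Step 4: client address pool and group policy ---
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy VPN-GP internal
group-policy VPN-GP attributes
 vpn-tunnel-protocol ikev2

! --- Step 4: connection profile; both peers authenticate with certificates ---
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-GP
tunnel-group VPN-TG ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate EXTERNAL-CA

! Check: the trustpoint should list both the CA certificate and the identity certificate
show crypto ca certificates EXTERNAL-CA
```

Because the tunnel group uses `ikev2 remote-authentication certificate`, a client whose certificate does not chain to the EXTERNAL-CA trustpoint is rejected at IKE authentication, which is the trust relationship step 3 describes.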