Manage CA Certificates for VPN Connections

When devices connect to networks using virtual private networks (VPNs), Cisco Secure Access authenticates the users and devices through the organization's Certificate Authority (CA) certificate.

Set up the trust between Secure Access and the user devices in the organization that connect over a VPN:

  1. Install a certificate signed by your organization's Certificate Authority (CA) on all devices.
  2. Upload your organization's signed CA root certificate to Secure Access.

Prerequisites

Install a Certificate Authority Certificate on User Devices

Install your corporate Certificate Authority (CA) root certificate on the user devices in your organization. For information about installing certificates on devices, see Install the Cisco Secure Access Root Certificate.

Procedure

View Notifications About Expired VPN Certificate Authority Certificates

  1. Navigate to Secure > Certificates > VPN Certificate Authority.
  2. Secure Access displays a banner if a certificate has expired or will expire within 90 days.

Upload VPN Certificate Authority Certificates

  1. Navigate to Secure > Certificates > VPN Certificate Authority.
  2. Click Upload CA Certificate.
  3. Upload your signed CA root certificate, and then click Save.

View VPN CA Certificates

  1. Navigate to Secure > Certificates > VPN Certificate Authority.
    Secure Access lists the certificates uploaded by your organization.

Issued to—The name to which the VPN CA certificate is issued.

Issuer—The CA that issued the certificate.

Serial—The serial number of the certificate.

Expiration—The date when the certificate is no longer valid.

Manage Certificate Revocation Settings

  1. Navigate to Secure > Certificates > VPN Certificate Authority.
  2. Click a VPN CA certificate Issued to link to open the certificate details.
  3. For Revocation settings, enable Check for revocation.
  4. For Protocol, check Online Certificate Status Protocol, and then check one of the following:
    a. Use AIA from certificate.
    b. Manual.
  5. For Protocol, check Use CRL distribution point (CDP) from certificate.
  6. Click Save.
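Before uploading a CA root certificate and enabling revocation checking, it is worth confirming that the file is a self-signed CA root, whether it already falls inside the 90-day window that triggers the expiry banner, and whether it carries the CRL distribution point and OCSP AIA URLs that the "from certificate" options depend on. The Go program below is an added example, not Cisco's code or part of Secure Access; the certificate it inspects is constructed inside the program, and the "Example Corp" name and example.test URLs are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CAReport mirrors the Secure Access list columns (Issued to, Issuer, Serial, Expiration) plus pre-upload checks.
type CAReport struct {
	IssuedTo, Issuer, Serial, Expiration string
	IsSelfSignedRoot                     bool     // CA:TRUE, subject == issuer, and it verifies under its own key
	ExpiresWithin90Days                  bool     // the window in which Secure Access shows an expiry banner
	CRLDPs, OCSPURLs                     []string // sources for "Use CRL distribution point" and "Use AIA"
}

// InspectCAPEM parses one PEM-encoded certificate and fills in the report.
func InspectCAPEM(pemBytes []byte, now time.Time) (*CAReport, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" { return nil, fmt.Errorf("no CERTIFICATE block in input") }
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return nil, err }
	root := cert.IsCA && cert.Subject.String() == cert.Issuer.String() && cert.CheckSignatureFrom(cert) == nil
	return &CAReport{IssuedTo: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
		Serial: cert.SerialNumber.Text(16), Expiration: cert.NotAfter.Format(time.RFC3339), IsSelfSignedRoot: root,
		ExpiresWithin90Days: cert.NotAfter.Before(now.Add(90 * 24 * time.Hour)),
		CRLDPs: cert.CRLDistributionPoints, OCSPURLs: cert.OCSPServer}, nil
}

// NewTestRootPEM builds a constructed self-signed root CA (sample data, not a real organization) with a CRL DP and an OCSP AIA URL.
func NewTestRootPEM(validFor time.Duration) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(0x1001), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Corp VPN Root CA", Organization: []string{"Example Corp"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		CRLDistributionPoints: []string{"http://crl.example.test/vpn-root.crl"},
		OCSPServer:            []string{"http://ocsp.example.test"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) } // constructed input, so a failure here is a programming error
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { // inspect a constructed certificate that expires in 60 days, so the banner check fires
	r, err := InspectCAPEM(NewTestRootPEM(60*24*time.Hour), time.Now())
	if err != nil { panic(err) }
	fmt.Printf("%+v\n", *r)
}
```

A certificate that reports IsSelfSignedRoot false is an intermediate or leaf and is not what the Upload CA Certificate step expects; empty CRLDPs or OCSPURLs mean the corresponding "from certificate" revocation option has nothing to query.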

View the CA Certificate Details

  1. General certificate details:

Type—The type of the certificate.

Serial Number—The serial number of the certificate.

Public Key Type—The type of the public key.

CRL DP—Certificate Revocation List (CRL) Distribution Point. The location where you can check the revocation status of the certificate.

Valid From—The date from which the certificate is valid.

Valid To—The date after which the certificate is no longer valid.

Associated Trustpoints

Signature Algorithm—The cryptographic hash algorithm (Secure Hash Algorithm 256, SHA-256).

  2. Issued to certificate details.

The entity that uses the certificate to build a trust relationship with Secure Access.

Common Name—The fully-qualified domain name that is secured by the certificate.

Organization—The organization to which the certificate is issued.

Country—The country where the certificate was issued, specified as a two-character country code.

  3. Issuer certificate details.
    The issuer is the entity (trusted authority) that issues the certificate.

    Common Name—The fully-qualified domain name that is secured by the certificate.

    Organization—The organization that issued the certificate.

    Country—The country where the certificate was issued, specified as a two-character country code.

Delete a VPN Certificate

  1. Navigate to Secure > Certificates > VPN Certificate Authority.
  2. To remove a certificate, follow the steps in one of the options:
    a. Click a VPN CA certificate Issued to link to open the certificate details, and then click Delete. Click Delete again to confirm the removal of the certificate.
    b. Hover over the ellipsis (...) and click Delete. Click Delete again to confirm the removal of the certificate.
