Cisco ASA and/or IOS support


#1

Hey all,

I’m relatively new to Let’s Encrypt and would like to know if there’s any support for generating valid SSL certificates for Cisco AnyConnect on the Cisco ASA firewalls/ISR routers?

If so, where can I find the required SSL certificate chain to install into my router, and how do I sign the SSL certificate on my Linux machine? Can I just generate a 64-bit encoded SSL certificate request, copy it to my Linux machine, sign it using the tool and copy the response back onto my router or firewall (after installing the root and intermediary SSL certificate, of course)?


#2

Let’s Encrypt will probably not fit to your needs:

First of all you need to prove possession of the domain - you could use another server to do so. Therefore you have to run the Let’s Encrypt client in standalone mode, generate the certificate and copy it afterwards onto the ASA.
BUT this has to be done every 90 days.
The Let’s Encrypt client is designed to automate the whole process, including the renewal, on a webserver.

Cisco may support the ACME protocol in the future (Let’s Encrypt is based on it), but for now you may use an alternative like WoSign: Install a certificate on Cisco ASA 5520


#3

While this ‘let’s automate it’ is all very good and well, it shouldn’t be to the detriment of those that can’t (or don’t want to; it is, after all, a pretty critical thing that could screw things up royally if it goes wrong) do it automatically.


#4

First of all, thank you for the information.

Proof of the domain is not a problem, I can use NAT or forward the domains to an internal server for a few hours or to the DMZ to an IP address.

I’ll try and see whether I can have a Linux server function as an in-between server, with a bash script that connects to IOS through SSH and executes commands on IOS using an automated IOS step procedure, run from a cron job on the Linux server. I think that’ll be the best way to go and roll it out to our customers, though it’s a security risk as you put the admin credentials of the IOS router in a script :(.
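A defensive take on the script sketched in this post, as an added example (not code from the thread, from Cisco or from Let’s Encrypt): a certbot `--deploy-hook` that bundles the renewed certificate with its chain and imports it into a Cisco IOS trustpoint over SSH, using a dedicated least-privilege router account with SSH-key authentication instead of admin credentials embedded in the script. The hostname, account, key path, trustpoint name and the exact IOS import dialogue (`crypto pki import ... pkcs12 terminal`) are assumptions that must be verified against the target platform and release.

```shell
#!/bin/bash
# Added example: certbot deploy hook that pushes a renewed Let's Encrypt
# certificate into a Cisco IOS trustpoint. Assumptions: certbot runs in
# --standalone mode on this Linux host; the router account is a dedicated,
# least-privilege one authenticated with an SSH key (no password in this file);
# the IOS "crypto pki import ... pkcs12 terminal" dialogue below must be checked
# against the target release (ASA syntax differs).
set -euo pipefail

ROUTER="${ROUTER:-router.example.net}"                    # assumed hostname
ROUTER_USER="${ROUTER_USER:-certdeploy}"                  # assumed dedicated account
SSH_KEY="${SSH_KEY:-/etc/letsencrypt/deploy/id_ed25519}"  # assumed key path
TRUSTPOINT="${TRUSTPOINT:-LE-ANYCONNECT}"                 # assumed trustpoint name

# Bundle private key, leaf certificate and the Let's Encrypt chain from a
# certbot lineage directory (live/<domain>/) into a PKCS#12 file protected by $3.
make_pkcs12() {  # $1 lineage dir, $2 output file, $3 export passphrase
    openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$1/cert.pem" \
        -certfile "$1/chain.pem" -name "$TRUSTPOINT" -passout "pass:$3" -out "$2"
    chmod 600 "$2"
}

# Render the IOS session that imports the PKCS#12 bytes read on stdin: the import
# command, the base64 body, "quit" to end the paste, then save the config.
# Pure text transformation, so it can be inspected and tested without a router.
render_ios_import() {  # $1 trustpoint, $2 passphrase; PKCS#12 bytes on stdin
    printf '%s\n' "configure terminal" \
        "crypto pki import $1 pkcs12 terminal password $2"
    base64 -w 64
    printf '%s\n' "quit" "end" "write memory"
}

deploy() {
    local lineage="${RENEWED_LINEAGE:?set by certbot for the renewed lineage}"
    local bundle pass
    bundle="$(mktemp)"
    trap 'rm -f "$bundle"' EXIT                           # never leave the key on disk
    pass="$(openssl rand -hex 16)"                        # per-run passphrase, not stored
    make_pkcs12 "$lineage" "$bundle" "$pass"
    render_ios_import "$TRUSTPOINT" "$pass" <"$bundle" |
        ssh -i "$SSH_KEY" -o BatchMode=yes "$ROUTER_USER@$ROUTER"
}

# Only act when certbot invokes the hook after an actual renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy; fi
```

Binding the trustpoint to the WebVPN/AnyConnect gateway is a one-time configuration step on the router and is deliberately not part of the hook.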


#5

Seeing as Cisco is a major sponsor, I would be shocked if Cisco never adds Let’s Encrypt support to IOS. It might take a while before it comes out, but I bet it’s coming.


#6

Firstly, I am excited about the work that Let’s Encrypt is doing to expand pervasive TLS on the web.

What is the process to get an Enhancement Request opened and accepted by the Let’s Encrypt team? Do you guys require a certain minimum business value? A certain minimum number of “customers” who would benefit?

For those using platforms like IOS, etc. that cannot support the ACME protocol at this time, would the equivalent of a Product Manager for LE consider accepting an enhancement request to add a Registration Authority that operates as a SCEP proxy in addition to the ACME protocol RA? This would open Let’s Encrypt up to many more platforms, and is predicated on some of the same goals as the ACME protocol.

Thank you.


#7

@dtk, there’s currently no formal process to request new features in Let’s Encrypt services. Posting on this forum is a good way to express interest because people working on the project read it frequently. Right now everyone is working hard on features that are essential for general availability next month, so there’s no realistic prospect of enhancements like new validation methods before then.


#8