Cisco ASA–Send the right enrollment request to the CA

A few things I forgot to mention in my previous posts. You need to send a properly formatted request to the Microsoft NDES service from the Cisco ASA. The request needs to include the domain name and the correct key size. If you do not specify these enrollment properties correctly, the CA will deny the request, and the denial usually shows up in the CA's application log as a key-size error.

There is no real need to go up to a 2048-bit key size unless your security requirements demand it. Remember that both a larger key size and a higher number of connections will increase the CPU load on the ASA.

Here is an example configuration for the ASA enrollment:



Also, be sure the NDES service account has the correct security permissions on the certificate template. Go ahead and give it "Full Control"; this also selects the Autoenroll permission.
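For reference, here is an added example of an ASA trustpoint configuration for SCEP enrollment against NDES. This is not the author's configuration; the trustpoint name, key-pair label, NDES host name, ASA FQDN and subject name are all placeholders, and the 2048-bit modulus is only an illustration (whatever size you pick must match the minimum key size set on the certificate template, or the CA denies the request as described above).

```cisco
! Generate the RSA key pair the trustpoint will use.
! Label and modulus are assumptions; the modulus must match the
! template's minimum key size, and a larger modulus costs ASA CPU.
crypto key generate rsa label NDES-KEY modulus 2048

! Trustpoint pointing at the NDES SCEP endpoint (host name is a placeholder).
crypto ca trustpoint NDES-TP
 enrollment url http://ndes.example.com/certsrv/mscep/mscep.dll
 ! FQDN and subject name go into the request so the CA can match the template.
 fqdn asa.example.com
 subject-name CN=asa.example.com,OU=Network,O=Example
 ! Bind the key pair generated above.
 keypair NDES-KEY
exit

! Retrieve and accept the CA certificate first, then submit the enrollment request.
crypto ca authenticate NDES-TP
crypto ca enroll NDES-TP

! Confirm the issued identity certificate landed in the trustpoint.
show crypto ca certificates NDES-TP
```

When `crypto ca enroll` prompts for a challenge password, supply the one-time enrollment password obtained from the NDES admin page; if the request is denied, check the CA's application log for the key-size or template-permission reason before retrying.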
