Adding Tls Trusted Hosts - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Chapter 4
Initial Configuration Tasks
Caution  The web browser initially rejects the certificate presented by IDM and ASDM because it does not trust the CA.

Note  IDM and ASDM are enabled by default to use TLS and SSL. We highly recommend that you use TLS and SSL.

The process of negotiating an encrypted session in TLS is called "handshaking," because it involves a number of coordinated exchanges between client and server. The server sends its certificate to the client. The client performs the following three-part test on this certificate:

1. Is the issuer identified in the certificate trusted?
   Every web browser ships with a list of trusted third-party CAs. If the issuer identified in the certificate is among the list of CAs trusted by your browser, the first test is passed.

2. Is the date within the range of dates during which the certificate is considered valid?
   Each certificate contains a Validity field, which is a pair of dates. If the date falls within this range of dates, the second test is passed.

3. Does the common name of the subject identified in the certificate match the URL hostname?
   The URL hostname is compared with the subject common name. If they match, the third test is passed.

When you direct your web browser to connect with IDM or ASDM, the certificate that is returned fails because the sensor issues its own certificate (the sensor is its own CA) and the sensor is not already in the list of CAs trusted by your browser.

When you receive an error message from your browser, you have three options:

• Disconnect from the site immediately.
• Accept the certificate for the remainder of the web browsing session.
• Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the certificate until it expires.

The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from being victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in your web browser is the same as the one on your sensor.

Caution  If you change the organization name or hostname of the sensor, a new certificate is generated the next time the sensor is rebooted. The next time your web browser connects to IDM or ASDM, you will receive the manual override dialog boxes. You must perform the certificate fingerprint validation again for Internet Explorer, Netscape, and Mozilla.

Adding TLS Trusted Hosts

In certain situations, the sensor uses TLS and SSL to protect a session it establishes with a remote web server. For these sessions to be secure from man-in-the-middle attacks you must establish trust of the remote web servers' TLS certificates. A copy of the TLS certificate of each trusted remote host is stored in the trusted hosts list.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
Configuring TLS
78-16527-01
4-35

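The following Go program is an added example, not code from the Cisco guide or from the sensor. It models the two mechanisms this page describes: the browser's three-part certificate test (issuer trusted, date within validity, subject common name matches the URL hostname) and a trusted hosts list that accepts a remote host's certificate only after its fingerprint has been confirmed out of band. It uses only the Go standard library and generates a self-signed "sensor" certificate in memory; the hostname sensor.example.test, the organization name and the validity dates are constructed sample values, and the fingerprint-keyed map is a simplification of the sensor's stored-certificate list.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CAList is the browser's list of trusted CA certificates (empty by default for our sensor).
type CAList []*x509.Certificate

// TestResult holds the outcome of the three-part test, one field per test.
type TestResult struct {
	IssuerTrusted bool // test 1
	DateValid     bool // test 2
	NameMatches   bool // test 3
}

// NewSelfSignedCert builds a certificate that is its own CA, as the sensor does.
// (constructed sample: ECDSA P-256 key, fixed serial number and organization name)
func NewSelfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Org"}, CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // the sensor issues its own certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint returns the SHA-256 fingerprint of the DER certificate as colon-separated
// upper-case hex, the form an operator compares against the value shown on the sensor.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(h)/2)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// ThreePartTest applies the three browser checks described in the text.
func ThreePartTest(cert *x509.Certificate, trusted CAList, urlHost string, now time.Time) TestResult {
	var r TestResult
	// Test 1: the issuer must be in the trusted list AND must actually have signed this certificate.
	for _, ca := range trusted {
		if bytes.Equal(ca.RawSubject, cert.RawIssuer) && cert.CheckSignatureFrom(ca) == nil {
			r.IssuerTrusted = true
			break
		}
	}
	// Test 2: the current date must fall inside the Validity field.
	r.DateValid = !now.Before(cert.NotBefore) && !now.After(cert.NotAfter)
	// Test 3: the subject common name must match the URL hostname (as the text states).
	r.NameMatches = strings.EqualFold(cert.Subject.CommonName, urlHost)
	return r
}

// TrustedHosts maps a remote hostname to the fingerprint of the certificate confirmed out of band.
type TrustedHosts map[string]string

// Add pins a host only if the certificate seen on the wire matches the out-of-band fingerprint,
// so an attacker posing as the remote host cannot get its own certificate stored.
func (t TrustedHosts) Add(host string, cert *x509.Certificate, confirmedFingerprint string) error {
	if Fingerprint(cert.Raw) != confirmedFingerprint {
		return fmt.Errorf("fingerprint mismatch for %s: refusing to add to trusted hosts", host)
	}
	t[host] = confirmedFingerprint
	return nil
}

// Check reports whether the certificate presented by host is the one that was pinned.
func (t TrustedHosts) Check(host string, cert *x509.Certificate) bool {
	fp, ok := t[host]
	return ok && fp == Fingerprint(cert.Raw)
}

func main() {
	nb := time.Now().Add(-time.Hour)
	sensor, err := NewSelfSignedCert("sensor.example.test", nb, nb.Add(365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("sensor fingerprint (compare out of band):", Fingerprint(sensor.Raw))
	fmt.Printf("before trusting issuer: %+v\n", ThreePartTest(sensor, nil, "sensor.example.test", time.Now()))
	fmt.Printf("after trusting issuer:  %+v\n", ThreePartTest(sensor, CAList{sensor}, "sensor.example.test", time.Now()))
}
```

Run as written, the first line of output is the fingerprint an operator would compare with the value read from the sensor, and the two result lines show test 1 failing until the sensor's own certificate is added to the trusted list, exactly the sequence the manual describes. The third check follows the text in comparing the subject common name; current browsers match the hostname against the Subject Alternative Name extension instead, so a certificate without SANs fails in them even when the common name matches.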