How to force ASA to reference the certificate?

break

I'm trying to set up a VPN between two remote sites utilizing 5510 ASAs. The VPN will need to use PKI certificates instead of pre-shared keys. I have attempted to generate a certificate request, pass it to a computer set up as a "test" CA, put the cert on the ASAs and selected the certificate on the ASDM.

After I did this, I found that if I changed the pre-shared key, the VPN tunnel would not form. How can I force the ASA to reference the certificate rather than the pre-shared key? Additionally, can I install the same certificate on each firewall or do I have to generate a new request from each device?

I have been working on this for a while with no success. Thanks in advance.

phoeneous

You created the cert from a pc and not the asa? ASA's can create certs themselves.

apr911

As Phoeneous said, the ASA is capable of generating its on cert but that doesnt mean you have to use it.

Anyway, as to why you're still using the pre-shared-key its probably because you dont have an ISAKMP policy configured to use RSA-SIG.

You'll need to setup a new ISAKMP policy with a lower policy number with Authentication specified as RSA-SIG.

break

You were right. I had to change my isakmp policy to authentication rsa-sig. I'm still having difficulty figuring out how to generate the cert. The problem I face is that we are converting to using RSA-SIG and the signatures we are using have to be DoD approved, therefore coming from them and not my own ASA.