Cisco ASA – Site to Site Ikev2 Certificate Authentication Without Certificate Authority

Tags: cisco, cisco-asa, tunnel, vpn

Is it possible to set up a site-to-site IPsec tunnel on two ASAs with certificate authentication without an available certificate authority for both ASAs?
As per the guide from the Cisco site, a certificate authority is required. Could anyone help with some materials, guides, etc.? The business need is to eliminate PSK.


Best Answer

From the comments I understand that you mean you have a CA, it's just not reachable by the VPN peers. (If you do not have a CA at all, things are different.) As you mention yourself in the comments, installing the CA certificate on each side is enough to be able to validate the peer's certificate, and access to the CA is only required if you want to do revocation checking (i.e. download the CRL).

There are multiple ways to solve this:

1) If you control the CA, you can configure it to push the CRL out to a separate HTTP server that is accessible from the VPN peers, and include that server's URL as the CDP in the certificates.

2) If you control the CA, you can configure it to issue certificates without a CDP.

3) On the VPN peers, you can configure "crl nocheck" under the CA trustpoint.

Obviously, solution 1 would be the most secure as it still allows revocation checking.
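The following is an added ASA configuration sketch illustrating the answer's options 1 and 3 together with a PSK-free IKEv2 tunnel group; it is not the answerer's own config. It uses the current ASA `revocation-check` syntax rather than the older `crl nocheck`, and the trustpoint name, peer address, ACL name and CRL mirror URL are placeholders.

```cisco
! Added example (not from the original post). Names, addresses and URLs are placeholders.
! Trustpoint holding the offline CA's certificate; configure identically on both ASAs.
crypto ca trustpoint OFFLINE-CA
 enrollment terminal
 ! Option 1: keep revocation checking, fetching the CRL from the reachable HTTP mirror.
 ! With 'policy cdp' the ASA follows the CDP URL embedded in the certificate, so the
 ! CA must publish its CRL to that mirror and put the mirror URL in the CDP.
 revocation-check crl
 crl configure
  policy cdp
 ! If the CDP cannot be changed, point the ASA at the mirror directly instead:
 !  policy static
 !  url 1 http://crl-mirror.example.com/offline-ca.crl
 ! Option 3: skip revocation checking entirely (replace the lines above with this).
 ! revocation-check none
!
! Paste the CA certificate, then generate a CSR, have the offline CA sign it, and
! import the issued identity certificate. Repeat on the second ASA.
crypto ca authenticate OFFLINE-CA
crypto ca enroll OFFLINE-CA
crypto ca import OFFLINE-CA certificate
!
! IKEv2 and IPsec parameters.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 enable outside
!
! Site-to-site tunnel group: both peers authenticate with certificates, no pre-shared key.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate OFFLINE-CA
!
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set trustpoint OFFLINE-CA
crypto map OUTSIDE-MAP interface outside
```

After the tunnel comes up, `show crypto ikev2 sa` should show the peer authenticated by certificate, and with option 1 `show crypto ca crls` confirms the CRL was actually retrieved from the mirror.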