topic Re: ASA to FTD migration - SSL trustpoint for multiple domain question in Network Security

ASA to FTD migration - SSL trustpoint for multiple domain question

Matus Kozak — Tue, 02 Jul 2024 08:04:37 GMT

Hello,

on the old ASA FW I had ssl configuration for multiple domain... for VPN and Anyconnect use. If user wrote to Anyconnect vpn.domaina.example it matches correct certificate and Anyconnect client was without warning about untrusted certificate...

example:
ssl trust-point TRUSTPOINT-A domain vpn.domainA.example
ssl trust-point TRUSTPOINT-B domain vpn.domainB.example
etc.

Is it possible to do this on FMC/FTD? 7.2.5
I did not find it, I tried to look at flex config, maybe I miss something...

thanks.

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

MHM Cisco World — Tue, 02 Jul 2024 10:20:14 GMT

can you more elaborate

MHM

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

Matus Kozak — Tue, 02 Jul 2024 12:31:08 GMT

it is simple...

how to move ASA config:
"ssl trust-point TRUSTPOINT-A domain vpn.domainA.example
ssl trust-point TRUSTPOINT-B domain vpn.domainB.example"

to FTD. That you have more domains (vpn domains/url) on same FTD with matching correct start (*) certificate (*.domain.xyz) to avoid that user will see warnings about untrusted site certificate if it does not match.

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

tvotna — Tue, 02 Jul 2024 12:57:38 GMT

@Matus Kozak, are you sure that adding "domain" option to the "ssl trust-point" command solves untrusted certificate issue because ASA is able to choose correct trustpoint when client connects? How do you start connection, from the browser or right from the AnyConnect client?

I'm confused, because AnyConnect client doesn't support TLS SNI extension yet, which is a design bug CSCue35947 / CSCvh77602. So, if the client doesn't send SNI, the ASA doesn't know which "virtual server" the client connects to during TLS handshake and hence cannot choose correct certificate for the respective domain (group-url)...

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

Matus Kozak — Tue, 02 Jul 2024 13:49:39 GMT

@tvotna well, I'm sure that I dont have an issue with cert and untrusted domain, on the ASA 9.12(4) it is working and does not matter if it is Anyconnect or browser. So if I go to one url I have correct cert and if I go to second url again I have correct cert for second domain.

I migrated ASA to FTD and I would like to use similar config on FTD that I have more domains and need to match correct cert (webserver? cert)

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

tvotna — Tue, 02 Jul 2024 17:33:08 GMT

I'm puzzled. I don't understand how this can work on ASA. Let's ask @ccieexpert , maybe he can shed some light.

FMC doesn't have an option to configure "domain" as you mentioned. So, the only option is to use flexconfig here.

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

ccieexpert — Wed, 03 Jul 2024 06:34:21 GMT

the secure client does support SNI.. unfortunately from what I can see flexconfig does not support it. you may want to talk to your partner or Cisco account team to take it up with the business unit...

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

tvotna — Wed, 03 Jul 2024 08:57:15 GMT

Right. Looking at the sniffer trace I can confirm that AnyConnect 4.10 sends SNI. Looks like Cisco fixed this issue at some point, but forgot to update CSCvh77602.

@Matus Kozak, the solution is to generate new FTD certificate and include all of FTD hostnames into the SAN certificate field.

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

MHM Cisco World — Wed, 03 Jul 2024 12:41:56 GMT

I think you need two point here if I am correct
1- FTD using wildcard

https://community.cisco.com/t5/vpn/ftd-vpn-wildcard-certificate/td-p/4184374

2- FTD using cert mapping

https://integratingit.wordpress.com/2023/07/14/ftd-anyconnect-certificate-map/

this make FTD use wildcard for both anyconnect two group and FTD use user cert to mapping it to correct profile
MHM

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

Matus Kozak — Wed, 03 Jul 2024 14:00:40 GMT

@tvotna , I dont need more FTD hostnames and include them into the SAN. I need multiple certificates (wildcards) to match multiple domain names as I wrote in first post.

@MHM Cisco World , thanks. 2-FTD cert mapping is for user authenticatioin, it's good but I dont need this.
I have two wildcard certs for two different domains... I need similar functionality how it was on the ASA... domain cert match. So I have trust-point for one domain, second trust-pont for second domain an if somebody write to anyconnect or browser https://firstdomain it matches first cert and https://seconddomain it matches second trustpoint. Two (or more) domains on outside interface, same IP. Hope it is clear.

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

MHM Cisco World — Wed, 03 Jul 2024 14:24:44 GMT

in ftd when you add anyconnect connection profile you can select which cert. Ftd will use for this profile abd here you can use wildcard cert.

So first add two cert to ftd one for each CA (trsut point) and then use each one for different anyconnect profile.

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

You have two choice 1- use pkts 2- use manual' i.e. generate csr and sign identity cert of ftd from ca.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html

That it.

MHM

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

tvotna — Wed, 03 Jul 2024 15:38:37 GMT

@Matus Kozak, instead of multiple certificates use single certificate and include *.domainA.example and *.domainB.example into the SAN field. You can put as many hostnames or domainnames into the SAN as you need when creating certificate signing request on Windows or with OpenSSL (ASA/FTD cannot do this). That simple.

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

ccieexpert — Wed, 03 Jul 2024 18:53:56 GMT

the problem or challenge is that multiple engineers can file bug and they become duplicate... and at times a QA/developer may file a new bug...you can open a TAC case and have them link all of these as duplicates to the bug that added the feature..

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

ccieexpert — Wed, 03 Jul 2024 19:00:34 GMT

I think until they implement that features, the suggestion to use multiple wildcard in one cert maybe the way to go 🙂

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

Matus Kozak — Sat, 27 Jul 2024 19:33:23 GMT

one option which worked for me was to change HostName and HostAddress in XML profile...

for example:

<HostName>domain1.example.com</HostName>
<HostAddress>domain2.example.com</HostAddress>

or vice versa.

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

tkiel — Wed, 03 Sep 2025 13:28:03 GMT

Hi Matus

Is it correct that you did not solve the issue and had to do a workaround?

I have the same issue, and yes, we can implement a workaround, but this is a feature working on a ASA but is blocked on FTD/FMC.

regards Thomas

Re: ASA to FTD migration - SSL trustpoint for multiple domain question

MHM Cisco World — Wed, 03 Sep 2025 13:30:26 GMT

Make new post please

MHM