topic Wildcard SSL cert on ASA in Network Security

Wildcard SSL cert on ASA

S891 — Tue, 12 Mar 2019 06:28:52 GMT

Hi,

I have ASA Firewall that will host both our Anyconnect VPN and clientless SSL Webvpn. I am planning to install public CA cert. It will require two certs , one for each vpn. The ASA hostname will not be just a regular firewall hostname. I am cautious as clients browsers or anyconnect client will prompt error message that SSL cert does not match hostname.

So the ASA hostname will be ASA1.abcd.com, the anyconnect cert will have CN name vpn.abcd.com, the ssl webvpn cert will have CN name webvpn.abcd.com. This may present a problem as I stated above as the CN names will not match hostname.

What are possible solutions? I have read a few things about Wildcard ssl certificate. A Wildcard SSL certificate *.abcd.com may possibly work???

Any suggestions?

Thanks

There is no problem for the

Karsten Iwen — Sun, 23 Aug 2015 15:46:33 GMT

There is no problem for the VPN when the fqdn doesn't match the hostname.

For your scenario, there are multiple options:

Use a certificate with SANs (subject alternative names). These certificates can have multiple fqdns. This is probably the cheapest solution.
Use a wildcard certificate as you mentioned above. With some vendors, these are more expensive then certificates with SANs.
If you want to use multiple certificates as mentioned at the beginning of your post, you need a fairly new release. Not sure which one it was, but in 9.3 or 9.4 you van have different certificates on one interface for different fqdns.

Thanks Karsten. When you say

S891 — Sun, 23 Aug 2015 18:16:40 GMT

Thanks Karsten. When you say "there is no problem for the VPN when the fqdn doesn't match the hostname" do you mean after applying these options, or generally there is no issue if cert CN name does not match the hostname. I have seen the problem happening many times and it appears as a warning on client side.

I think option 1 or 2 is the simplest and doable. With option 2 I can have multiple CN names including VPN's and hostname's. So in my example from above there will be CN Name : CN1: ASA1.abcd.com, the anyconnect cert will have CN2: vpn.abcd.com, the ssl webvpn cert will have CN3: webvpn.abcd.com.

Thank

> I have seen the problem

Karsten Iwen — Mon, 24 Aug 2015 06:56:15 GMT

> I have seen the problem happening many times and it appears as a warning on client side.

What kind of warning do you see? If you have a different name in the certificate and you access the VPN with the name in the certificate, there shouldn't be any warning.

> So in my example from above

Both in case 1) and 2) there will only be one certificate, but that can be used with more than one name.