topic Re: Multiple SSL certificate on ASA or Router in Network Security

Multiple SSL certificate on ASA or Router

mrmozaffari — Tue, 12 Mar 2019 01:17:56 GMT

Hi everyone,

Is this possible to install multiple SSL certificate on Router or ASA?

I have two subdomains exchange.xyz.com and dialin.xyz.com and there is have one certificate for both but for Lync.abc.com i have another SSL certificate, as an example exchange.xyz.com and dialin.xyz.com ip address is a.b.c.55

and Lync.abc.com is abc.60

Please Advise.

Multiple SSL certificate on ASA or Router

Julio Carvajal — Fri, 22 Mar 2013 00:39:12 GMT

Hello,

You can have more than one SSL certificate on your ASA but at the time of applying it to an interface you can just use one

Regards,

Multiple SSL certificate on ASA or Router

mrmozaffari — Fri, 22 Mar 2013 00:50:04 GMT

How about Router?

And please tell me what do you mean at the time?

If it means you can only assign one certificate to your interface why it is possible to have more than one certificate in your firewall?

Regards,

Re: Multiple SSL certificate on ASA or Router

Julio Carvajal — Fri, 22 Mar 2013 00:57:09 GMT

And please tell me what do you mean at the time?

If it means you can only assign one certificate to your interface why it is possible to have more than one certificate in your firewall?

It means that you can have only one certicate on each interface,

Same thing on the routers, one Certiface/trustpoint per interface

Re: Multiple SSL certificate on ASA or Router

Javier Portuguez — Fri, 22 Mar 2013 02:11:18 GMT

As mentioned by Julio, you can only have one ssl trustpoint per interface.

However, you can have multiple SSL certificates on each device. Maybe for certificate authentication purposes, you do not apply these certificates on interface though.

You could have more than one domain on the ASA, just set up a VPN load-balancing cluster.

ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide

So you have one certificate applied to the outside interface and one applied to the VPN cluster.

HTH.

Portu.

Re: Multiple SSL certificate on ASA or Router

mrmozaffari — Fri, 22 Mar 2013 16:54:28 GMT

OK Thanks for replys,

Guys please forget the ASA, now i'm asking about Router.

I want to have my certificate on my router no for vpn purpose.

I want to publish my exchange and lync server on my router and they have different ip addresses and different FQDN.

I need to use two ip address on same interface, IP secondary.

And i'm going to assign private ip address on both servers and Nat them on Cisco Router.

So users on internet use these links https://RouterIPaddress1 and https://RouterIPaddress2

What now?

Re: Multiple SSL certificate on ASA or Router

MarecekSK — Wed, 20 Oct 2021 10:04:36 GMT

Julio, is it possible to have the same SSL certificate for two different interfaces (In my case on Cisco ASA 9.14)? I don't want to affect connected VPN users, so I'm afraid to change the configuration.

This is the relevant part of the configuration.

ssl trust-point Certificate_Trustpoint_Name outside
webvpn
enable outside
enable visitors
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.5.03040-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-linux64-4.5.03040-webdeploy-k9.pkg 3
anyconnect enable
cache
disable

When I'm connecting to "outside" everything is going right. But when I'm trying to connect to "visitors" so I'm getting a ASA temporary self signed certificate.

Thank you for your reply and I apologize for my English.

Re: Multiple SSL certificate on ASA or Router

MarecekSK — Thu, 21 Oct 2021 09:53:50 GMT

I was trying to change config at night.
It is possible to use same SSL trustpoint on different interfaces.
I was afraid that the originally entered command (for interface outside) would be overwritten.

ASA-HQ# sh run | i ssl trust
ssl trust-point CERTIFICATE_NAME_24032021 outside
ssl trust-point CERTIFICATE_NAME_24032021 visitors
ASA-HQ# sh crypto ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS) (DEPRECATED)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface outside: CERTIFICATE_NAME_24032021 (RSA 4096 bits RSA-SHA256)
Interface visitors: CERTIFICATE_NAME_24032021 (RSA 4096 bits RSA-SHA256)
Certificate authentication is not enabled

Re: Multiple SSL certificate on ASA or Router

Marvin Rhoads — Fri, 22 Oct 2021 03:44:35 GMT

The discussion you are replying to is from 2013.

Please start a new discussion and present your use case for a better understanding of what you want to do.

Re: Multiple SSL certificate on ASA or Router

MarecekSK — Fri, 22 Oct 2021 06:09:41 GMT

It isn't needed. As I mentioned in the previous reply, I was trying to change the config at night(outside production hours) and my question was answered by this successful change.

Thank you.