
Public certificate for ASA remote VPN.

sam cook
Spotlight

ASHI,

 

I have a cluster of 2 Firepower/ASA in active/passive state.

This cluster will be used as a remote VPN gateway.

I thought about buying a public certificate to avoid the warning message of AnyConnect when the ASA will present its self-signed certificate.

My question is: do I need only one certificate to be installed on both ASAs, or should I buy 2 (1 certificate for each ASA)?

Are there any specific recommendations for the certificate: key size, algorithm, hash type...?

Thank you

Accepted Solutions

mikael.lahtela
Level 4

Hi,

You will install one certificate on the active device and then use "write standby" to replicate the certificate to the secondary device.

 

"There is no need to manually copy the certificates from the Primary to Secondary ASA as the certificates should be synced between the ASAs as long as Stateful Failover is configured. If on initial setup of failover, the certificates are not seen on the Standby device, issue the command write standby in order to force a sync."


Here is some more information:
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

Br, Mikael


Thank you mikael
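
A check for the case in the quoted note, where the certificates are not seen on the standby device: this added example (not part of the original posts or of Cisco's documentation) parses saved `show crypto ca certificates` output from each unit and reports what is missing or differs on the standby. The sample output is constructed, and the trustpoint name `VPN-TP` is an assumption.

```python
import re

# Constructed sample, modelled on the layout of `show crypto ca certificates`.
ACTIVE = """\
Certificate
  Status: Available
  Certificate Serial Number: 0a1b2c3d4e5f
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Subject Name:
    cn=vpn.example.com
  Associated Trustpoints: VPN-TP
CA Certificate
  Status: Available
  Certificate Serial Number: 00ff11ee22dd
  Associated Trustpoints: VPN-TP
"""
STANDBY_UNSYNCED = ""  # constructed: standby shows no certificates yet

FIELD = re.compile(r"^\s+(Certificate Serial Number|Public Key Type|"
                   r"Signature Algorithm|Associated Trustpoints):\s*(.+?)\s*$")

def parse_certs(text):
    """Return {(kind, trustpoint): fields} for every certificate block."""
    blocks = []
    for line in text.splitlines():
        if line and not line[0].isspace():       # unindented line opens a block
            blocks.append({"kind": line.strip()})
        elif blocks and (m := FIELD.match(line)):
            blocks[-1][m.group(1)] = m.group(2)
    return {(b["kind"], b.get("Associated Trustpoints", "?")): b for b in blocks}

def compare(active_out, standby_out):
    """List certificates on the active unit that are missing or differ on standby."""
    active, standby = parse_certs(active_out), parse_certs(standby_out)
    problems = []
    for key, cert in active.items():
        serial = cert.get("Certificate Serial Number", "").lower()
        other = standby.get(key)
        if other is None:
            problems.append((key, "missing on standby"))
        elif other.get("Certificate Serial Number", "").lower() != serial:
            problems.append((key, "serial mismatch"))
    return problems

if __name__ == "__main__":
    for (kind, tp), why in compare(ACTIVE, STANDBY_UNSYNCED):
        print(f"{kind} / trustpoint {tp}: {why}; run 'write standby' on the active unit")
```

An empty result means the standby holds the same certificates as the active unit for every trustpoint.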