09-28-2018 09:18 AM - edited 02-21-2020 08:17 AM
ASHI,
I have a cluster of 2 Firepower/ASA in active/passive state.
This cluster will be used as a remote VPN gateway.
I thought about buying a public certificate to avoid the AnyConnect warning message when the ASA presents its self-signed certificate.
My question is: do I need only one certificate to be installed on both ASAs, or should I buy 2 (1 certificate for each ASA)?
Are there any specific recommendations for the certificate: key size, algorithm, hash type...?
Thank you
09-28-2018 10:48 AM - edited 09-28-2018 10:50 AM
Hi,
You will install one certificate on the active device and then use "write standby" to replicate the certificate to the secondary device.
"There is no need to manually copy the certificates from the Primary to Secondary ASA as the certificates should be synced between the ASAs as long as Stateful Failover is configured. If on initial setup of failover, the certificates are not seen on the Standby device, issue the command write standby in order to force a sync."
Here is some more information:
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html
Br, Mikael
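A way to confirm the replication described in the reply above, added here as an example and not part of the original post: the script compares the certificate entries from `show crypto ca certificates` captured on each unit and reports anything the standby lacks or holds with a different serial. The sample output is constructed, and the field labels it parses ("Certificate Serial Number", "Associated Trustpoints") are assumed to match what your ASA prints.

```python
import re

# Constructed sample modelled on `show crypto ca certificates` output;
# serial numbers, names and the trustpoint are invented for illustration.
ACTIVE = """\
Certificate
  Status: Available
  Certificate Serial Number: 1a2b3c4d5e6f
  Subject Name:
    cn=vpn.example.com
  Associated Trustpoints: SSL-Trustpoint
CA Certificate
  Status: Available
  Certificate Serial Number: 0099aabbccdd
  Subject Name:
    cn=Example Public CA
  Associated Trustpoints: SSL-Trustpoint
"""
# Standby before replication: CA certificate present, identity certificate absent.
STANDBY_UNSYNCED = ACTIVE[ACTIVE.index("CA Certificate"):]

def parse_certs(show_output):
    """Return {(kind, trustpoint): serial} for one unit's output."""
    certs, kind, serial = {}, None, None
    for line in show_output.splitlines():
        if line and not line[0].isspace():      # unindented line opens a new entry
            kind, serial = line.strip(), None
            continue
        m = re.match(r"\s+Certificate Serial Number:\s*(\S+)", line)
        if m:
            serial = m.group(1).lower()
            continue
        m = re.match(r"\s+Associated Trustpoints:\s*(.+)", line)
        if m and kind and serial:
            for trustpoint in m.group(1).split():
                certs[(kind, trustpoint)] = serial
    return certs

def compare_units(active_out, standby_out):
    """List differences between the active and standby certificate stores."""
    active, standby = parse_certs(active_out), parse_certs(standby_out)
    findings = []
    for key, serial in sorted(active.items()):
        if key not in standby:
            findings.append((key, "missing on standby"))
        elif standby[key] != serial:
            findings.append((key, "serial mismatch"))
    findings += [(k, "only on standby") for k in sorted(set(standby) - set(active))]
    return findings
```

An empty list from `compare_units` means both units hold the same certificates; a "missing on standby" finding is the case where the reply says to issue `write standby`.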