ASA Self-signed certificates, primary and secondary

Leroy Plock
Level 1

Hello.

Doing some ASA upgrades, and dealing with the Java certificate requirements.

We upgraded one primary/secondary pair with no problem and got the self-signed certificate installed into Java. We can access the primary with no issues or warnings.

However, when we access the secondary, Java complains that the IP address we're going to doesn't match the CN in the certificate.

Looking at the ASA, there are separate self-signed certificates for the IP of the secondary as well as the primary, but obviously the secondary is presenting a certificate with the primary's IP in the CN. And I see no way to influence which cert the ASA presents to the client.

I would think the easy way to deal with this would be to remove the existing self-signed certificates, generate a new one which includes two CNs, one for each IP. Now the certificate should be valid no matter which IP we're going to.

This seems straightforward, but I couldn't find any documentation saying this was a standard practice, so wondered if I was missing something.

Does anyone see a problem with this approach, and if so can you suggest a better way?

Thank you.

Accepted Solution

You can use it the way with both IPs in the certificate. Even better, include the internal FQDNs so that you can access them by name and not only by IP.

For maximum compatibility, include the IPs as IP-based SANs *and* as DNS-based SANs.

4 Replies


Karsten,

Great, thanks for the swift and clear reply.

Followup question: We have a number of ASA primary/secondary pairs. Being lazy, I don't want to generate a separate certificate for each pair and import them all into Java. I'm thinking I can generate ONE certificate that includes the IPs for ALL the ASAs, import that certificate onto all the other ASAs and into Java, and I'm done. I don't see that this in any way presents a security issue, do you?

Thank you.

Working that way is not that uncommon, but it still has security implications that should be known.

If one of the ASAs (or the private key) gets compromised, then you can't revoke the certificate of a single system. It has to be done for all ASAs at the same time and in a short time frame.

If you decide that it's an acceptable risk, then go for it.

True, and to export/import the cert between ASAs you have to export the private key which isn't the best practice. But this is just about protecting the ASDM client to be sure it is connecting to a trusted ASA for administration. It has no effect on anyone accessing the network and doesn't protect the ASA from rogue administrators.

As you say, it's a matter of acceptable risk.

Thank you.
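The following is an added worked example, not code from the thread or from Cisco: it builds one self-signed certificate whose subjectAltName carries every address an ASDM client might type for a primary/secondary pair, each IP as an IP SAN and again as a DNS SAN, plus the FQDNs, and then packages key and certificate as PKCS12 for import into an ASA trustpoint. Because the inventory is just a list of "fqdn ip" pairs, the same script covers the follow-up question (one certificate for all ASAs); extend `PAIR_HOSTS` and the shared-key revocation caveat from the thread applies. The hostnames, 192.0.2.x addresses, trustpoint name and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): one self-signed cert with IP and DNS SANs
# for every ASDM target of an ASA HA pair, exported as PKCS12 for the ASA.
# All hostnames, addresses and the passphrase below are constructed placeholders.
set -eu

WORK=${WORK:-$(mktemp -d)}
DAYS=${DAYS:-825}

# Read "fqdn ip" pairs from stdin and emit an openssl subjectAltName value.
# Each IP is listed as IP: and again as DNS:, because some clients compare a
# typed IP only against DNS entries (the compatibility advice in the thread).
build_san() {
    san=""
    while read -r fqdn ip; do
        [ -n "$fqdn" ] || continue
        san="${san:+$san,}DNS:${fqdn},IP:${ip},DNS:${ip}"
    done
    printf '%s\n' "$san"
}

# Generate a key pair and self-signed certificate.
# $1 = CN, $2 = subjectAltName value, $3 = output path prefix
make_cert() {
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$DAYS" \
        -subj "/CN=$1" \
        -addext "subjectAltName=$2" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$3.key" -out "$3.crt" 2>/dev/null
}

# Print the SAN entries of certificate $1, one per line (e.g. "IP Address:192.0.2.11").
list_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2,$p' | tr ',' '\n' | sed 's/^ *//'
}

# Exit 0 when certificate $1, trusted as an anchor (as the ASDM client's Java
# store will trust it), is valid for target $2, which may be an IP or a hostname.
check_target() {
    cert=$1; target=$2
    case $target in
        *[!0-9.]*) opt=-verify_hostname ;;   # contains letters: treat as a hostname
        *)         opt=-verify_ip ;;         # dotted digits only: treat as an IPv4 literal
    esac
    openssl verify -CAfile "$cert" "$opt" "$target" "$cert" >/dev/null 2>&1
}

# Bundle key + cert as PKCS12 for "crypto ca import <trustpoint> pkcs12 <pass>".
# $1 = path prefix used by make_cert, $2 = PKCS12 passphrase
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -out "$1.p12" -passout "pass:$2"
}

# Constructed inventory for one primary/secondary pair; add more lines for more ASAs.
PAIR_HOSTS='asa-fw1-pri.example.internal 192.0.2.11
asa-fw1-sec.example.internal 192.0.2.12'

SAN=$(printf '%s\n' "$PAIR_HOSTS" | build_san)
make_cert "asa-fw1.example.internal" "$SAN" "$WORK/asa-fw1"
make_pkcs12 "$WORK/asa-fw1" "changeit"
echo "certificate: $WORK/asa-fw1.crt  pkcs12: $WORK/asa-fw1.p12"
list_san "$WORK/asa-fw1.crt"
```

On the ASA side the usual sequence (from general ASA PKI knowledge, not from this thread) is to create a trustpoint, import the base64 of the .p12 with `crypto ca import <trustpoint> pkcs12 <passphrase>`, and bind it with `ssl trust-point <trustpoint>` on the management interface; importing the same .p12 into the secondary is exactly the private-key export the last reply cautions about. Only the .crt needs to go into the client's Java trust store. If an older ASA rejects a PKCS12 produced by OpenSSL 3, re-export with the `-legacy` option.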
