

ASA - SSL VPN with Certificate Authentication


I need to configure SSL VPN with certificate authentication on the ASA, but I am having some trouble finding a detailed guide on how to do it. As far as I know, I just need to specify Certificate as the Authentication Method in the Profile, install the certificate on the client PC (each user has their own certificate) and install the root certificate in the ASA (the certificates are provided by Comodo CA). Am I missing something else? Thank you very much.

Best Regards.

VIP Mentor

Which CA issued the certificates to the users, an internal Windows CA?
If so, you will need to import that CA certificate into the ASA to ensure the ASA trusts the certificate used by the client for authentication.



No, it is an external CA. So, I just need to upload the root and intermediate CA certificates in the "CA Certificates" inside Certificate Management, right? Thank you!

Best Regards.


The ASA needs to trust the certificate presented by the users, so yes create a trustpoint on the ASA with the external CA certificate chain.

OK, thank you very much. On the other hand, is there a way to specify which trustpoint is associated with the Profile? I mean, if I have 5 profiles which allow access to different users and give different access, can I configure it so that users with a specific certificate are the only ones authenticated in that specific profile?

I want to avoid that users with trusted certificates can access all the profiles which require Certificate Authentication. Thanks!

EDIT: I have found this:

My question now is: what if I have different certificate issuers? Do I have to specify different mapping criteria for each certificate? What is the behaviour if I have 2 different matching criteria? Thanks.


Match on a unique attribute, e.g. the certificate issuer, then create different rules; each rule would map to a different tunnel-group.


The example below demonstrates what you need to configure; it matches on OU (organisational unit) rather than issuer. Just create multiple rules, one for each mapping you require.


Yes, I have seen that video but I am still confused. I mean, what happens if I have two different root certificates, and I want users with certificate A to connect to Profile A while users with certificate B connect to Profile B? I cannot see the relation between rules and mapping criteria.

If I create two different mapping criteria, how can I ensure that I meet the requirements described above? I cannot see anything when creating the rule where you can specify which mapping criteria to use. Thanks.
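The following ASA CLI configuration is an added example, not something posted in this thread, showing the issuer-based mapping suggested above applied to the two-root-CA case asked about: each "rule" is a certificate map name plus sequence number, its "mapping criteria" are the attribute lines under it, and `certificate-group-map` is what ties a rule to a connection profile. Trustpoint names, issuer CN values, group-policy and tunnel-group names are placeholders.

```text
! Added example: two external root CAs, each trusted through its own
! trustpoint. All names and issuer CN strings are placeholders; use the
! values from your own certificates.
!
! 1. Trust each issuing CA chain (paste the PEM when prompted by
!    "crypto ca authenticate <trustpoint>"; repeat for intermediates).
crypto ca trustpoint CA-ROOT-A
 enrollment terminal
crypto ca trustpoint CA-ROOT-B
 enrollment terminal
!
! 2. Certificate maps: the map NAME plus SEQUENCE number is the "rule";
!    the attribute lines under it are that rule's "mapping criteria".
!    All criteria in one sequence must match (AND); further sequences
!    under the same name are alternatives (OR).
crypto ca certificate map MAP-ISSUER-A 10
 issuer-name attr cn eq "Example Issuer A"
crypto ca certificate map MAP-ISSUER-B 10
 issuer-name attr cn eq "Example Issuer B"
!
! 3. Connection profiles, each requiring certificate authentication.
group-policy GP-A internal
group-policy GP-B internal
tunnel-group PROFILE-A type remote-access
tunnel-group PROFILE-A general-attributes
 default-group-policy GP-A
tunnel-group PROFILE-A webvpn-attributes
 authentication certificate
tunnel-group PROFILE-B type remote-access
tunnel-group PROFILE-B general-attributes
 default-group-policy GP-B
tunnel-group PROFILE-B webvpn-attributes
 authentication certificate
!
! 4. Bind each rule to its profile. The client certificate is checked
!    against these entries in order and the session is placed in the
!    first profile whose rule matches, so an Issuer-A certificate is
!    never mapped to PROFILE-B by this configuration.
webvpn
 certificate-group-map MAP-ISSUER-A 10 PROFILE-A
 certificate-group-map MAP-ISSUER-B 10 PROFILE-B
!
! A trusted certificate matching no rule falls through to the default
! connection profile (DefaultWEBVPNGroup), so make sure that profile
! does not grant access on its own.
```

Verify the result with `show run crypto ca certificate map` and `show run webvpn`, then test with one certificate from each issuer and confirm the session's tunnel group in `show vpn-sessiondb anyconnect`.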
