Re: ASA Wildcard Certificate Update

zekebash · ‎01-18-2022

Hello,

Our wildcard certificate on our prod ASAs (VPN headends/gateways) will expire in a month or so.

When reviewing the status of the wildcard cert in ASDM by going to Certificate Management\Identity Certificates, the "Expiry Date" shows that it will expire in March 29 2022. However, when reviewing the Intermediate and Root Certificates by going to Certificate Management\CA Certificates, the "Expiry Date" shows that both will expire in 2037.

My question is, what is the best way to update the wildcard certificate? Do I need to update all (wildcard, intermediate, and root?) even though the intermediate and root won't expire until 2037?

Thanks in advance.

\

Best, ~zK

Rob Ingram · ‎01-18-2022

@zekebash you certainly need to update the wildcard identity certificate. It depends on if the same Certificate Authority issues the new wildcard certificate and if the Intermediate and Root certificates are the same. Normally you'd create an identity certificate and add this to the same trustpoint as the CA certificates. The Root CA certificate and any other intermediate CA certificates could be installed in new trustpoints however.

Here is a user guide to generate and import signed certificates.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc11

Mike.Cifelli · ‎01-18-2022

My question is, what is the best way to update the wildcard certificate? Do I need to update all (wildcard, intermediate, and root?) even though the intermediate and root won't expire until 2037?

-If you are enrolling for an identity certificate from the same CA, then the answer would be no you would not have to update the intermediate and root. Few important things to note: A trustpoint is a container that is responsible for holding your certificate. Think of the trustpoint essentially as your trust policy which defines the following: which CA cert to reference, which CA does the trustpoint enroll to, how enrollment is handled, and how the certificate is validated. You will need to generate a new csr to obtain the new identity cert from the respective CA. Im assuming that you will manually import and enroll which is totally fine and easy. Once completed make sure that you bind the new certificate to services in use, such as RAVPN on outside interface, etc.

See here for additional info: ASA 8.x: Renew and Install the SSL Certificate with ASDM - Cisco

HTH!

zekebash · ‎01-18-2022

Thanks for the info. This is really helpful.

- We are using a different CA

- One of our system admins. went through the process of obtaining the new wildcard cert from the new CA

- My assignment is to update the wildcard cert on the prod ASAs (VPN GWs)

- Questions:

-- Since we are using a new CA; do I need to create new "Intermediate & Root" certificates?

-- If so, once I have created the new intermediate & root certs; do I simply create a new "Identity Certificate" by importing the new wildcard cert, which will be provided to me by the system admin who obtained the new wildcard cert from the new CA?

I am new to this cert configuration on the ASAs.

Thanks in advance.

\

Best, ~zK

Rob Ingram · ‎01-18-2022

@zekebash if the wildcard certificate has already been created by the sysadmin, you don't create a CSR on the ASA. You need to bundle the wildcard identity certificate and root CA certificates etc in a PKCS12 file, this can then be imported to the ASA.