03-01-2018 07:03 AM - edited 02-21-2020 07:27 AM
Hello Experts,
I have one SSL VPN gateway in a high availability pair, and I need to renew the SSL certificate. How do I need to perform that? I understand I need to gather all the information (cert from GoDaddy, generating the CSR on the ASA and configuring the trustpoint).
How can I perform the import and export of the certificate when I have a primary and a secondary firewall?
If I do it on the primary, will it be replicated to the secondary firewall?
I have gone through many documents on Google, but I could not get a clear picture.
I would appreciate it if anyone can help me with an explanation of the renewal of the SSL certificate on a primary/secondary ASA: what commands do I need to run to make it available on both the primary and the secondary without causing a problem for end users while connecting?
Appreciate any quick responses,
Thanks
SAM
03-01-2018 08:03 AM
Certificates are automatically synced between the Active and Standby Failover units when you save the config on the Active unit after import.
So the renewal process should look like:
1) Generate new CSR on the Active unit
2) Get CA to issue a new cert using CSR
3) Import the newly generated certificate into the new trustpoint
4) Change "ssl-trustpoint" on the WAN interface to the new trustpoint.
5) Save.
I would follow this guide for SSL certificate install and renewal:
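As an added illustration of the steps above (this is not the poster's own configuration), here is what the terminal-enrollment workflow looks like on the Active unit's CLI; the key label, trustpoint name, hostname and interface name are placeholders, and the CA's intermediate certificate is imported before the identity certificate so the chain validates.

```text
! --- On the ACTIVE unit only; the standby receives the config and keys on save ---

! 1) New key pair and trustpoint for the renewed certificate (placeholder names)
crypto key generate rsa label VPN-KEY-2018 modulus 2048
crypto ca trustpoint GODADDY-2018
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp
 keypair VPN-KEY-2018
 exit

! Generate the CSR; the ASA prints it in PEM form to the terminal
crypto ca enroll GODADDY-2018

! 2) Submit the CSR to the CA and receive the issued certificate plus its chain

! 3) Import the CA / intermediate certificate first, then the identity certificate
!    (paste the base64 block at the prompt and finish with the word "quit")
crypto ca authenticate GODADDY-2018
crypto ca import GODADDY-2018 certificate

! 4) Point the SSL VPN interface at the new trustpoint; the old one stays
!    configured until you are satisfied, so rollback is a single command
ssl trust-point GODADDY-2018 outside

! 5) Save; this is what pushes the trustpoint, keys and certs to the standby
write memory

! Verification on both units
show crypto ca certificates
show ssl
show failover
```

Check `show crypto ca certificates` on the standby after the save to confirm the new trustpoint and its certificate arrived before removing the old trustpoint.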
03-04-2018 06:44 PM
Rahul,
Thanks a lot, mate, for your response; I really appreciate that.
So you mean to say that no configuration is required at all on the standby device (configuration only needs to be done on the active device)?
But what if we have devices in a cluster? Then I guess we may need to add some configuration on the other devices participating in the cluster.
Can you please shed some light on this?
Thanks
SAM