02-11-2011 09:28 PM - edited 03-11-2019 12:49 PM
Hi,
We need to generate a CSR on an ASA with a SAN. Is it possible to do this? We do not want to use a wildcard (*).
Thank you very much.
Labels: NGFW Firewalls
Accepted Solutions
02-12-2011 09:11 AM
Hi Marco,
Well no, just now I got your question... I'm a bit slow today. You want to include a SAN on a CSR; that is not possible yet as per this bug CSCso70867.
Symptom:
The ASA currently doesn't support SAN (subject alternative name) for the enrollment request.
More info
Sorry :S
Cheers
Mike
02-12-2011 06:57 AM
Hola Marco!
I am sorry for my ignorance, but would you please explain to me (if it's alright) what a CSR is? I am not quite sure what it is. If there is something that can be done on the ASA firewall, I would be able to help you.
Cheers
Mike
02-12-2011 08:12 AM
Thank you Mike.
You can install a 3rd party certificate on the ASA so it can be used for SSL VPN deployments. The first thing you have to do is generate a Certificate Signing Request (CSR) on the ASA, and then you have to submit it to your preferred =) Certification Authority (for example Verisign); they are going to give you your certificate so you can import it into the ASA.
When you generate the CSR you specify a Common Name (CN), for example sslvpn.cisco.com, so users have to type this name in their browsers. However, if you have the following in your DNS:
sslvpn.cisco.com 192.168.1.100
secureaccess.cisco.com 192.168.1.100
The user's browser can resolve both domains to the same IP address, but if the users type secureaccess.cisco.com, the browser is going to complain because the certificate says that it belongs to sslvpn.cisco.com, not secureaccess.cisco.com.
To address this issue you can define a Subject Alternative Name (SAN) in your CSR, so users can use either sslvpn.cisco.com or alternatively secureaccess.cisco.com.
I hope this explanation was better =)
Thank you again
02-12-2011 08:31 AM
Hi Marco,
Now I get it, yes you can do that with the ASA firewall, here is how:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
It has ASDM and CLI.
It has been a long time since I last configured certificates on the ASA firewall, but I still had the link though.
Hope it helps
Mike
02-12-2011 09:38 AM
UPS!!!
Thank you Mike. I am going to try to generate the CSR in OpenSSL and see if the certificate works (but first I have to understand how to use OpenSSL).
=S
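The off-box approach mentioned here, and the CN-versus-SAN explanation earlier in the thread, as an added example that is not code from the thread or from Cisco: a small POSIX shell script that uses OpenSSL to create a private key and a CSR carrying a subjectAltName extension, then checks that the SAN entries really made it into the request before it is sent to the CA. The work directory, file names and helper function names are assumptions of this example; the two host names are the ones used in the discussion above.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a CSR that carries a
# Subject Alternative Name extension with OpenSSL, then verify that the SAN
# is actually present in the request before submitting it to the CA.
# Constructed/assumed values: WORKDIR, the file names, and the host names
# taken from the discussion (sslvpn.cisco.com, secureaccess.cisco.com).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_san_csr CN ALT_NAME...  -> writes $WORKDIR/CN.key and $WORKDIR/CN.csr
# and prints the CSR path. The CN is repeated in the SAN list because modern
# browsers ignore the CN and match the host name against the SAN only.
gen_san_csr() {
    cn="$1"; shift
    cfg="$WORKDIR/$cn.cnf"
    san="DNS:$cn"
    for alt in "$@"; do
        san="$san,DNS:$alt"
    done
    # Minimal OpenSSL request config; req_extensions puts the SAN into the CSR.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $cn

[ v3_req ]
subjectAltName = $san
EOF
    # -nodes leaves the private key unencrypted on disk: restrict its
    # permissions and protect it in transit when moving it to the device.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$cn.key" -out "$WORKDIR/$cn.csr" \
        -config "$cfg" >/dev/null 2>&1
    printf '%s\n' "$WORKDIR/$cn.csr"
}

# csr_san_list CSR -> prints the SAN line of the request (empty if it has none)
csr_san_list() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# csr_has_san CSR HOSTNAME -> exit 0 only if HOSTNAME is one of the SAN entries
csr_has_san() {
    csr_san_list "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qFx "DNS:$2"
}

# Usage (uncomment to run as a script):
# csr=$(gen_san_csr sslvpn.cisco.com secureaccess.cisco.com)
# csr_san_list "$csr"
```

Run the same check on the certificate the CA returns (`openssl x509 -in cert.pem -noout -text`) before installing it: some CAs reissue only the names they validated, so a SAN present in the CSR is not a guarantee it is in the certificate. Because the key pair was generated off the ASA, the private key and the issued certificate have to be moved to the device together, so handle that bundle with the same care as any other private key.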
02-14-2011 05:14 AM
Hi,
I have used certificates with a SAN field on the ASA many times, so I can confirm that this works. However, I did not generate the certificate on the ASA; it was generated by another server.
