Subject Alternative Name (SAN) in CSR for an ASA

marcohernandez
Level 1

Hi,

We need to generate a CSR on an ASA with a SAN. Is it possible to do this? We do not want to use a wildcard (*).

Thank you very much.

6 Replies

Maykol Rojas
Cisco Employee

Hola Marco!

I am sorry for my ignorance, would you please explain to me (if it's alright) what a CSR is? I am not really sure what it is. If there is something that can be done on the ASA firewall I would be able to help you.

Cheers

Mike


Thank you Mike.

You can install a 3rd-party certificate in the ASA so it can be used for SSL VPN deployments. The first thing you have to do is generate a Certificate Signing Request (CSR) on the ASA, and then you have to submit it to your preferred =) Certification Authority (for example Verisign), and they are going to give you your certificate so you can import it into the ASA.

When you generate the CSR you specify a Common Name (CN), for example sslvpn.cisco.com, so users have to type this name in their browsers. However, if you have the following in your DNS:

sslvpn.cisco.com 192.168.1.100

secureaccess.cisco.com 192.168.1.100

The user's browser can resolve both domains to the same IP address, but if the users type secureaccess.cisco.com, the browser is going to complain because the certificate says that it belongs to sslvpn.cisco.com, not secureaccess.cisco.com.

To address this issue you can define a Subject Alternative Name (SAN) in your CSR, so users can use either sslvpn.cisco.com or alternatively secureaccess.cisco.com.

I hope this explanation was better =)

Thank you again

Hi Marco,

Now I get it, yes you can do that with the ASA firewall, here is how:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml

It has ASDM and CLI.

It has been a long time since I configured certificates on the ASA firewall; I still had the link though.

Hope it helps

Mike


Hi Marco,

Well no, just now I got your question... I'm a bit slow today. You want to include a SAN in a CSR; that is not possible yet as per this bug CSCso70867

Symptom:
The ASA currently doesn't support SAN (subject alternative name) for the enrollment request.

More info

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso70867

Sorry :S

Cheers

Mike


Oops!!!

Thank you Mike. I am going to try to generate the CSR in OpenSSL and see if the certificate works (but first I have to understand how to use OpenSSL).

=S

Hi,

I have used certificates with SAN field in ASA many times, so I can confirm that this works. However I did not generate the certificate on the ASA, it was generated by another server.
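
The approach the thread ends on, generating the key and CSR with OpenSSL on another host because the ASA cannot put a SAN in its enrollment request, as an added example that is not part of any post above. The host names are the ones from the explanation earlier in the thread; the function names and the file names `asa.key`, `asa.csr` and `csr.cnf` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR carrying SANs with OpenSSL.
set -eu

# make_san_csr <out_dir> <common_name> [extra_dns_name ...]
# Writes <out_dir>/asa.key (RSA 2048, unencrypted) and <out_dir>/asa.csr.
# Runs in a subshell so the umask change does not leak to the caller.
make_san_csr() (
  out_dir=$1; cn=$2; shift 2
  umask 077                      # key file must not be group/world readable
  mkdir -p "$out_dir"
  cfg="$out_dir/csr.cnf"
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n' "$cn"
    printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
    # Repeat the CN as a SAN: once a SAN extension is present, browsers
    # match the host name against the SAN list and ignore the CN.
    i=1
    for n in "$cn" "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$n"; i=$((i + 1))
    done
  } > "$cfg"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$out_dir/asa.key" -out "$out_dir/asa.csr" -config "$cfg" 2>/dev/null
)

# csr_san_names <csr>: print the DNS names requested in the CSR, one per line.
csr_san_names() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_self_check <csr>: succeed only if the CSR's self-signature verifies.
# The message is matched because the exit status differs across OpenSSL versions.
csr_self_check() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Usage (constructed, names taken from the thread):
#   make_san_csr ./asa-csr sslvpn.cisco.com secureaccess.cisco.com
#   csr_san_names ./asa-csr/asa.csr
```

Because the private key is created off the ASA, the issued certificate has to be imported together with that key (for example as a PKCS#12 bundle) rather than into a trustpoint whose key pair was generated on the box. A CA is not obliged to copy requested extensions, so check the SAN list of the issued certificate as well before deploying it.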
