Wildcard SSL cert on ASA

S891
Level 2

Hi,

I have an ASA firewall that will host both our AnyConnect VPN and clientless SSL WebVPN. I am planning to install a public CA cert. It will require two certs, one for each VPN. The ASA hostname will not be just a regular firewall hostname. I am cautious as clients' browsers or the AnyConnect client will prompt an error message that the SSL cert does not match the hostname.

So the ASA hostname will be ASA1.abcd.com, the AnyConnect cert will have CN vpn.abcd.com, and the SSL WebVPN cert will have CN webvpn.abcd.com. This may present the problem I stated above, as the CN names will not match the hostname.

What are possible solutions? I have read a few things about wildcard SSL certificates. A wildcard SSL certificate for *.abcd.com may possibly work?

Any suggestions?

Thanks

3 Replies

There is no problem for the VPN when the FQDN doesn't match the hostname.

For your scenario, there are multiple options:

  1. Use a certificate with SANs (subject alternative names). These certificates can have multiple FQDNs. This is probably the cheapest solution.
  2. Use a wildcard certificate as you mentioned above. With some vendors, these are more expensive than certificates with SANs.
  3. If you want to use multiple certificates as mentioned at the beginning of your post, you need a fairly new release. Not sure which one it was, but in 9.3 or 9.4 you can have different certificates on one interface for different FQDNs.

Thanks Karsten. When you say "there is no problem for the VPN when the FQDN doesn't match the hostname", do you mean after applying these options, or generally that there is no issue if the cert CN name does not match the hostname? I have seen the problem happening many times, and it appears as a warning on the client side.

I think option 1 or 2 is the simplest and doable. With option 2 I can have multiple CN names, including the VPNs' and the hostname's. So in my example from above there will be CN names: CN1: ASA1.abcd.com, the AnyConnect cert will have CN2: vpn.abcd.com, and the SSL WebVPN cert will have CN3: webvpn.abcd.com.

Thanks

I have seen the problem happening many times and it appears as a warning on client side.

What kind of warning do you see? If you have a different name in the certificate and you access the VPN with the name in the certificate, there shouldn't be any warning.

So in my example from above

Both in case 1) and 2) there will only be one certificate, but it can be used with more than one name.
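A worked illustration of the name-matching rule behind both of Karsten's replies: options 1 and 2 above, and the later point that the warning only appears when the name the user connects with is absent from the certificate. This is added example code, not from the original thread and not Cisco's or AnyConnect's code; it re-implements the RFC 6125 hostname check that browsers and VPN clients apply, using constructed stand-in certificate objects carrying the thread's names (no real X.509 certificates are parsed).

```python
"""Hostname-vs-certificate name matching as TLS clients do it (RFC 6125 style).

Added example: the Cert class is a constructed stand-in holding only the names
from a certificate; the three sample certificates below are constructed from the
names used in the thread (vpn.abcd.com, webvpn.abcd.com, asa1.abcd.com).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for a leaf certificate: only CN and DNS SANs matter here."""

    common_name: str
    sans: list[str] = field(default_factory=list)

    def names(self) -> list[str]:
        # Modern clients ignore the CN as soon as a SAN list is present
        # (RFC 6125 section 6.4.4); the CN only counts when there are no DNS SANs.
        return self.sans if self.sans else [self.common_name]


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly a wildcard) matches the hostname.

    Rules applied, as browsers and AnyConnect-style clients implement them:
      * comparison is case-insensitive and a trailing dot is ignored;
      * '*' is accepted only as the entire leftmost label ("*.abcd.com");
        partial wildcards such as "v*.abcd.com" are rejected;
      * a wildcard matches exactly one label: "*.abcd.com" covers "vpn.abcd.com"
        but neither "abcd.com" nor "a.vpn.abcd.com";
      * a wildcard with fewer than three labels ("*.com") is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(cert: Cert, hostname: str) -> bool:
    """Does the certificate match the name the client typed into the URL / profile?"""
    return any(name_matches(n, hostname) for n in cert.names())


def coverage_report(cert: Cert, hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname users might connect to -> whether this cert covers it."""
    return {h: cert_covers(cert, h) for h in hostnames}


# Constructed sample certificates using the thread's names.
# Option 1 from the reply: one certificate listing every FQDN as a SAN.
SAN_CERT = Cert("vpn.abcd.com", sans=["vpn.abcd.com", "webvpn.abcd.com", "asa1.abcd.com"])
# Option 2: one wildcard certificate.
WILDCARD_CERT = Cert("*.abcd.com", sans=["*.abcd.com"])
# The original plan: a single-name certificate for the AnyConnect name only.
SINGLE_CERT = Cert("vpn.abcd.com", sans=["vpn.abcd.com"])
# A cert whose CN is the box name but whose SAN list omits it (common mistake).
CN_ONLY_HOSTNAME = Cert("asa1.abcd.com", sans=["vpn.abcd.com"])

CONNECT_NAMES = ["vpn.abcd.com", "webvpn.abcd.com", "asa1.abcd.com", "abcd.com"]

if __name__ == "__main__":
    for label, cert in [("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT), ("single", SINGLE_CERT)]:
        print(label, coverage_report(cert, CONNECT_NAMES))
```

The check compares the name the client connected to against the certificate's SAN list; the ASA's configured hostname (ASA1.abcd.com) never enters the comparison, which is why a certificate for vpn.abcd.com produces no warning on a box called ASA1 as long as users connect to vpn.abcd.com, and why SINGLE_CERT warns for anyone connecting to webvpn.abcd.com. The report also shows where the two options differ: the SAN certificate covers exactly the names listed, while the wildcard covers any single label under abcd.com (names you never intended included) but not abcd.com itself or deeper names. Finally, CN_ONLY_HOSTNAME shows that a name present only in the CN is ignored once any SAN exists, so every name users will type must appear in the SAN list.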
