In ASDM you go to Certificate Management and add a new trustpoint. There you upload the PFX, specify the PFX-password and the certificate gets imported. The standby ASA will directly receive this new certificate from the active one. ... View more

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices. ... View more

If you really need to have DNS-services, there is only the IOS router in the cisco portfolio. If you can live without, my preferences would be: Cisco Meraki MX on HQ and the branches. These are most easily to setup and the VPN will work instantly. Cisco ASAs on all sites with manually configured route-based VPN. This will give you also a good firewall for the branches. IOS routers on all sites. Maximum flexibility but the firewall implementation is most complex compared to the other solutions. Personally I don't like Firepower Thread Defense as you always need two IPs reachable from your headquarter. One for the Data-Plane and one for management. That can get quite tricky to setup and is a more advanced topic. ... View more

Yes, that will work. The setup is quite straight-forward: You have multiple trust points that contain the different certificates Your tunnel-groups are configured as usual with different group-urls You configure the used FQDNs to use different trust points. tunnel-group VPN-GROUP1 webvpn-attributes group-url https://vpn.example.com enable ... tunnel-group VPN-GROUP2 webvpn-attributes group-url https://vpn.example.net enable ... ssl trust-point VPN-NET domain vpn.example.net ssl trust-point VPN-COM domain vpn.example.com ... View more