2 certificates on a single interface which links to 2 different profiles

Stuart-ITGL
Level 1

A client of mine is wanting to know if it is possible to have 2 different certificates installed on his ASA which are linked to different AnyConnect profiles - so if a user wanted to connect to Profile A it would use Cert A and Profile B would use Cert B.

Is this possible and, if so, how would you set it up to use that?

TIA

1 Accepted Solution

Yes, that will work. The setup is quite straight-forward:

  • You have multiple trust points that contain the different certificates
  • Your tunnel-groups are configured as usual with different group-urls
  • You configure the used FQDNs to use different trust points.

tunnel-group VPN-GROUP1 webvpn-attributes
 group-url https://vpn.example.com enable
...
tunnel-group VPN-GROUP2 webvpn-attributes
 group-url https://vpn.example.net enable
...
ssl trust-point VPN-NET domain vpn.example.net
ssl trust-point VPN-COM domain vpn.example.com
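
An offline check for the setup described in the answer above, as an added example that is not part of the original post or any Cisco tooling: it parses a saved running-config and reports which trust point each group-url hostname is bound to, plus any gaps. The sample config is constructed; VPN-GROUP3, VPN-OLD and their hostnames are hypothetical, and the script assumes the trust points are defined with `crypto ca trustpoint` lines.

```python
import re
from urllib.parse import urlparse

# Constructed sample config (not from a real device). VPN-GROUP3, VPN-OLD and
# their hostnames are hypothetical, added to show the gaps the audit reports.
SAMPLE_CONFIG = """\
crypto ca trustpoint VPN-COM
crypto ca trustpoint VPN-NET
tunnel-group VPN-GROUP1 webvpn-attributes
 group-url https://vpn.example.com enable
tunnel-group VPN-GROUP2 webvpn-attributes
 group-url https://vpn.example.net/ enable
tunnel-group VPN-GROUP3 webvpn-attributes
 group-url https://vpn.example.org/staff enable
ssl trust-point VPN-NET domain vpn.example.net
ssl trust-point VPN-COM domain vpn.example.com
ssl trust-point VPN-OLD domain old.example.com
"""

def audit(config):
    """Map each enabled group-url hostname to its per-domain trust point."""
    defined, by_domain, group_hosts = set(), {}, []
    group = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # top-level line: enter or leave a sub-mode
            m = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
            group = m.group(1) if m else None
        if m := re.match(r"crypto ca trustpoint (\S+)", line):
            defined.add(m.group(1))
        elif m := re.match(r"ssl trust-point (\S+) domain (\S+)", line):
            by_domain[m.group(2).lower()] = m.group(1)
        elif group and (m := re.match(r"group-url (\S+) enable", line)):
            host = urlparse(m.group(1)).hostname  # urlparse lower-cases it
            group_hosts.append((group, host))
    mapping = {(g, h): by_domain.get(h) for g, h in group_hosts}
    used_hosts = {h for _, h in group_hosts}
    return {
        "mapping": mapping,  # (tunnel-group, hostname) -> trust point or None
        "unmapped": sorted(h for (_, h), tp in mapping.items() if tp is None),
        "undefined": sorted({tp for tp in by_domain.values() if tp not in defined}),
        "unused_domains": sorted(d for d in by_domain if d not in used_hosts),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

An empty `unmapped` list means every group-url hostname has its own `ssl trust-point ... domain` line; `undefined` lists trust point names referenced by such a line but not defined in the parsed config.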
