Solved: ASA5520 Anyconnect replacing identity certificate

Dean Crook · ‎08-20-2012

Hopefully someone can give me a quick answer to my query, we currently have a remote access asa setup using Anyconnect with self signed certificate, and several users in the certificate database as we are using radius and certificate for authentication.

I want to purchase and obtain a trusted CA signed certificate (such as Verisign) and replace the current self signed cert.

My question is will I have to reset the current CA server of the ASA and replace the certificate user database? ie start from scratch.

Karsten Iwen · ‎08-20-2012

No, you don't have to start from scratch. It's quite common to have the ASA-identity-cert from a public CA, but the user-certs are from a private CA. With your change you achieve exactly this scenario.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Karsten Iwen · ‎08-20-2012

No, you don't have to start from scratch. It's quite common to have the ASA-identity-cert from a public CA, but the user-certs are from a private CA. With your change you achieve exactly this scenario.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Dean Crook · ‎08-20-2012

Thanks that makes sense