How to install a renewed cert for AnyConnect on the ASA

gavin han
Level 1

Hi,

I have to renew the cert for AnyConnect on the ASA. Do I have to generate the CSR for the new cert from the same trustpoint as the current cert that's expiring soon?

Can we have 2 identity certs installed?

a. current cert (1024 bit key) that expires soon.

b. new cert (2048 bit key) that will be 2 year cert.

How will the certs be used? Will it use cert [a.] and then switch to cert [b.] once cert [a.] expires?

If we install cert [b.], then will we have to update the cert on the client laptops that use AnyConnect?

I'm a little new to certificate-based authentication. Could you point me to documentation that shows how certificate-based authentication works?

Thanks All.

1 Reply

Hi Gavin,

a. Yes you can have two ID certs, as long as you install the new one on a different Trustpoint.

b. It actually depends. If both are the exact same certificate, then most likely the ASA will use the oldest one.

Is this for AnyConnect certificate authentication? If so, the only certificate that the ASA needs to have is the Root from the same CA as the one the clients got their certificates from.

If the ID cert is about to expire on the client side, then you need to renew it; if the Root certificate is about to expire on the ASA, then you need to renew that one.

For this to work you need:

1- The Root certificate from the CA installed on the ASA.

2- Each client must have an ID cert from the same CA.

3- Define certificate authentication under the webvpn attributes.

Please check this out:

AnyConnect Certificate Based Authentication

Let me know if you have any further questions.

Portu.

Please rate any helpful posts.
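As an added illustration of the thread above (not configuration from either poster), the ASA CLI below puts the renewed 2048-bit identity cert in its own trustpoint alongside the expiring one, binds it to the outside interface, and completes the three steps from the reply for client certificate authentication. The trustpoint names, key label, FQDN and tunnel-group name are assumed placeholders.

```cisco
! --- Renewed ASA identity cert: new keypair, new trustpoint (old one untouched) ---
crypto key generate rsa label ANYCONNECT-2048 modulus 2048
crypto ca trustpoint ANYCONNECT-2015
 enrollment terminal
 keypair ANYCONNECT-2048
 subject-name CN=vpn.example.com,O=Example Corp
 fqdn vpn.example.com
 crl configure
! Prints the CSR to the terminal; submit it to the CA, then import the signed cert.
crypto ca enroll ANYCONNECT-2015
! Paste the CA's own certificate first, then the issued identity certificate.
crypto ca authenticate ANYCONNECT-2015
crypto ca import ANYCONNECT-2015 certificate
! Cut over: the ASA presents the cert of the trustpoint bound to the interface,
! not "the newest one", so the old trustpoint stays until this line is changed.
ssl trust-point ANYCONNECT-2015 outside

! --- Step 1: Root cert of the CA that issued the client (user) certs ---
crypto ca trustpoint CLIENT-ROOT-CA
 enrollment terminal
 crl configure
crypto ca authenticate CLIENT-ROOT-CA

! --- Step 2 is on the client side: each laptop holds an ID cert from CLIENT-ROOT-CA ---

! --- Step 3: require certificate authentication on the AnyConnect tunnel-group ---
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG webvpn-attributes
 authentication certificate

! --- Verification: confirm which cert is served and when each one expires ---
show ssl
show crypto ca certificates
```

Clients only need a change if the identity cert's issuing CA is not already trusted by them; renewing under the same CA keeps their trust store valid, while the client ID certs are governed by their own expiry dates.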
