
SSLVPN 3rd Party Certificate

jpl861
Level 4

Hi,

We are in the process of deploying SSLVPN for our company. We already bought two ASA5510 with SSLVPN licenses on both. I am going to install the firewalls into two separate data centers to provide redundancy. Two different external IPs, but we'll publish it with a single URL so we can load-balance. My question is, do we need to purchase two SSL Certificates? Or should we just purchase one and export then import it on the other firewall?

Your thoughts? Thanks in advance.

John

5 Replies

danmoren
Level 1

Hello John,

You will be able to buy one SSL certificate and then install it in both ASA's.

My suggestions here would be to generate the CSR from one of the ASA's and import the certificate there.

Then, export the certificate from that ASA and import it into the secondary as well.

When you export it from the, let's say, "main ASA" you just need to export it in a PKCS12 format for it to include the private and public keys of the certificate.

In the "secondary ASA", you will need to import it as a PKCS12 file as well.

Let me know if this helps you.

Daniel Moreno

Please rate any posts you find useful

Hi Daniel,

Is this the procedure for the export and import?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml#copycert

Thanks,

John

John,

Yes, those are the commands.

It would also be a good idea to look at the feedback that Javier posted since it is very detailed.

Let us know if you have any more questions.

Daniel Moreno

Please rate any posts you find useful

I agree with Daniel (5 stars)

Thanks.

Hi John,

There are different ways to get this to work with VPN load-balancing.

However, we need to have a good understanding of how this is supposed to work.

When the Master receives a new SSL connection, based on the load-balancing algorithm, it makes the decision whether to redirect the session to another ASA or accept the connection.

The SSL connection will point to the Cluster URL, so you need a certificate for the cluster including the cluster URL in the CN attribute field.

We must keep in mind that the cluster does not take the connection; a specific ASA does, so we also need a valid certificate for each ASA.

Now, to solve this issue, I would recommend that you check the following link and choose the best option for you:

ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide

Keep me posted.

Please rate any post you find useful.
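An added planning check (editor's example, not from this thread or from Cisco) that ties Daniel's and Javier's replies together: the one certificate that gets exported as PKCS12 (private key included, so the bundle and its passphrase need the same care as the key itself) and imported on the second ASA only solves John's problem if the names it carries cover every hostname a client will see, that is the cluster URL the client first connects to and the name of whichever ASA the Master redirects it to. The script takes the DNS names a certificate carries (CN plus subjectAltName entries) and the hostnames a load-balanced deployment needs, and reports which are left uncovered. All hostnames (vpn.example.com, asa1/asa2.example.com) are constructed placeholders, and the matching rule is the usual one clients apply (exact match, or a single leading wildcard label that covers exactly one label); the ASA itself performs no such check.

```python
"""Certificate name coverage for a load-balanced SSL VPN cluster (added example)."""


def hostname_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name covers a hostname.

    Exact matches are case-insensitive. A leading "*." wildcard covers exactly
    one label, so "*.example.com" covers "asa1.example.com" but neither the
    bare "example.com" nor "a.b.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def required_hosts_for_cluster(cluster_fqdn: str, member_fqdns: list) -> list:
    """Hostnames clients will validate: the cluster URL first, then the
    individual ASA they are redirected to (assumes members are reached by
    their own FQDNs)."""
    return [cluster_fqdn] + list(member_fqdns)


def coverage(cert_names: list, required_hosts: list) -> tuple:
    """Split the required hostnames into (covered, missing) for one certificate."""
    covered, missing = [], []
    for host in required_hosts:
        if any(hostname_matches(name, host) for name in cert_names):
            covered.append(host)
        else:
            missing.append(host)
    return covered, missing


if __name__ == "__main__":
    # Constructed deployment: one cluster URL, two ASA members.
    needed = required_hosts_for_cluster(
        "vpn.example.com", ["asa1.example.com", "asa2.example.com"]
    )
    candidates = {
        "cluster name only": ["vpn.example.com"],
        "cluster name plus both members in SAN": [
            "vpn.example.com", "asa1.example.com", "asa2.example.com"
        ],
        "wildcard": ["*.example.com"],
    }
    for label, names in candidates.items():
        covered, missing = coverage(names, needed)
        verdict = "OK to install on both ASAs" if not missing else "redirect will fail for: " + ", ".join(missing)
        print(f"{label:40s} -> {verdict}")
```

Running it shows that a certificate issued for the cluster URL alone leaves both member names uncovered, while a single certificate carrying the cluster name and both ASA names (or a wildcard for the domain) can be exported once and imported on the second ASA as Daniel describes.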
