Verisign SSL Cert on ASA Active/Standby failover pair

neallewis · ‎05-10-2007

I've a question about the Verisign SSL certificate needed for an ASA Active/Standby failover pair. The failover pair will terminate Webvpns and requires a Verisign cert for correct user experience.

Do i need to purchase one certificate and install it on the primary device? is this replicated to the standby device?

Or do i purchase one certificate with the "multiple servers" license option?

Or do i purchase two certificate, once for each firewall of the pair? if this is the case do i manually add each cert via console?

Verisign pre-sales support have given me two different answers.

Websupport have said that just one certificate is needed. Telephone support have said that two seperate certs are needed, one for each box, and the OU must be different in each case.

I tend to believe the telephone support, but want confirmation before the purchase?

many thanks in advance,

Neal.

aghaznavi · ‎05-16-2007

I think that you will need two different certificates for the pair of ASA's. I dont think that the certificate information is duplicated in the failover pair. The certificates can be installed using console or using ASDM. Following link may help you.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807c2151.shtml

neallewis · ‎05-17-2007

I went to Verisign support for their answer and got two different versions, one person said one cert it needed for active/standby and the other person said that two certs would be needed. I contacted them again and they recommended that we buy one, and try it, and if it didnt work, buy the second cert, which i did.

Anyway, I got the cert installed and it appears to be replicated. When i fail the pair over it continues to use the SSL cert. So my view is that the cert is shared between the two boxes, as is the RSA key pair. Break the pair and the same keys are on both boxes. generate a new key on the standby, connect the pair and the primary key gets replicated, overwriting the standby key (i tested this before the SSL cert went on).

My pre-sales consultant has previosuly contacted Cisco for their view on this, and they said the RSA key pairs are not shared and two certs would be required, one for each box. but it seems to work with one for me. i'd be interested to get the official Cisco response here?

Thanks for your response anyway. The link makes no reference to failover pairs, and i've not found any other Cisco documentation that does refer to SSL certs for Webvpn and failover.

I'd be interested to get the official Cisco response here?

cheers,

Neal.

tgrundbacher · ‎08-23-2007

Thank you Neal for your research in this matter. I'm currently dealing with the exact same question and haven't found an official answer to it from Cisco either.

Luckily, you've made successful tests for yourself.

To Cisco: Can you please give a statement about it?

Thanks

Toni

rickv2010 · ‎03-29-2011

Hello,

I can vouch for the fact the you will only need to purchase a single SSL cert from Verisign for an ASA active/standby failover pair v8.4(1). I did however run into some trouble with replication of the cert to the standby unit and needed to manually select/apply it to outside interface via ASDM. I'm not sure if this is a bug or error on my part but it is now working ok. Unfortunately little documentation to be had on this subject.

Rick