ASA anyconnect vpn certification renew

Rock29
Level 1

Hello Experts,

I'm new to Cisco ASA. I need to renew the AnyConnect certificate. I have attached the flow diagram. Can anyone please help me and share the process? How can I plan it and upgrade the AnyConnect certificate with no downtime?

Moreover, please clarify my queries below.

As the URL is hosted on the F5 and the backend URLs are different and mapped to the firewall public IPs, do we need to renew the certificate on the F5 and the firewalls? I mean on all the devices.

We have the firewalls in HA for DC-level redundancy, so do we need to renew the certificate on both pairs?

As users are connecting to xyz.vpn.com and the backend URLs are different, do we need to request the CA to issue a signed certificate for xyz.vpn.com?

Attachment: anyconnect.JPG

3 Replies

Jeet Kumar
Cisco Employee

There are multiple methods that can be used to set up ASAs with SSL certificates for a VPN Load Balancing environment.

  • Use a single Unified Communications/Multiple Domains Certificate (UCC) which has the load-balancing FQDN as the DN and each of the ASA FQDNs as a separate Subject Alternative Name (SAN). There are several well-known CAs like GoDaddy, Entrust, Comodo and others that support such certificates. When you choose this method, it is important to remember that the ASA currently does not support the creation of a CSR with multiple SAN fields. This has been documented in the enhancement Cisco bug ID CSCso70867. In this case there are two options to generate the CSR:
    • Via the CLI or ASDM. When the CSR is submitted to the CA, add in the multiple SANs on the CA portal itself.
    • Use OpenSSL to generate the CSR and include the multiple SANs in the openssl.cnf file.
    • Once the CSR has been submitted to the CA and the certificate generated, import this PEM certificate to the ASA that generated the CSR. Once done, export and import this certificate in the PKCS12 format onto the other member ASAs.
  • Use a Wildcard certificate. In this case a CSR is generated either on the CA or with OpenSSL where the FQDN is of the form *.domain.com. Once the CSR has been submitted to the CA and the certificate generated, import the PKCS12 certificate to all the ASAs in the cluster.
  • Use a separate certificate for each of the member ASAs and for the load-balancing FQDN. This is the least effective solution. The certificate for the VPN Load Balancing FQDN is created on one ASA and exported and imported as a PKCS12 certificate onto the other ASAs.

There is no need to manually copy the certificates from the Primary to Secondary ASA as the certificates are synced between the ASAs as long as Stateful Failover is configured. If on initial setup of failover, the certificates are not seen on the Standby device, issue the command write standby in order to force a sync.

I think you would need to renew the cert on the firewalls as well as the F5. However, from the F5 perspective, I think it can be any trusted third party certificate since that would only be used to proxy the traffic back to the firewalls.

I agree with Aref Alsouqi. While switching from the old certificate to the new certificate (as long as the certificate is not expired) there will be no downtime for AnyConnect users.


Please do not forget to rate.
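As an added example (not code from this thread, from Cisco, or from the posters), a stdlib-only Python check that a practitioner can run before and after the certificate swap to confirm that the certificate each endpoint actually presents covers the load-balancing FQDN and every ASA FQDN (by SAN, CN or wildcard, matching the options described above) and is not close to expiry. The hostnames and dates are constructed placeholders; run fetch_cert against each real endpoint, including both members of the HA pair.

```python
import socket
import ssl
import time

# Constructed sample of what ssl.getpeercert() returns for a UCC certificate:
# CN is the load-balancing FQDN, SANs are the individual ASA FQDNs.
# Hostnames and dates are placeholders, not values from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "xyz.vpn.com"),),),
    "subjectAltName": (
        ("DNS", "xyz.vpn.com"),
        ("DNS", "asa1.vpn.com"),
        ("DNS", "asa2.vpn.com"),
    ),
    "notAfter": "Jun 30 23:59:59 2025 GMT",
}

def fetch_cert(host, port=443):
    """Fetch the certificate an endpoint presents, validated against system CAs (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_dns_names(cert):
    """Collect the DNS SANs plus the subject CN, lower-cased."""
    names = {v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    return names

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers only the leftmost label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host

def check_cert(cert, required_hosts, now=None, min_days=30):
    """Report hosts the cert does not cover and the days remaining before expiry."""
    now = time.time() if now is None else now
    names = cert_dns_names(cert)
    missing = [h for h in required_hosts
               if not any(name_matches(n, h.lower()) for n in names)]
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    return {"missing": missing, "days_left": days_left,
            "ok": not missing and days_left >= min_days}

if __name__ == "__main__":
    # Offline run on the sample; for a live check call fetch_cert(host) for the
    # load-balancer FQDN and every ASA (active and standby) and pass each result in.
    print(check_cert(SAMPLE_CERT, ["xyz.vpn.com", "asa1.vpn.com", "asa2.vpn.com"]))
```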