ASA VPN SSL 8.4.x: Using different certificates per connection profile

jfbesnardeau
Level 1

I want to use a different certificate per connection profile. Is it possible on ASA 8.4?

My first certificate is for vpn.itcom.fr, associated with one connection profile, and my second is for vpn.newitcom.fr, associated with a second connection profile.

Thanks

Jeff

Accepted Solution

Herbert Baerten
Cisco Employee

Hi Jeff,

No, this is not possible (unless the 2 certificates are used on 2 different interfaces, but I guess that is not what you want) - the reason for this is that the ASA needs to send a certificate to the client/browser when the SSL connection initiates, so before it gets the HTTP GET request (which contains the Host header indicating which hostname you are connecting to). So at that time the ASA would not yet know which of the 2 certs to send.

However, there is an alternative that you may find useful: you can create/request a single certificate that contains both hostnames (there can be only one in the Subject/DN, but you can have multiple SAN - Subject Alternate Name). There may be an additional cost associated with this if you are requesting the cert from a 3rd party CA.

To map a hostname to a connection profile (tunnel-group), you can configure a group-url per tunnel-group.

e.g.

tunnel-group foo webvpn-attributes
  group-url https://vpn.itcom.fr/

(don't know off the top of my head if it should include the trailing slash - try without if it doesn't work).

This part should work regardless of the certificate - you'll just get a certificate warning if the hostname you connect to is not in the ASA cert.

hth

Herbert
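As an added example (not from the thread, and not Cisco's code), the following script checks the workaround above from the defender's side: it pulls every hostname referenced by a group-url line out of a constructed ASA config fragment and reports which of them a given certificate does not cover, using the dict shape that Python's ssl.SSLSocket.getpeercert() returns (SAN dNSName entries win; the Subject CN is only consulted when there is no SAN). Both certificates and the config are constructed sample data; the tunnel-group names and the trailing "enable" keyword are assumptions about the ASA syntax, not taken from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed ASA config fragment (sample data, not from the thread): one group-url per tunnel-group.
ASA_CONFIG = """
tunnel-group ITCOM webvpn-attributes
 group-url https://vpn.itcom.fr/ enable
tunnel-group NEWITCOM webvpn-attributes
 group-url https://vpn.newitcom.fr/ enable
"""

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# The Subject can hold only one CN, so the second hostname has to be a SAN entry.
SAN_CERT = {
    "subject": ((("commonName", "vpn.itcom.fr"),),),
    "subjectAltName": (("DNS", "vpn.itcom.fr"), ("DNS", "vpn.newitcom.fr")),
}
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "vpn.itcom.fr"),),),
    "subjectAltName": (("DNS", "vpn.itcom.fr"),),
}

def group_url_hostnames(config):
    """Hostnames referenced by every group-url line, in config order."""
    return [urlsplit(m.group(1)).hostname.lower()
            for m in re.finditer(r"^\s*group-url\s+(\S+)", config, re.MULTILINE)]

def cert_names(cert):
    """Names a client matches against: SAN dNSNames if present, otherwise the subject CN."""
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (*.itcom.fr covers vpn.itcom.fr only)."""
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return False

def uncovered_hostnames(config, cert):
    """Group-url hostnames the certificate does not cover; each would trigger a browser warning."""
    names = cert_names(cert)
    return [h for h in group_url_hostnames(config) if not any(name_matches(n, h) for n in names)]

if __name__ == "__main__":
    print(uncovered_hostnames(ASA_CONFIG, SINGLE_NAME_CERT))  # ['vpn.newitcom.fr']
    print(uncovered_hostnames(ASA_CONFIG, SAN_CERT))          # []
```

To run it against a real ASA, replace the constructed dict with the result of ssl.create_default_context().wrap_socket(...).getpeercert() for the outside interface and the config with the output of show running-config tunnel-group.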

Hi Herbert,

Thanks a lot for this confirmation and for the workaround.

Have a nice day.

Jeff