12-06-2011 01:41 AM
I want to use a different certificate per connection profile. Is it possible on ASA 8.4?
My first certificate is for vpn.itcom.fr associated to one connection profile and my second is for vpn.newitcom.fr associated to a second connection profile.
Thanks
Jeff
Solved! Go to Solution.
12-08-2011 03:10 PM
Hi Jeff,
no, this is not possible (unless the 2 certificates are used on 2 different interfaces, but I guess that that is not what you want) - the reason for this is that the ASA needs to send a certificate to the client/browser when the SSL connection initiates, so before it gets the HTTP GET request (which contains the Host header indicating which hostname you are connecting to). So at that time the ASA would not yet know which of the 2 certs to send.
However, there is an alternative that you may find useful: you can create/request a single certificate that contains both hostnames (there can be only one in the Subject/DN, but you can have multiple SAN - Subject Alternate Name). There may be an additional cost associated with this if you are requesting the cert from a 3rd party CA.
To map a hostname to a connection profile (tunnel-group), you can configure a group-url per tunnel-group.
e.g.
tunnel-group foo webvpn-attributes
group-url https://vpn.itcom.fr/
(don't know off the top of my head if it should include the trailing slash - try without if it doesn't work).
This part should work regardless of the certificate - you'll just get a certificate warning if the hostname you connect to is not in the ASA cert.
hth
Herbert
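A small check that follows from Herbert's answer: once a single certificate with several SANs is in place, every hostname used in a group-url must actually be listed in that certificate, or clients hitting that URL get the certificate warning he mentions. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA config excerpt (the tunnel-group names and the partner.itcom.fr host are made up), matches each group-url hostname against a constructed SAN list the way a browser matches DNS names (case-insensitive, wildcard only as the leftmost label and matching exactly one label), and reports the tunnel-groups whose URLs are not covered.

```python
"""Report ASA group-url hostnames that a certificate's SAN list does not cover."""
import re
from urllib.parse import urlsplit

# Constructed ASA config excerpt (hypothetical tunnel-group names; not from the thread).
# Uses the 'group-url <url> enable' form; a line without the trailing keyword is accepted too.
ASA_CONFIG = """\
tunnel-group itcom webvpn-attributes
 group-url https://vpn.itcom.fr/ enable
tunnel-group newitcom webvpn-attributes
 group-url https://vpn.newitcom.fr/ enable
 group-url https://vpn.newitcom.fr/sales enable
tunnel-group partners webvpn-attributes
 group-url https://partner.itcom.fr/ enable
"""

# Constructed SAN list for the single certificate Herbert suggests; the wildcard
# entry is only there to show how wildcard matching works.
CERT_SAN = ["vpn.itcom.fr", "vpn.newitcom.fr", "*.example.net"]

_TG_RE = re.compile(r"^tunnel-group\s+(\S+)\s+webvpn-attributes\s*$")
_URL_RE = re.compile(r"^\s*group-url\s+(\S+)(?:\s+(?:enable|disable))?\s*$")


def parse_group_urls(config):
    """Return a list of (tunnel_group, url, hostname) for every group-url line,
    attributing each URL to the tunnel-group whose webvpn-attributes block it is in."""
    mappings = []
    current = None
    for line in config.splitlines():
        m = _TG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _URL_RE.match(line)
        if m and current:
            url = m.group(1)
            host = urlsplit(url).hostname  # drops scheme, port and path
            if host:
                mappings.append((current, url, host.lower()))
    return mappings


def hostname_matches(hostname, san_name):
    """DNS-ID matching as clients do it: case-insensitive; a wildcard is allowed
    only as the entire leftmost label and matches exactly one label, so
    '*.example.net' covers 'a.example.net' but not 'a.b.example.net' or 'example.net'."""
    host = hostname.lower().rstrip(".")
    name = san_name.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name
    host_labels = host.split(".")
    name_labels = name.split(".")
    if len(host_labels) != len(name_labels):
        return False
    return host_labels[1:] == name_labels[1:]


def find_uncovered(config, san_names):
    """Map each group-url hostname absent from the SAN list to the tunnel-groups
    using it; these are the URLs where clients will see a certificate warning."""
    uncovered = {}
    for tunnel_group, _url, host in parse_group_urls(config):
        if not any(hostname_matches(host, n) for n in san_names):
            groups = uncovered.setdefault(host, [])
            if tunnel_group not in groups:
                groups.append(tunnel_group)
    return uncovered


if __name__ == "__main__":
    for host, groups in find_uncovered(ASA_CONFIG, CERT_SAN).items():
        print(f"{host}: not in SAN, used by tunnel-group(s) {', '.join(groups)}")
```

Run it against the output of `show running-config tunnel-group` and the SAN list from `show crypto ca certificates` before cutting over to the combined certificate; anything it reports is a URL that will warn users until the hostname is added to the next certificate request.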
12-09-2011 01:09 AM
Hi Herbert,
Thanks a lot for this confirmation and for the workaround.
Have a nice day.
Jeff