Certificate with SAN

fatalXerror
Level 5

Hi guys,

Just to double check: is it possible to use an internal certificate with a SAN attribute mapped to my outside interface for my SSL VPN, so that any of my devices, as long as they are accessing *.mycompany.com, will not get a certificate warning from AnyConnect?

Thanks

5 Replies

Rahul Govindan
VIP Alumni

You can use an internal certificate with the SAN of your outside interface FQDN. But you have to remember that a certificate generated by your internal CA is not inherently trusted by your external users. In short, if your ASA/FTD certificate fulfills the following 4 requirements, users should not see an error:


1) Date and time are between the issued and expiry dates on the cert.

2) Issued by a CA that is trusted by the client. You would need to import the internal CA certificate into the trusted root/intermediate CA store to achieve this.

3) FQDN of the VPN URL matches the SAN or the subject name CN field.

4) Certificate has the right key usage/extended key usage: the EKU should include Server Authentication for the ASA/FTD certificate.

No issues about that, because the users/endpoints that will be connecting are the corporate-issued endpoints, which means it is also trusted by the internal CA.


Technically, does the ASA support a SAN certificate? The reason I want to use it is that I have 2x domains (vpn.companyX.com and vpn.companyY.com) that were inherited from the old VPN box, but as we all know we can only map 1x trustpoint to 1x interface on the ASA. What I'm thinking of doing to resolve this is using a SAN.

Yes, if this is an internal CA that you control, you can add multiple SAN fields to your certificate and add it to the ASA. The ASA cannot generate a CSR with multiple SANs, but you can definitely import a pkcs12 cert for the ASA (issued by the CA directly and including cert+key) that has the 2 FQDNs that you have on the outside.


You can use openssl or other tools (I use a tool called xca) to generate CSRs outside of the ASA. Once you receive the cert, you can use the same tool to combine the cert and key together and export it as a pkcs12/pfx file. This can then be imported on the ASA.
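The openssl workflow described in the reply above, as an added example (not code from the thread or from Cisco): generate the key and a CSR carrying both VPN FQDNs as SANs outside the ASA, check the CSR before handing it to the internal CA admin, and bundle the returned certificate with the key into the pkcs12/pfx that the ASA imports. The FQDNs, output paths and the export password are placeholders; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: CSR with multiple SANs built outside the
# ASA, then cert + key bundled into a PKCS12 for import.
# Assumes openssl on PATH; FQDNs, paths and the export password are placeholders.
set -eu

# make_san_csr OUTDIR FQDN1 [FQDN2 ...]
# FQDN1 becomes the subject CN; every FQDN goes into subjectAltName, since
# clients match the URL host against the SAN list, not only the CN.
make_san_csr() {
  dir=$1; cn=$2; shift 1
  sans=""
  for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = $sans
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -keyout "$dir/vpn.key" -out "$dir/vpn.csr" 2>/dev/null
}

# csr_sans CSR -> "DNS:a,DNS:b": verify the request before sending it to the CA
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr -d ' '
}

# make_pkcs12 KEY CERT CACHAIN OUT PASSWORD
# Produces the pkcs12/pfx the ASA imports with
#   crypto ca import <trustpoint> pkcs12 <PASSWORD>   (paste the base64 of OUT)
# Older ASA releases may reject OpenSSL 3 defaults; retry with -legacy if so.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -out "$4" -passout "pass:$5"
}

# Usage: sh san_csr.sh OUTDIR vpn.companyX.com vpn.companyY.com
if [ $# -ge 2 ]; then
  make_san_csr "$@"
  echo "CSR SANs: $(csr_sans "$1/vpn.csr")"
fi
```

The CA-signed certificate must keep the SAN and serverAuth EKU from the request, so confirm them on the returned cert (requirements 3 and 4 above) before building the pfx.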

Hi @Rahul Govindan, sorry, I am new to this method and I cannot find any tutorial that relates to the ASA. So how will the CSR know that this CSR came from the ASA? Thanks

Hi @Rahul Govindan, it seems that we will be going with this method for our deployment.

Based on what you said before, I should generate the CSR using the XCA tool, then give the CSR to our internal CA admin to generate the certificate, right?

Once I get the certificate, I will bind it to the private key that I got from XCA. Am I correct?

Thanks for the help.
