Cisco AnyConnect SSL certificate help on ASA

Andy White
Level 3
Hello,

We have 2 ASA 5520s in Active/Standby on 9.x IOS

We have many users that use Windows 7/8 tablets and the Cisco Anyconnect SSL VPN client. 
They connect to hostname 'vpn.company.co.uk' (our ASA) and when they connect the VPN
connection is 'Trusted' as our SSL certificate on the ASAs (Active/Standby) has
vpn.company.co.uk in it.

We have now changed our company name and I have been asked 2 things.

1.) To get another certificate generated with help from Cisco (webex?) that includes
'vpn.company.co.uk' and the new company name 'vpn.newcompany.com' (DNS entries are
already working and can be pinged from the internet; both FQDNs go to our ASAs' public IP). Having both FQDNs,
we hope it will not interfere with our current users' experience and they can connect to either
vpn.company.co.uk or vpn.newcompany.com as 'Trusted' with no additional
configuration needed on the clients.

What type of cert do I need to use (confused totally)

2.) Once the new certificate is working and users are still using vpn.company.co.uk
(old name), we would like to replace this with vpn.newcompany.com. How can we
seamlessly do this? Will the user connect and download the new XML file? Please provide a
solution.

I am trying to plan this to happen over the next few weeks, so it is not urgent, but I need
to make a start on what is involved.

Thanks

28 Replies

Marvin Rhoads
Hall of Fame

An ASA can only have a single certificate associated with the outside interface for remote access VPN. Unless you can get your CA to issue a multi-domain certificate, you have to choose one or the other.

As far as changing over, every time you connect to an ASA via AnyConnect the logon process checks for updates to the profile and downloads it if a new version is available.

Hello Andy,

In my understanding, whilst having the company's name "vpn.company.co.uk", you generated a certificate request and obtained an SSL certificate from a known CA.

Now, the name of the company will change (or has).

Previously the CN in the certificate was "vpn.company.co.uk", so users connecting to "vpn.company.co.uk" did not see any certificates errors.

To avoid certificate errors after changing the DNS, you should request a new SSL certificate but this time include the new name of the company in the CN field. So, the new certificate will include the correct DNS and all should work fine.

To have your users connect to the new domain, I would recommend the following:

1- Modify the XML profile and add a second server to the "server list". This new entry will be "vpn.newcompany.com". So your users first connect to the existing domain and download the new profile, which now includes the two servers in the drop-down menu.

2- Once the transition is done, you educate your users about the new SSL server and eventually edit the XML profile to remove the old connection entry.

Let me know if this is clear.

HTH.

- Javier

Thanks. The main goal then is to be able to have a cert that has the new and old FQDN, so when I generate the new cert it should let me use 2?

Not really.

You may consider the option to coordinate and install the new certificate at the time that the ISP updates the DNS record.

That may save you time and extra efforts.

I see. The 2 FQDNs, new and old, are already pingable, so if I try and connect with the new FQDN I get a cert error (red warning sign), but I can get the AnyConnect client to ignore it, which isn't ideal.

This is what Cisco said though:

"If you need multi-domain SSL, we will need to use the SAN attribute to add the second FQDN. Unfortunately the ASA does not support the inclusion of the SAN attribute in the CSR (tracked by bug CSCso70867, 'ASA doesn't support SAN attributes for the enrollment request'). When generating a CSR from the ASA, only one FQDN can be included. The workaround for this is to use OpenSSL to generate the CSR and keys. Once the certificate is received from the CA, it should be combined with the key in OpenSSL to create a PKCS12 file. After the file is created, it should be imported into the ASA. If it's OK to use only the new FQDN, then we can generate the CSR from the ASA itself."

Wondered what you thought.

Wj

Yes - either the Subject Alternative Name (SAN) or multi-domain certificate. In both cases, it's still only a single certificate representing both your old and new company names on the interface.

Depending on the number and composition of your remote access user population I'd choose between the more-complex-for-IT fancy certificate option vs. just cutting everyone over to the new company name and using a simple root-CA-issued certificate.

Hi @Marvin Rhoads, I have issue like this now. 

What do you mean by multi-domain cert versus SAN certificate? To me they seem to be the same. And what cert is supported by the ASA?

Thanks

The ASA supports standard X.509 TLS/SSL certificates.

Multi-domain and SAN are synonyms in this context. Basically the CA says the certificate is good for more than one FQDN and uses the Subject Alternative Name (SAN) field in the certificate to list the FQDNs for which it is valid.

hi @Marvin Rhoads thanks for the feedback.

So I can generate a CSR with multiple CN attributes (multi-domain) and/or the SAN attribute using the ASA nowadays? Thanks

No. Generating a CSR with SAN is not supported on the ASA. You need to generate it off-box.

openssl is one way. I use the open source XCA tool as a nice alternative. https://hohnstaedt.de/xca/

Once you have the issued certificate, combine it with the private key in a PKCS12 file. You can then import it into the ASA as an identity certificate.

hi @Marvin Rhoads,

Oh OK, but I am playing around in my ASDM and found out that I can put multiple CN attributes when I try to generate a CSR, like in the attached picture.

Will it do the trick?

Thanks

Interesting - I hadn't realized you could put in the CN twice with different values.

I did it on mine just for kicks. I then submitted it as a CSR to my Windows Server 2016 CA. It did issue a certificate with two CNs (but no SAN). I'd be interested to see how it works with a browser or AnyConnect client given those certificate attributes.

I'd still recommend using an external tool and the SAN attribute.

@Marvin Rhoads, it is a good thing you tested it in your lab :) Please let us know if you pursue your testing on it.

Anyway, in terms of the SAN, would you mind giving me a step-by-step procedure for it using the XCA tool? Thanks

The XCA tool is pretty self-explanatory.

Just go under Certificate Signing Requests, New Request. Fill in the Subject page with your info. Be sure to generate a new key that will be used only for this CSR (and the eventual issued certificate). Go to the Extensions tab and add all of your SANs as a comma-separated list under the Subject Alternative Name field. Then click OK and export the CSR for signing by your CA.

Import the signed certificate and confirm the fields you expect are there. Then export it choosing PKCS #12 (*.p12) format. You will need to provide a passphrase.

Take that p12 file and import it into your ASA as an identity certificate.
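The same off-box procedure as a script, covering Javier's two-server profile step, the OpenSSL workaround quoted from Cisco, and Marvin's XCA steps. This is an added example and not code from the thread or from Cisco. It assumes a scratch directory, an organisation name and a PKCS#12 passphrase; the two hostnames are the ones from the thread. The CA signing step is replaced by a self-signed certificate so the script runs stand-alone; in practice you submit vpn.csr to your CA and bundle the certificate it returns (plus its chain).

```shell
#!/bin/sh
# Added example: the two off-box pieces of the cut-over discussed above.
#   make_san_bundle - fresh key, CSR with both FQDNs in the SAN, then a PKCS#12
#                     (and its base64 form) ready for import into the ASA.
#                     The CA is stood in for by a self-signed cert (assumption).
#   write_profile   - AnyConnect client profile whose ServerList offers both the
#                     new and the old FQDN, so existing users pick up the new
#                     name on their next connection.
# Hostnames are from the thread; directory, O= value and passphrase are assumed.
set -eu

OLD_FQDN="vpn.company.co.uk"
NEW_FQDN="vpn.newcompany.com"

make_san_bundle() {
    dir="${1:-./asa-cert}"
    pass="${2:-ChangeMe}"      # assumed PKCS#12 export passphrase
    mkdir -p "$dir"

    # OpenSSL request config: CN carries the new name, SAN carries both.
    # Clients match on SAN, so the old name must appear there too.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $NEW_FQDN
O = New Company Ltd
C = GB
[v3_req]
subjectAltName = DNS:$NEW_FQDN,DNS:$OLD_FQDN
EOF

    # A new 2048-bit RSA key used only for this request.
    openssl genrsa -out "$dir/vpn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/vpn.key" -config "$dir/san.cnf" -out "$dir/vpn.csr"

    # Stand-in for the CA. A real CA decides whether to honour the requested
    # SAN, so always inspect the issued certificate, not the CSR.
    openssl x509 -req -in "$dir/vpn.csr" -signkey "$dir/vpn.key" -days 365 \
        -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/vpn.crt" 2>/dev/null

    # Certificate + private key in one PKCS#12. With a real CA add its chain
    # via -certfile chain.pem so the ASA also holds the intermediates.
    openssl pkcs12 -export -inkey "$dir/vpn.key" -in "$dir/vpn.crt" \
        -name asa-vpn -passout "pass:$pass" -out "$dir/vpn.p12"

    # The ASA CLI import takes the bundle as base64 text.
    openssl base64 -in "$dir/vpn.p12" -out "$dir/vpn.p12.b64"

    # Echo the SAN so the caller can confirm both names survived signing.
    openssl x509 -in "$dir/vpn.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

write_profile() {
    out="${1:-./profile.xml}"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>$NEW_FQDN</HostName>
      <HostAddress>$NEW_FQDN</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>$OLD_FQDN</HostName>
      <HostAddress>$OLD_FQDN</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
EOF
    # Return how many servers the profile offers.
    grep -c '<HostEntry>' "$out"
}

# Usage: make_san_bundle ./asa-cert 'YourPassphrase'; write_profile ./profile.xml
```

On the ASA, the base64 file is pasted into `crypto ca import <trustpoint> pkcs12 <passphrase>` (or added through ASDM as an identity certificate), and the trustpoint is then bound with `ssl trust-point <trustpoint> outside`. If an older ASA rejects a bundle produced by OpenSSL 3, re-export with `openssl pkcs12 -export -legacy ...`, which falls back to the older PKCS#12 ciphers. Once the new certificate is live, drop the old HostEntry from the profile and the clients will stop offering vpn.company.co.uk after their next profile update.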
