03-05-2014 02:00 AM - edited 02-21-2020 07:32 PM
Hello,
We have 2 ASA 5520s in Active/Standby on 9.x IOS
We have many users that use Windows 7/8 tablets and the Cisco Anyconnect SSL VPN client.
They connect to hostname 'vpn.company.co.uk' (our ASA) and when they connect the VPN
connection is 'Trusted' as our SSL certificate on the ASAs (Active/Standby) has
vpn.company.co.uk in it.
We have now changed our company name and I have been asked 2 things.
1.) To get another certificate generated with help from Cisco (webex?) that includes
'vpn.company.co.uk' and the new company name 'vpn.newcompany.com' (DNS entries are
already working, and can be pinged from the internet; both FQDNs go to our ASAs' public IP). Having both FQDNs,
we hope it will not interfere with our current users experience and can connect to either
vpn.company.co.uk or vpn.newcompany.com as 'Trusted' with no additional
configuration needed to the clients.
What type of cert do I need to use (confused totally)
2.) Once the new certificate is working and users are still using vpn.company.co.uk
(old name), we would like to replace this with vpn.newcompany.com. How can we
seamlessly do this? Will the user connect and download the new XML file? Please provide a
solution.
I am trying to plan this to happen over the next few weeks, so it is not urgent, but I need
to make a start on what is involved.
Thanks
10-09-2018 11:00 AM
@Marvin Rhoads you mean I will not do anything from the ASA, not even the key generation? All I need to do is import the signed cert? Technically, the whole process of the CSR (from key generation to putting in the cert details) will be coming from XCA?
10-09-2018 11:25 AM
Right - the ASA only gets involved when you have the PKCS #12 file ready to import.
XCA (or openssl) - create a key and CSR
Certificate Authority - issues a signed certificate based on the CSR
XCA (or openssl) - combines the signed certificate with the original private key in a PKCS #12 file
ASA - imports the PKCS #12 file and binds the certificate (using a trustpoint) to an interface for use by remote access VPN (AnyConnect clients)
10-09-2018 11:54 AM
Hi @Marvin Rhoads, what do you mean by this?
"XCA (or openssl) - combines the signed certificate with the original private key in a PKCS #12 file"
What original private key are you talking about here? The key generated in the CSR phase?
thanks
10-09-2018 09:37 PM
Yes. Anything that uses the certificate resulting from the CA signing a certificate based on a given CSR must have the private key used when generating said CSR. That's fundamental to how PKI works.
10-10-2018 05:40 AM
Hi @Marvin Rhoads, I really thank you for the help.
In the SAN attribute, it is not necessary to use a wildcard, right? We can also use multiple specific domains? Do you know how many domains the SAN attribute can support? Thanks
10-10-2018 05:55 AM - edited 10-10-2018 08:47 AM
The number accepted varies per provider. I've seen reports of anything from 25 to 100.
If you are running an internal CA (e.g. Microsoft Server Certificate Services), the string must be no more than 4 kb, translating to ~151 SANs if each one is 25 characters.
10-10-2018 08:42 AM
@Marvin Rhoads thanks, but in terms of the value of the SAN, it is not necessary to put a wildcard, right? We can use the exact domain name? Thanks
10-10-2018 08:48 AM
No wildcard is necessary.
Multiple exact fully qualified domain names (FQDNs) are what's recommended.
11-23-2018 05:55 AM
Hi @Marvin Rhoads, I was able to generate a CSR using OpenSSL for Windows. I also followed the 2 links below just to make sure I am doing it the right way. However, I cannot see the SAN attribute when I try to verify it using OpenSSL; is that normal?
OpenSSL Command to Verify CSR:
openssl req -noout -text -in <csr-filename>.csr
LINK1: http://www.labminutes.com/blog/public/2014/06/wildcard-certificate-generation-asa
Thanks
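The full OpenSSL-only path described earlier in the thread (key and CSR, CA signature, PKCS#12 bundle, then ASA import), plus the CSR check just discussed, as an added example that is not from any poster. It assumes the openssl CLI is installed. The two hostnames are the ones from the thread; the O= value, the throwaway "Test CA" that stands in for the real public or internal CA, and the PKCS#12 password are placeholders. The SAN carries two exact FQDNs and no wildcard, and the script checks that the SAN is actually present in the CSR (the reason the earlier check came back empty is usually a config file whose `req_extensions` does not point at the section that sets `subjectAltName`).

```shell
#!/bin/sh
# Added example for this thread, not from any poster. Assumes the openssl
# CLI is installed; hostnames come from the thread, while the O= value,
# the stand-in "Test CA" and the PKCS#12 password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"   # placeholder; the ASA asks for this password on import
SAN_LIST="DNS:vpn.newcompany.com,DNS:vpn.company.co.uk"

# Step 1: private key plus a CSR whose SAN lists both exact FQDNs (no wildcard).
# The SAN only lands in the CSR if req_extensions names a section that sets it.
make_csr() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = vpn.newcompany.com
O  = NewCompany Ltd

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = vpn.newcompany.com
DNS.2 = vpn.company.co.uk
EOF
  openssl genrsa -out "$WORK/asa.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/asa.key" -config "$WORK/san.cnf" -out "$WORK/asa.csr"
}

# Check the SAN really is in the CSR before sending it to the CA
# (the same "openssl req -noout -text" check as in the thread).
csr_sans() {
  openssl req -noout -text -in "$WORK/asa.csr" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Step 2: the CA signs the CSR. A throwaway self-signed root stands in for the
# real CA here; -extfile/-extensions makes this local signer carry the SAN
# over, which a real CA does from the CSR itself.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/asa.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -extensions v3_req -out "$WORK/asa.crt" 2>/dev/null
}

# The signed certificate is only usable with the private key that produced
# the CSR: compare the public key in the key file and in the certificate.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/asa.key" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$WORK/asa.crt" -pubkey -noout | openssl md5)
  [ "$k" = "$c" ]
}

# Step 3: bundle that same key, the signed certificate and the issuing chain
# into one PKCS#12 file, which is what the ASA trustpoint import consumes.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/asa.key" -in "$WORK/asa.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS" -out "$WORK/asa.p12"
}

# Read the SAN back out of the PKCS#12 as a last check before the ASA import.
p12_sans() {
  openssl pkcs12 -in "$WORK/asa.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

make_csr
echo "CSR SAN:  $(csr_sans)"
sign_with_test_ca
key_matches_cert && echo "key/cert: public keys match"
make_pkcs12
echo "P12 SAN:  $(p12_sans)"
echo "files in $WORK (asa.p12 is the file to import on the ASA)"
```

Against a real CA you would stop after `make_csr`, submit `asa.csr`, drop the returned certificate in as `asa.crt` and the CA chain as `ca.crt`, then run `key_matches_cert` and `make_pkcs12`. On the ASA, `openssl base64 -in asa.p12` gives the text to paste into `crypto ca import <trustpoint> pkcs12 <password>`, after which `ssl trust-point <trustpoint> outside` binds it to the VPN interface. If an older ASA release rejects a PKCS#12 produced by OpenSSL 3, regenerate it with `openssl pkcs12 -export -legacy ...`, which falls back to the older PKCS#12 encryption algorithms.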
11-23-2018 07:59 AM
Hi @Marvin Rhoads, I already made it work and generated a test CSR with the SAN attribute via OpenSSL.
Thanks.
11-23-2018 09:27 PM
That's good news. I'm glad you got it to work.
03-06-2014 05:09 AM
Andy,
Yep, that answer you got from us is true.
However, I did not recommend it because it is more expensive and eventually you won't need the second FQDN.
In case I am wrong and you will need both domains then get a SAN.
HTH.
- Javier
04-02-2015 03:57 AM
Andy,
Not sure if you still have this problem, but we have a similar issue. As you know, the ASA cannot generate a CSR with SAN attributes. The solution for us was to create the CSR using OpenSSL and then get it signed and imported on to the ASA.