Cisco AnyConnect SSL certificate help on ASA

Andy White
Level 3
Hello,

We have 2 ASA 5520s in Active/Standby on 9.x IOS

We have many users that use Windows 7/8 tablets and the Cisco Anyconnect SSL VPN client. 
They connect to hostname 'vpn.company.co.uk' (our ASA) and when they connect the VPN
connection is 'Trusted' as our SSL certificate on the ASAs (Active/Standby) has
vpn.company.co.uk in it.

We have now changed our company name and I have been asked 2 things.

1.) To get another certificate generated with help from Cisco (webex?) that includes
'vpn.company.co.uk' and the new company name 'vpn.newcompany.com' (DNS entries are
already working and can be pinged from the internet; both FQDNs go to our ASAs' public IP). Having both FQDNs,
we hope it will not interfere with our current users' experience, and they can connect to either
vpn.company.co.uk or vpn.newcompany.com as 'Trusted' with no additional
configuration needed on the clients.

What type of cert do I need to use? (totally confused)

2.) Once the new certificate is working and users are still using vpn.company.co.uk
(old name), we would like to replace this with vpn.newcompany.com. How can we
seamlessly do this? Will the user connect and download the new XML file? Please provide a
solution.

I am trying to plan this to happen over the next few weeks, so it is not urgent, but I need
to make a start on what is involved.

Thanks

28 Replies

@Marvin Rhoads you mean I will not do anything on the ASA, not even the key generation? All I need to do is import the signed cert? Technically, the whole CSR process (from key generation to entering the cert details) will be done from XCA?

Right - the ASA only gets involved when you have the PKCS #12 file ready to import.

 

XCA (or openssl)   - create a key and CSR

Certificate Authority - issues a signed certificate based on the CSR

XCA (or openssl) - combines the signed certificate with the original private key in a PKCS #12 file

ASA - imports the PKCS #12 file and binds the certificate (using a trustpoint) to an interface for use by remote access VPN (AnyConnect clients)

Hi @Marvin Rhoads, what do you mean by this?

"XCA (or openssl) - combines the signed certificate with the original private key in a PKCS #12 file"

What original private key are you talking about here? The key generated in the CSR phase?

Thanks

Yes. Anything that uses the certificate resulting from the CA signing a certificate based on a given CSR must have the private key used when generating said CSR. That's fundamental to how PKI works.

Hi @Marvin Rhoads, I really thank you for the help.

In the SAN attribute, it is not necessary to use a wildcard, right? We can also use multiple specific domains? Do you know how many domains the SAN attribute can support? Thanks

The number accepted varies per provider. I've seen reports of anything from 25 to 100.

If you are running an internal CA (e.g. Microsoft Server Certificate Services), the string must be no more than 4 kb, translating to ~151 SANs if each one is 25 characters.

https://social.technet.microsoft.com/wiki/contents/articles/3306.pki-faq-what-is-the-maximum-number-of-names-that-can-be-included-in-the-san-extension.aspx

@Marvin Rhoads thanks, but in terms of the value of the SAN, it is not necessary to put a wildcard, right? We can use exact domain names? Thanks

No wildcard is necessary.

 

Multiple exact fully qualified domain names (FQDNs) is what's recommended.

Hi @Marvin Rhoads, I was able to generate a CSR using OpenSSL for Windows. I also followed the two links below just to make sure I am doing it the right way. However, I cannot see the SAN attribute when I try to verify it using OpenSSL. Is that normal?

OpenSSL Command to Verify CSR:

openssl req -noout -text -in <csr-filename>.csr

LINK1: http://www.labminutes.com/blog/public/2014/06/wildcard-certificate-generation-asa

LINK2: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc8

Thanks
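The four steps Marvin lists above (key and CSR outside the ASA, CA signature, PKCS #12 bundle, ASA import) and the SAN verification question in the post just above, worked through as one added shell example. This is not code from the thread or from Cisco; it uses the two FQDNs from the original post, a throwaway self-signed CA standing in for the real certificate authority, and the made-up names "vpn-demo" and "changeit" for the PKCS #12 friendly name and passphrase. The CSR only shows a "Subject Alternative Name" block when the extension section is actually requested, which is the usual reason it appears to be missing.

```shell
#!/bin/sh
# Added example, not from the thread. OpenSSL side of the ASA certificate workflow:
# key + CSR with SAN, signature by a (here: throwaway) CA, key/cert match check,
# PKCS #12 bundle. FQDNs come from the original post; "vpn-demo"/"changeit" are
# assumed placeholder names for the bundle's friendly name and passphrase.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key and a CSR carrying both FQDNs in subjectAltName.
# The ASA cannot build such a CSR itself, so it is generated here instead.
make_csr() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = vpn.company.co.uk
O = Example Company
C = GB
[v3_req]
subjectAltName = @alt
[alt]
DNS.1 = vpn.company.co.uk
DNS.2 = vpn.newcompany.com
EOF
    openssl genrsa -out "$WORK/vpn.key" 2048 2>/dev/null
    # -reqexts selects the extension section; without it the SAN is silently omitted
    openssl req -new -key "$WORK/vpn.key" -config "$WORK/san.cnf" \
        -reqexts v3_req -out "$WORK/vpn.csr"
}

# Verification: print the SAN line of the CSR (empty if the extension is missing).
csr_sans() {
    openssl req -noout -text -in "$WORK/vpn.csr" \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Step 2: the CA signs the CSR. A self-signed test CA stands in for the real one;
# -extfile/-extensions copies the requested SAN into the issued certificate.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -days 30 -subj "/CN=Test CA" 2>/dev/null
    openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/san.cnf" -extensions v3_req \
        -out "$WORK/vpn.crt" 2>/dev/null
}

# Step 3a: the signed cert must belong to the key that produced the CSR.
# Compare the public key embedded in each; a mismatch means the wrong key file.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/vpn.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/vpn.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Step 3b: bundle key, cert and CA chain into the PKCS #12 the ASA will import,
# then re-open it to confirm the passphrase and MAC are good.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/vpn.key" -in "$WORK/vpn.crt" \
        -certfile "$WORK/ca.crt" -name vpn-demo -passout pass:changeit \
        -out "$WORK/vpn.p12"
    openssl pkcs12 -in "$WORK/vpn.p12" -passin pass:changeit -nokeys -noout
}

run_all() {
    make_csr && sign_with_test_ca && key_matches_cert && make_pkcs12
}
```

Step 4 happens on the ASA: `openssl base64 -in vpn.p12` gives the text to paste into `crypto ca import <trustpoint> pkcs12 changeit` in config mode, and `ssl trust-point <trustpoint> outside` binds the certificate to the interface AnyConnect clients hit. Run `key_matches_cert` before building the bundle every time: a PKCS #12 assembled from a certificate and a key that do not belong together is the most common reason an otherwise valid import fails or the ASA presents the wrong certificate.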

Hi @Marvin Rhoads, I already made it work to generate a test CSR with the SAN attribute via OpenSSL.

Thanks.

That's good news. I'm glad you got it to work.

Andy,

Yeahp, that answer you got from us is true.

However, I did not recommend it because it is more expensive and eventually you won't need the second FQDN.

In case I am wrong and you will need both domains then get a SAN.

HTH.

- Javier

tinu_karki
Level 1

Andy,

Not sure if you still have this problem, but we had a similar issue. As you know, the ASA cannot generate a CSR with SAN attributes. The solution for us was to create the CSR using OpenSSL, get it signed, and then import it onto the ASA.