Cisco VPN Domain URL Change SSL Certificate

Tinei
Level 1

Our company has gone through a name change from ABC Corp to CDE Corp. The current VPN URL is vpn.abc.com and the certificate on the ASA uses CN=vpn.abc.com. The company wants to move to the VPN URL vpn.cde.com to reflect the new company name. The DNS record is already pointing to the ASA IP address, but VPN connections on the new domain get "Certificate not trusted" because the URL doesn't match the current certificate.

What will be the best way to move to the new VPN URL with minimal impact to end users?

Option 1: Generate new CSR new certificate (vpn.cde.com)

Generate a new CSR, get a new certificate, add the certificate to the ASA, schedule a change, swap the ASA certificate to the new one, get users to start using the new VPN URL.

Option 2: Any way to load balance both certificates during transition

This will allow users on new url to connect to VPN without an error and old users to also connect without any errors until final cut off. Does it have to be a hard cut over between the two? 

Thought about a multi-domain SSL, but not sure if it would work in such a scenario......

Any thoughts....

Accepted Solutions

Milos_Jovanovic
VIP Alumni

Hi @Tinei,

I would advise going for a certificate containing both DNS names (as SAN attributes) until you complete the migration. This way, existing users would continue to trust the old domain, and migrated users will also trust the new domain.

Since you are the owner of both domains, this should be easy to get from a public CA.

BR,

Milos
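
An added example, not part of the original posts: one way to build a CSR that carries both names from this thread as SAN entries, and to confirm that the certificate the CA returns covers both hostnames before it is installed on the ASA. It assumes the key and CSR are created off-box with OpenSSL 1.1.1 or later (the thread does not say where the CSR was generated); the function names and file paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; hostnames are the thread's (vpn.abc.com, vpn.cde.com).
# Function names and file paths are hypothetical.

# make_san_csr <key-out> <csr-out> <primary-name> [extra-name...]
# Creates a new RSA key and a CSR whose subjectAltName lists every name given.
make_san_csr() {
  local key=$1 csr=$2; shift 2
  local san="" n
  for n in "$@"; do san="${san:+$san,}DNS:$n"; done
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/CN=$1" -addext "subjectAltName=$san" 2>/dev/null
}

# csr_sans <csr>: print the DNS names requested in the CSR, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# cert_covers <cert.pem> <hostname>
# Succeeds only if the certificate matches the hostname. Run it against the
# certificate returned by the CA for both the old and the new VPN name.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo: new name as CN, both names as SANs, written to a scratch directory.
demo_dir=$(mktemp -d)
make_san_csr "$demo_dir/vpn.key" "$demo_dir/vpn.csr" vpn.cde.com vpn.abc.com
echo "SANs requested in the CSR:"
csr_sans "$demo_dir/vpn.csr"
```

A certificate for which `cert_covers` fails on either name would reproduce the "Certificate not trusted" warning for the users still on that URL.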

Tinei
Level 1

Thanks, managed to get a multi-domain certificate and it worked beautifully....