concerns about CA certificate purchasing

Menon
Level 1

Hello there,

I have 2 ASA 5506 firewalls in failover state with AnyConnect VPN running on them. We currently use a self-signed certificate on our firewall for VPN. Unfortunately, this gives us a lower security rating when clients run security tests on our public IP address. As a result, we need to replace the self-signed certificate with one that is not self-signed.

My concerns:

1: What type of certificate is suitable for this scenario? The firewalls are in failover state and use a single domain. So would a basic SSL certificate be enough?

2: Do I need to create 2 separate CSRs (certificate signing requests) from the firewalls to apply for the SSL certificate from the CA? As they are in failover, the config will sync.

3: Once we get the new certificate imported and enrolled, do we need to set up anything on the client side, or does the enrollment automatically update the client side once they try to reach the VPN?

Let me know your suggestions - any help would be highly appreciated!

Regards - Menon

1 Reply

Milos_Jovanovic
VIP Alumni

Hi @Menon,

Given that the devices are working in HA, you'll only need one certificate for this. However, you do need to define an FQDN for this, as public CA-signed certificates usually don't support IPs inside. From this standpoint, there will be only one FQDN defined for your "outside" interface (active IP address).

Yes, a basic SSL certificate is enough for this purpose.

Once you import the certificate onto the device, the same certificate will be replicated on both devices, so when a failover event happens, the same certificate will still be displayed.

If you buy a certificate from a well-known CA, then nothing is required on the client side (assuming they are using the FQDN instead of the IP today; if not, you'll need to ask them to connect to the FQDN from now on, and to potentially reconfigure the ASA accordingly).

Kind regards,

Milos
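
A pre-submission check for the points in the reply above, as an added example that is not part of the original thread: run with OpenSSL on an admin workstation, it confirms that a certificate is no longer self-signed and that a CSR names the FQDN rather than an IP. `vpn.example.com`, `203.0.113.10`, the throwaway CA and all file names are constructed placeholders; OpenSSL 1.1.1 or later is assumed.

```sh
#!/bin/sh
# Added example: every name, address and file below is constructed.
set -eu
FQDN=vpn.example.com   # assumed VPN hostname, not taken from the thread
WORK=$(mktemp -d)

# Exit 0 when subject and issuer are the same name (self-issued), the
# condition external scanners report as a self-signed certificate.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Exit 0 when the CSR requests the FQDN as a DNS SAN and no IP SAN.
csr_names_ok() {
  san=$(openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true)
  printf '%s\n' "$san" | grep -qF "DNS:$2" || return 1
  if printf '%s\n' "$san" | grep -q 'IP Address:'; then return 1; fi
}

build_samples() {
  # Stand-in for the self-signed certificate currently presented.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$FQDN" \
    -keyout "$WORK/ss.key" -out "$WORK/selfsigned.pem" 2>/dev/null
  # Stand-in for the single CSR that covers the failover pair.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" 2>/dev/null
  # Same request, but also asking for the public IP (documentation address).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN,IP:203.0.113.10" \
    -keyout "$WORK/ip.key" -out "$WORK/ip.csr" 2>/dev/null
  # Throwaway CA standing in for the public CA, then the issued certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/issued.pem" 2>/dev/null
}

build_samples
is_self_signed "$WORK/selfsigned.pem" && echo "selfsigned.pem: self-signed"
is_self_signed "$WORK/issued.pem"     || echo "issued.pem: issued by a CA"
csr_names_ok "$WORK/vpn.csr" "$FQDN"  && echo "vpn.csr: FQDN only, ready to submit"
csr_names_ok "$WORK/ip.csr" "$FQDN"   || echo "ip.csr: requests an IP SAN, fix before submitting"
```

The same two functions can be pointed at a CSR exported from the firewall and at the certificate the CA returns, saved as PEM files.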