Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1516
Views
0
Helpful
9
Replies

Configure 2 SSL Trustpoints

fatalXerror
Level 5
Level 5

‎10-06-2018 11:15 AM

Hi, 

Is it possible in ASA to map 2x certificate in 1 interface so that VPN users will not shown an error about the certificate something like this configuration?

 

ssl trust-point <Trustpoint-Name-1> Outside

ssl trust-point <Trustpoint-Name-2> Outside

 

If not possible, how to prevent it?

 

thanks

Labels:
0 Helpful
9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

‎10-06-2018 12:14 PM

Unfortunately No as per my experience, certificate is tied to the ASA interface and you won't be able to have different certificates for different SSL VPN connections/types.

 

But what is your use case to have 2 Certificates ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni

‎10-06-2018 07:02 PM

Hi

No you can't do that.
Why do you want to have 2 trustpoints? Is it for certificate renewal?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

fatalXerror
Level 5
Level 5
In response to Francesco Molino

‎10-07-2018 07:15 PM

Hi @Francesco Molino,

 

Thanks for your feedback.

 

I just combined 2x ASA VPN into 1 ASA and I found out that they are using 2x different certificates.

 

What can I do about this? Can I configure another interface in the ASA so that it can handle the 2nd trustpoint?

 

Thanks

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to fatalXerror

‎10-07-2018 09:05 PM

There were using 2 different public certificates because they had different public ip.
Now you're combining them into 1, will you have only 1 IP or still get 2.
If you get 2 then you'll have 2 interfaces and you can apply you're 2 trustpoints.
If you have only 1 interface for vpn, you just need 1 cert and every users will come to this one then doesn't matter that before you had 2.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

fatalXerror
Level 5
Level 5
In response to Francesco Molino

‎10-08-2018 12:40 AM

Hi @Francesco Molino,

Before, we have 2x ASA 1x interface each one intended for devices-A (using diff cert) and the other interface is intended to devices-B (using different cert). But now since we combined it, we are now using one interface for both and I put the trustpoint for device-A since since it is critical for device-A. Since we are using SSL remote access VPN, we did not notice the certificate which is assigned to the interface.

 

Now, we still not migrated the device-B to the new one. My concern is, once we migrate it possibly it will not connect because of the trustpoint in my outside interface of the ASA.

 

Can I put another interface in my new ASA then assign the correct trustpoint so that device-B will connect into that new interface? How will the flow of traffic once the device-B has a successful connection to the new interface?

 

Thanks

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to fatalXerror

‎10-08-2018 01:17 PM

Device-B are using IPSEC connection or SSL connections?

Certificates will matter for SSL.

Let's say device-a uses vpn.domain.com to connect and device-b uses vpn1.domain.com.

When you merge both into a single interface, both device-a and device-b will use vpn.domain.com. If you setup the right cert on this interface nothing will happens. If you changed device-b vpn1.domain.com to vpn.domain.com you will need to change their anyconnect profile if they're using SSL.

If they're connection using IPSEC, are they using cert authentication or something or basic credentials. If basic auth, then no issues but you need to take care of DNS change to point to the right IP now.

 

You can have 2 different interfaces (in 2 different subnets obviously) and then you can apply a different trustpoint on each.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

fatalXerror
Level 5
Level 5
In response to Francesco Molino

‎10-08-2018 08:18 PM

Hi @Francesco Molino, both of them uses SSL VPN.

If I add an additional interface for the sole purpose of the device-B connection, how will the traffic goes after authentication? It will go the normal way going out where the gateway points? Thanks

0 Helpful

fatalXerror
Level 5
Level 5
In response to fatalXerror

‎10-08-2018 11:31 PM

hi @Francesco Molino, but if I use another certificate with SAN attribute, that is possible right?

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to fatalXerror

‎10-09-2018 07:09 PM

Yes sure if you create again the cert and add another SAN, it'll work fine but you wanted to re-use the certs you have.
Again, if you change device-b to point to 1st interface (unified interface), it will work as well. Why you want absolutely to keep 2 public interfaces with 2 trustpoints?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents