Configure 2 SSL Trustpoints

fatalXerror
Level 5

Hi, 

Is it possible in ASA to map 2x certificates to 1 interface so that VPN users will not be shown an error about the certificate, with something like this configuration?

 

ssl trust-point <Trustpoint-Name-1> Outside

ssl trust-point <Trustpoint-Name-2> Outside

 

If not possible, how to prevent it?

 

thanks

9 Replies

balaji.bandi
Hall of Fame

Unfortunately no, as per my experience: the certificate is tied to the ASA interface and you won't be able to have different certificates for different SSL VPN connections/types.

 

But what is your use case for having 2 certificates?

BB


Francesco Molino
VIP Alumni
Hi

No, you can't do that.
Why do you want to have 2 trustpoints? Is it for certificate renewal?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi @Francesco Molino,

 

Thanks for your feedback.

 

I just combined 2x ASA VPN into 1 ASA and I found out that they are using 2x different certificates.

 

What can I do about this? Can I configure another interface in the ASA so that it can handle the 2nd trustpoint?

 

Thanks

They were using 2 different public certificates because they had different public IPs.
Now that you're combining them into 1, will you have only 1 IP or still have 2?
If you get 2, then you'll have 2 interfaces and you can apply your 2 trustpoints.
If you have only 1 interface for VPN, you just need 1 cert; every user will come to this one, so it doesn't matter that before you had 2.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi @Francesco Molino,

Before, we had 2x ASA with 1x interface each: one intended for devices-A (using one cert) and the other interface intended for devices-B (using a different cert). But now, since we combined them, we are using one interface for both, and I put the trustpoint for device-A on it since it is critical for device-A. Since we are using SSL remote access VPN, we did not notice the certificate which is assigned to the interface.

 

Now, we still have not migrated device-B to the new one. My concern is, once we migrate it, it possibly will not connect because of the trustpoint on the outside interface of my ASA.

 

Can I put another interface in my new ASA and then assign the correct trustpoint so that device-B will connect to that new interface? How will the traffic flow once device-B has a successful connection to the new interface?

 

Thanks

Are the device-B clients using IPsec connections or SSL connections?

Certificates will matter for SSL.

Let's say device-a uses vpn.domain.com to connect and device-b uses vpn1.domain.com.

When you merge both into a single interface, both device-a and device-b will use vpn.domain.com. If you set up the right cert on this interface, nothing will happen. If you changed device-b from vpn1.domain.com to vpn.domain.com, you will need to change their AnyConnect profile if they're using SSL.

If they're connecting using IPsec, are they using cert authentication or basic credentials? If basic auth, then no issues, but you need to take care of the DNS change to point to the right IP now.

 

You can have 2 different interfaces (in 2 different subnets obviously) and then you can apply a different trustpoint on each.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi @Francesco Molino, both of them use SSL VPN.

If I add an additional interface for the sole purpose of the device-B connection, how will the traffic go after authentication? Will it go the normal way, out where the gateway points? Thanks

Hi @Francesco Molino, but if I use another certificate with a SAN attribute, that is possible, right?

Yes, sure: if you create the cert again and add another SAN, it'll work fine, but you wanted to re-use the certs you have.
Again, if you change device-b to point to the 1st interface (the unified interface), it will work as well. Why do you absolutely want to keep 2 public interfaces with 2 trustpoints?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
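The SAN option discussed above can be verified before clients are migrated. The following is an added example, not code from the thread or from Cisco: it takes the certificate dictionary that Python's `ssl` module returns for the ASA's outside interface and reports which of the old hostnames (assumed to be vpn.domain.com and vpn1.domain.com, the example names used in the replies) would still trigger a certificate warning because no subjectAltName entry covers them. The sample certificate data is constructed; `fetch_peer_cert` performs the same check against a live interface.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(): one
# certificate on the merged outside interface carrying both names as SAN entries.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.domain.com"),),),
    "subjectAltName": (("DNS", "vpn.domain.com"), ("DNS", "vpn1.domain.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Hostnames the two device groups used before the merge (assumed example values).
EXPECTED_NAMES = ["vpn.domain.com", "vpn1.domain.com"]


def san_dns_names(cert: dict) -> list[str]:
    """DNS names from the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard may only be the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    # '*.domain.com' covers 'vpn.domain.com' but not 'domain.com' or 'a.b.domain.com'
    suffix = pattern[1:]
    return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]


def uncovered_hostnames(cert: dict, hostnames: list[str]) -> list[str]:
    """Hostnames no SAN entry matches, i.e. the ones clients would warn about.
    The CN is deliberately ignored: browsers and AnyConnect consult only the SAN."""
    sans = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(p, h) for p in sans)]


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the certificate actually presented on the interface (live check).
    Chain validation stays on (the decoded dict is empty under CERT_NONE);
    hostname checking is off because uncovered_hostnames() does that part."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("uncovered:", uncovered_hostnames(SAMPLE_CERT, EXPECTED_NAMES))
```

An empty result means the single trustpoint on the unified interface serves both device groups; any name listed is one whose clients need either a reissued cert with that SAN or a profile change to the unified hostname.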