Multiple CA Certificates on the ASA

We currently use certificate-based authentication for our end clients.

We want to change the certificate that the user uses to authenticate with.

Can we add the new CA cert to the ASA, to work alongside the existing one?

How do we force users to use a specific certificate? Is this done with cert matching? 

Many thanks 

11 Replies

@is.infrastructure1 you can add another certificate to the ASA.

From the client computer perspective, if they have multiple certificates (the old one and the new one), then create different XML profiles using the Secure Client/AnyConnect profile editor and then create certificate matching rules (match on attribute from the required certificate). When the client connects it will then use that XML profile, which will then present that certificate (as per the matching rules) to the ASA for authentication.

Thanks guys. Very helpful. Is there a specific type of certificate required to import on to the ASA? 

I am getting the following error message when loading the certificate onto the ASA:

% Error in saving certificate: status = FAIL

https://m.youtube.com/watch?v=Er5toSsbM8I

This video shows how you configure cert. auth for AnyConnect.

You need to add the root CA to the ASA.

MHM

@is.infrastructure1 what have you configured? Provide a screenshot for context.

You need to create a trustpoint, use terminal enrollment. Authenticate the trustpoint and paste the CA certificate.

Thanks guys. 

I've been able to import the certificate to the ASA.

Is there a way of proving the connection is using a specific certificate?

I can't see anything in the 'show vpn-sessiondb detail anyconnect......' command.

Can I see show vpn sessiondb anyconnect detail?

MHM

Debug crypto ca 14

Try disconnecting and reconnecting AnyConnect,

then check the CA.
I will check for a simple way via show and update you.

MHM

As I mentioned, there is no direct way.

You can use 

Debug crypto ca 14 or 255

Or 

Debug webvpn anyconnect 255

Look for log message 

Asa-7-717030

Thanks 

MHM


@is.infrastructure1 I am not sure there is an obvious way to check, but you could check the SYSLOG message generated, such as the following which confirms which trustpoint was matched.

%ASA-6-725016: Device selects trust-point <TRUSTPOINT NAME> for peer-type interface

You could then send just that message to the console to view or a syslog server. Example:

logging list CONSOLE-LIST message 725016
logging console CONSOLE-LIST
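To make the 725016 check above repeatable during a CA migration, here is an added Python example (not from this thread, Cisco, or any ASA tool): it parses constructed syslog lines in the shape of the message quoted above and reports which trustpoint each client session selected, so sessions still landing on the legacy trustpoint stand out. The trustpoint names, addresses and the exact tail of the message after "for" are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the %ASA-6-725016 message quoted
# in the reply above. Hostname, trustpoint names and addresses are made up;
# the "interface:ip/port" tail after the peer type is an assumption.
SAMPLE_SYSLOG = """\
Jan 10 09:12:01 asa01 %ASA-6-725016: Device selects trust-point NEW-CA-TP for client outside:203.0.113.10/51234
Jan 10 09:12:07 asa01 %ASA-6-725016: Device selects trust-point OLD-CA-TP for client outside:198.51.100.7/44010
Jan 10 09:13:44 asa01 %ASA-6-725016: Device selects trust-point NEW-CA-TP for client outside:203.0.113.22/50211
Jan 10 09:14:02 asa01 %ASA-6-725001: Starting SSL handshake with client outside:203.0.113.22/50211 for TLSv1.2 session
Jan 10 09:15:30 asa01 %ASA-6-725016: Device selects trust-point OLD-CA-TP for client outside:198.51.100.7/44011
"""

# Only message id 725016 is of interest; other ASA messages on the same feed are ignored.
TRUSTPOINT_RE = re.compile(
    r"%ASA-\d-725016: Device selects trust-point (?P<tp>\S+) for (?P<peer>\S+)(?: (?P<endpoint>\S+))?"
)


def parse_trustpoint_events(text):
    """Return one (trustpoint, peer_type, endpoint) tuple per 725016 line found."""
    events = []
    for line in text.splitlines():
        m = TRUSTPOINT_RE.search(line)
        if m:
            events.append((m.group("tp"), m.group("peer"), m.group("endpoint") or ""))
    return events


def trustpoint_summary(text):
    """Count how many times the ASA reported selecting each trustpoint."""
    return Counter(tp for tp, _, _ in parse_trustpoint_events(text))


def peers_still_on(text, legacy_trustpoint):
    """Sorted peer IPs (port stripped) whose sessions still selected the legacy
    trustpoint, i.e. clients that have not yet moved to the new certificate."""
    ips = set()
    for tp, _, endpoint in parse_trustpoint_events(text):
        if tp != legacy_trustpoint or not endpoint:
            continue
        _, _, ipport = endpoint.partition(":")  # drop the interface name
        ips.add(ipport.split("/")[0])          # drop the source port
    return sorted(ips)


if __name__ == "__main__":
    print(trustpoint_summary(SAMPLE_SYSLOG))
    print("Still on OLD-CA-TP:", peers_still_on(SAMPLE_SYSLOG, "OLD-CA-TP"))
```

Feed it the output of the syslog server receiving message 725016 instead of SAMPLE_SYSLOG to track the migration over time.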