05-23-2024 03:16 AM - edited 05-23-2024 03:17 AM
We currently use certificate-based authentication for our end clients.
We want to change the certificate that the user uses to authenticate with.
Can we add the new CA cert to the ASA, to work alongside the existing one?
How do we force users to use a specific certificate? Is this done with cert matching?
Many thanks
05-23-2024 03:36 AM - edited 05-23-2024 03:36 AM
Sure you can.
You can even use both certs for AnyConnect.
05-23-2024 04:16 AM
@is.infrastructure1 you can add another certificate to the ASA.
From the client computer perspective, if they have multiple certificates (the old one and the new one), then create different XML profiles using the Secure Client/AnyConnect profile editor and then create certificate matching rules (match on an attribute from the required certificate). When the client connects it will then use that XML profile, which will then present that certificate (as per the matching rules) to the ASA for authentication.
05-23-2024 06:37 AM
Thanks guys. Very helpful. Is there a specific type of certificate required to import onto the ASA?
I am getting the following error message when loading the certificate onto the ASA:
% Error in saving certificate: status = FAIL
05-23-2024 06:45 AM
https://m.youtube.com/watch?v=Er5toSsbM8I
This video shows how you configure cert. auth for AnyConnect.
You need to add the root CA to the ASA.
MHM
05-23-2024 06:54 AM
@is.infrastructure1 what have you configured? Provide a screenshot for context.
You need to create a trustpoint, use terminal enrollment. Authenticate the trustpoint and paste the CA certificate.
06-04-2024 12:35 AM
Thanks guys.
I've been able to import the certificate to the ASA.
Is there a way of proving the connection is using a specific certificate?
I can't see anything in the 'show vpn-sessiondb detail anyconnect......' command.
06-04-2024 12:43 AM
Can I see "show vpn sessiondb anyconnect detail"?
MHM
06-04-2024 12:55 AM
06-04-2024 03:12 AM
Debug crypto ca 14
Try disconnecting and reconnecting AnyConnect,
then check the CA.
I will check for a simple way via show and update you.
MHM
06-04-2024 06:54 AM
As I mentioned, there is no direct way.
You can use
Debug crypto ca 14 or 255
Or
Debug webvpn anyconnect 255
Look for log message
%ASA-7-717030
Thanks
MHM
06-04-2024 04:06 AM
@is.infrastructure1 I am not sure there is an obvious way to check, but you could check the SYSLOG message generated, such as the following which confirms which trustpoint was matched.
%ASA-6-725016: Device selects trust-point <TRUSTPOINT NAME> for peer-type interface
You could then send just that message to the console to view, or to a syslog server. Example:
logging list CONSOLE-LIST message 725016
logging console CONSOLE-LIST
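To confirm after a CA cutover which trustpoint the ASA actually selected, the 725016 message quoted above can be pulled out of a syslog feed and counted per trustpoint. This is an added example, not code from the thread or from Cisco; the log lines are constructed, and the hostname/timestamp prefix and the trustpoint names OLD-CA and NEW-CA are assumptions.

```python
import re
from collections import Counter

# Pattern for the message quoted in the thread:
#   %ASA-6-725016: Device selects trust-point <TRUSTPOINT NAME> for peer-type interface
# Assumes the trustpoint name is a single token, as ASA trustpoint names are.
TRUSTPOINT_RE = re.compile(
    r"%ASA-\d-725016: Device selects trust-point (?P<tp>\S+) for peer-type (?P<peer>\S+)"
)

# Constructed sample syslog lines (not from the thread), rsyslog-style prefix assumed.
SAMPLE_LOG = """\
Jun  4 09:01:12 asa01 %ASA-6-725016: Device selects trust-point NEW-CA for peer-type interface
Jun  4 09:01:40 asa01 %ASA-6-725016: Device selects trust-point OLD-CA for peer-type interface
Jun  4 09:02:05 asa01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:...
Jun  4 09:03:17 asa01 %ASA-6-725016: Device selects trust-point NEW-CA for peer-type interface
"""


def trustpoint_selections(log_text):
    """Return (prefix, trustpoint) for every 725016 line, in log order.

    `prefix` is whatever the collector put before the %ASA tag (timestamp, host),
    which is what lets you line a selection up with a user's connect time.
    """
    results = []
    for line in log_text.splitlines():
        m = TRUSTPOINT_RE.search(line)
        if not m:
            continue  # not a trustpoint-selection message
        prefix = line[: m.start()].rstrip()
        results.append((prefix, m.group("tp")))
    return results


def count_by_trustpoint(log_text):
    """How many connections each trustpoint was selected for."""
    return Counter(tp for _, tp in trustpoint_selections(log_text))


def selections_outside(log_text, allowed):
    """Selections that used a trustpoint NOT in `allowed`, e.g. clients still on the old CA."""
    return [(p, tp) for p, tp in trustpoint_selections(log_text) if tp not in allowed]


if __name__ == "__main__":
    print(count_by_trustpoint(SAMPLE_LOG))
    print(selections_outside(SAMPLE_LOG, {"NEW-CA"}))
```

Feed it the output of the logging list above (or a syslog server export) and a non-empty `selections_outside(..., {"NEW-CA"})` tells you which connections have not yet moved to the new certificate.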