cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2518
Views
2
Helpful
11
Replies

Multiple CA Certificates on the ASA

We currently use certificate based authentication for our end clients 

We want to change the certificate that the user uses to authenticate with 

Can we add the new CA cert to the ASA, to work alongside the existing one. 

How do we force users to use a specific certificate? Is this done with cert matching? 

Many thanks 

11 Replies 11

@is.infrastructure1 you can add another certificate to the ASA.

From the client computer perspective, if they have multiple certificates (the old one and the new one), then create different XML profiles using the Secure Client/AnyConnect profile editor and then create certificate matching rules (match on attribute from the required certificate). When the client connects it will then use that XML profile, which willl then present that certificate (as per the matching rules) to the ASA  for authentication.

Thanks guys. Very helpful. Is there a specific type of certificate required to import on to the ASA? 

I am getting the following error message when loading the certificate onto the ASA:

% Error in saving certificate: status = FAIL

 

 

 

https://m.youtube.com/watch?v=Er5toSsbM8I

This video how you config Cert. Auth anyconnect'

You  need to add root CA to ASA.

MHM

In this video, we're going to configure SSL VPN with AnyConnect using certificate-based authentication

@is.infrastructure1 what have you configured? Provide a screenshot for context.

You need to create a trustpoint, use terminal enrollment. Authenticate the trustpoint and paste the CA certificate.

Thanks guys. 

I've been able to import the certificate to the ASA 

Is there a way of proving the connection is using a specific certificate?

I cant see anything in the 'show vpn-sessiondb detail anyconnect......'  command

Can I see show vpn sessiondb anyconnect detail 

MHM

Debug crypto ca 14

try disconnect and re-connect Anyconnect

then check CA 
I will check simple way via show and update you

MHM

As I mention there is no direct way

You can use 

Debug crypto ca 14 or 255

Or 

Debug webvpn anyconnect 255

Look for log message 

Asa-7-717030

Thanks 

MHM

 

@is.infrastructure1 I am not sure there is an obvious way to check, but you could check the SYSLOG message generated, such as the following which confirms which trustpoint was matched.

%ASA-6-725016: Device selects trust-point <TRUSTPOINT NAME> for peer-type interface

You could then send just that message to the console to view or a syslog server. Example:-

logging list CONSOLE-LIST message 725016
logging console CONSOLE-LIST