cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1850
Views
20
Helpful
4
Replies
Beginner

Question about multiple certificates on an ASA

I have an ASA5540 running 8.4(3) which has CA and identity certificates from godaddy.com installed, identifying the ASA to VPN remote users (the are using the anyconnect client.)

There is also a separate certificate server located on the inside LAN that is used for internal purposes.  All client workstations have identity certs from this internal server.

We would like to be able to continue using the existing godaddy CA/identity certs to identify the ASA to the clients, but we'd like to use the internal CA server to identify the clients when they initiate the AnyConnect session to the ASA.

Can this be done?  I have seen other postings that state you cannot have more than one vert on an interface, but this is a little different - only one cert needs to be used to identify the ASA.  The other one is only to identify the users.  The ASA did allow me to import the internal CA cert.

If it can be done, could someone point me to an example config?

Thanks,

-Mathew

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Question about multiple certificates on an ASA

Hello Matthew,

Your statement is correct.

You can have the GoDaddy certificate to identify the ASA to the clients, this Identity certificate is the one you apply on the outside interface.

Then, you can have certificate from a different CA (Certificate Authority), in your case and internal CA to identify the clients to the ASA. You just need to install the Root and Intermediate (if any) certificates of this new CA in your ASA.

The ASA will check the client's identity against all of the CA certificates installed in it until there is a validation of the certificate or it denies the connection.

You will need to use certificate authentication in the tunnel group used by your Anyconnect clients:

tunnel-group Anyconnect-group webvpn-attributes

  authentication certificate

I hope this helps.

Daniel Moreno

VPN

View solution in original post

4 REPLIES 4
Highlighted
Beginner

Question about multiple certificates on an ASA

Hello Matthew,

Your statement is correct.

You can have the GoDaddy certificate to identify the ASA to the clients, this Identity certificate is the one you apply on the outside interface.

Then, you can have certificate from a different CA (Certificate Authority), in your case and internal CA to identify the clients to the ASA. You just need to install the Root and Intermediate (if any) certificates of this new CA in your ASA.

The ASA will check the client's identity against all of the CA certificates installed in it until there is a validation of the certificate or it denies the connection.

You will need to use certificate authentication in the tunnel group used by your Anyconnect clients:

tunnel-group Anyconnect-group webvpn-attributes

  authentication certificate

I hope this helps.

Daniel Moreno

VPN

View solution in original post

Highlighted

Re: Question about multiple certificates on an ASA

Matthew,

In addition to the previous post (5 stars), please check this Doc for further reference:

AnyConnect Certificate Based Authentication

Keep us posted

Please rate any post you find useful.

Highlighted
Beginner

Question about multiple certificates on an ASA

Thanks Daniel, that was exactly what I needed to know.

Thanks for the link, Javier.

-Mathew

Highlighted

Question about multiple certificates on an ASA

You are welcome

Nice to know you found what you were looking for.

Have a good one.