2600 Views, 20 Helpful, 4 Replies

Question about multiple certificates on an ASA

mat_rouch
Level 1

I have an ASA5540 running 8.4(3) which has CA and identity certificates from godaddy.com installed, identifying the ASA to VPN remote users (they are using the AnyConnect client.)

There is also a separate certificate server located on the inside LAN that is used for internal purposes. All client workstations have identity certs from this internal server.

We would like to be able to continue using the existing godaddy CA/identity certs to identify the ASA to the clients, but we'd like to use the internal CA server to identify the clients when they initiate the AnyConnect session to the ASA.

Can this be done? I have seen other postings that state you cannot have more than one cert on an interface, but this is a little different - only one cert needs to be used to identify the ASA. The other one is only to identify the users. The ASA did allow me to import the internal CA cert.

If it can be done, could someone point me to an example config?

Thanks,

-Mathew

Accepted Solution

danmoren
Level 1

Hello Matthew,

Your statement is correct.

You can have the GoDaddy certificate to identify the ASA to the clients; this Identity certificate is the one you apply on the outside interface.

Then, you can have a certificate from a different CA (Certificate Authority), in your case an internal CA, to identify the clients to the ASA. You just need to install the Root and Intermediate (if any) certificates of this new CA in your ASA.

The ASA will check the client's identity against all of the CA certificates installed in it until there is a validation of the certificate or it denies the connection.

You will need to use certificate authentication in the tunnel group used by your Anyconnect clients:

tunnel-group Anyconnect-group webvpn-attributes
  authentication certificate

I hope this helps.

Daniel Moreno

VPN

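The full configuration the accepted answer describes, written out as an added example for this thread (it is not Daniel's configuration or Cisco's documentation). Trustpoint names, key-pair name, hostnames, the group-policy name and the issuer attributes (GODADDY-TP, GODADDY-KEY, INTERNAL-CA, vpn.corp.example.com, Anyconnect-policy, "Internal-CA", "Example Corp") are assumed; only "Anyconnect-group" and "authentication certificate" come from the answer. It goes one step beyond the thread: because the ASA validates a client certificate against every CA trustpoint it holds, the GoDaddy CA would also validate a client certificate issued by GoDaddy, so the last two sections pin AnyConnect client authentication to the internal CA.

```cisco
! Added example, not from the original thread. All names below are assumed.
!
! 1. GoDaddy trustpoint: holds the CA chain AND the ASA's identity cert.
!    Import the CA cert with "crypto ca authenticate GODADDY-TP",
!    then the signed identity cert with "crypto ca import GODADDY-TP certificate".
crypto ca trustpoint GODADDY-TP
 enrollment terminal
 fqdn vpn.corp.example.com
 subject-name CN=vpn.corp.example.com,O=Example Corp
 keypair GODADDY-KEY
 crl configure
!
! 2. Internal CA trustpoint: CA certificate only, no identity certificate
!    and no enrollment. Import the root with "crypto ca authenticate INTERNAL-CA"
!    (paste the PEM). Each intermediate CA, if any, gets its own trustpoint
!    imported the same way.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 revocation-check crl
 crl configure
!
! 3. Present the GoDaddy identity certificate to clients on the outside
!    interface. Only one identity cert per interface; this is it.
ssl trust-point GODADDY-TP outside
!
! 4. Require a client certificate on the AnyConnect tunnel group
!    (the one line the accepted answer gives, in context).
group-policy Anyconnect-policy internal
group-policy Anyconnect-policy attributes
 vpn-tunnel-protocol ssl-client
tunnel-group Anyconnect-group type remote-access
tunnel-group Anyconnect-group general-attributes
 default-group-policy Anyconnect-policy
tunnel-group Anyconnect-group webvpn-attributes
 authentication certificate
 group-alias anyconnect enable
!
! 5. Caveat: with no further config, ANY CA trustpoint on the box (including
!    the GoDaddy one) can validate a client certificate. Restrict the trustpoints
!    to their intended use. "validation-usage" is assumed to exist on the
!    running release; confirm with "validation-usage ?" in trustpoint config.
crypto ca trustpoint GODADDY-TP
 validation-usage ssl-server
crypto ca trustpoint INTERNAL-CA
 validation-usage ssl-client
!
! 6. Map client certs issued by the internal CA to the tunnel group, so
!    users are placed by issuer rather than by picking a group alias.
!    Issuer attribute values are assumed; copy them from "show crypto ca
!    certificates INTERNAL-CA".
crypto ca certificate map INTERNAL-CLIENTS 10
 issuer-name attr cn eq Internal-CA
 issuer-name attr o eq Example Corp
!
webvpn
 enable outside
 anyconnect enable
 certificate-group-map INTERNAL-CLIENTS 10 Anyconnect-group
```

After applying it, "show crypto ca certificates" should list an identity certificate only under GODADDY-TP and a CA certificate only under INTERNAL-CA, and "debug crypto ca 3" during a test connection shows which trustpoint validated the client certificate. Leaving out step 5 still works functionally, which is exactly why it is easy to miss: any certificate chaining to any installed CA would then be accepted as a client identity.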

4 Replies


Matthew,

In addition to the previous post (5 stars), please check this Doc for further reference:

AnyConnect Certificate Based Authentication

Keep us posted

Please rate any post you find useful.

mat_rouch
Level 1

Thanks Daniel, that was exactly what I needed to know.

Thanks for the link, Javier.

-Mathew

You are welcome

Nice to know you found what you were looking for.

Have a good one.