08-21-2009 12:52 AM
Hi,
I have a question about SSL VPNs. I have two ASA5510s running as a Load Balancing Cluster with IPSec today. We are working on enabling SSL VPN on them as well, and that is working perfectly; however, I do not understand 100% how I should assign certificates for them. Since the plan is to buy signed SSL certificates, I need to understand this 100%.
My knowledge tells me I would need 3 signed certificates or a wildcard: one certificate for the cluster and one for each ASA box. Is this correct? If so, how do I assign one certificate to the cluster?
thanks,
Arni
08-24-2009 07:59 AM
Hello Arni,
Great question! You just need one wildcard certificate for both ASAs. Here's how it will work (for both Web Browser and AnyConnect):
1. Client connects on port 443/https to lb-name.company.com which translates to public LB IP address. As long as master ASA has wildcard certificate for *.company.com, user sees no warnings.
2. LB master will HTTP redirect the client to one-of-the-ASAs.company.com (the ASA must be able to reverse-DNS resolve one of the ASAs' public IPs to one-of-the-ASAs.company.com. If the ASA's DNS resolution points to an internal DNS server, you'll need to make sure those servers have reverse DNS entries for the individual public IPs).
3. Client reconnects on port 443/https to one-of-the-ASAs.company.com which translates to physical Public IP of an individual ASA. As long as that ASA has wildcard certificate for *.company.com, user sees no warnings.
If you have an existing wildcard certificate (private key was generated on another host), you can import PKCS12 certificate (which includes private key) to each ASA.
If you don't have an existing wildcard certificate, you can:
- generate new private key on the first ASA
- create CSR on the first ASA
- provide CSR to the CA
- CA will issue certificate (base64 format)
- import CA certificate (base64) and new certificate (base64) on the first ASA
- export first ASA's certificate in PKCS12 format
- import PKCS12 format certificate on the second ASA
Keep in mind that Windows OS normally uses PFX format for PKCS12 certificate, while ASA uses BASE64 format. If you need to convert from one format to the other, you'll need to use openssl tool. Here's how to convert BASE64 to PFX:
openssl base64 -d -in file.p12 -out file.pfx
You will have similar configuration on ASAs:
crypto ca trustpoint TP
enrollment terminal
fqdn none
subject-name CN=*.company.com,OU=IT,O=Company,C=US,St=State,L=City
keypair NEW-RSA-KEY
crl configure
!
vpn load-balancing
redirect-fqdn enable
priority 1 (2 on the other ASA)
cluster key TP
cluster ip address
cluster encryption
participate
!
ssl trust-point TP outside
ssl trust-point TP outside vpnlb-ip
Regards,
Roman
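The two checks a practitioner wants before buying that wildcard are (a) that the one certificate really covers every name a client sees in the three-step flow above (the cluster FQDN and each ASA's own FQDN) and (b) that the base64 PKCS12 blob exported from the first ASA decodes to a well-formed binary PFX before it is handed to a Windows box. The script below is an added example, not Roman's code or anything from Cisco; it uses only the Python standard library. The hostnames asa1.company.com/asa2.company.com and the "-----BEGIN/END PKCS12-----" armor lines are assumptions for illustration, and the sample PKCS12 blob is a constructed minimal DER structure, not a real keystore.

```python
import base64

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Browser-style (RFC 6125) wildcard check: '*' is accepted only as the
    entire leftmost label and matches exactly one label, so *.company.com
    covers lb-name.company.com but not company.com or a.b.company.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False          # partial or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False          # refuse overly broad '*.com' style patterns
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def cluster_coverage(cert_names, lb_fqdn, asa_fqdns):
    """Map every FQDN a client will connect to (cluster name first, then the
    per-ASA name it is redirected to) onto whether any name in the
    certificate matches it. A False anywhere means a browser warning."""
    names_seen = [lb_fqdn, *asa_fqdns]
    return {
        fqdn: any(wildcard_matches(n, fqdn) for n in cert_names)
        for fqdn in names_seen
    }

def base64_p12_to_pfx(b64_text: str) -> bytes:
    """Turn the ASA's base64 PKCS12 export into the binary PFX Windows
    expects (what 'openssl base64 -d' does), stripping assumed
    -----BEGIN/END----- armor lines and sanity-checking the result starts
    with an ASN.1 SEQUENCE tag (0x30), as every PKCS12 file must."""
    body = "".join(
        line.strip() for line in b64_text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE; not a PKCS12 blob")
    return der

# Constructed sample: a minimal DER SEQUENCE { INTEGER 3 } (the PKCS12
# version field), base64-encoded and armored the way an ASA export looks.
SAMPLE_P12_BASE64 = (
    "-----BEGIN PKCS12-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x03").decode()
    + "\n-----END PKCS12-----\n"
)

if __name__ == "__main__":
    cov = cluster_coverage(["*.company.com"], "lb-name.company.com",
                           ["asa1.company.com", "asa2.company.com"])
    for fqdn, ok in cov.items():
        print(f"{fqdn:25s} {'covered' if ok else 'BROWSER WARNING'}")
    pfx = base64_p12_to_pfx(SAMPLE_P12_BASE64)
    print(f"PFX bytes: {pfx.hex()}")
```

Run the coverage check with the real cluster and per-ASA FQDNs before ordering the certificate; if either ASA's name sits one label deeper than the cluster name (for example asa1.dc1.company.com), the wildcard will not cover it and step 3 of the flow will produce a warning.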