
Two 5510s, two SSL VPNs, single root domain. How many certs?

joshuawold
Level 1

Hey guys,

I'm hoping you can answer my questions here. I'll lay it out simply and then respond if you need any additional information. I'm setting up two separate 5510s at two separate locations. The client wants two separate SSL VPNs: one for the HQ and one for the COLO location. They have a single domain, for which I have added A records pointing to the corresponding ASAs thusly:

HQ-ASA = vpn.mycompany.com - 1.1.1.1

COLO-ASA = vpn-colo.mycompany.com - 2.2.2.2

My question is this: do I need to buy separate certificates for each ASA/FQDN/IP combo? I'm using GoDaddy to buy the certs, if that helps. If I do need to buy separate certs, that makes the installation easier, but may waste $$. If I only need to buy one cert, how do I set it up so that both combos are verified?

I'm in somewhat of a hurry to get this figured out. I'll be monitoring this post.

Thank you,

Josh

CCNA, CCNA-Security

2 Replies

joshuawold
Level 1

I'm thinking a wildcard SSL cert will work. Here's how I think I should configure it:

On the COLO

! Generate the RSA key pair; the keypair label under the trustpoint must match the label given here
crypto key generate rsa label my.godaddy.trustpoint modulus 2048
crypto ca trustpoint my.godaddy.trustpoint
 keypair my.godaddy.trustpoint
 fqdn vpn-colo.mycompany.com
 subject-name CN=vpn-colo.mycompany.com, OU=IT, O=mycompany corp, C=US, ST=Illinois, L=Springfield
 enrollment terminal
 serial-number
wr mem
!
! Import the CA cert. Download the CA cert from the CA provider.
crypto ca authenticate my.godaddy.trustpoint
! Paste in the base64 CA cert string you received. Make sure the last line is 'quit'.
! Accept the certificate by answering y.
!
! Enroll the new cert (generates the CSR)
crypto ca enroll my.godaddy.trustpoint
!
! Make sure to display the request to the terminal and copy that information; the CA you bought your cert
! from will want it.
!
! When you receive your signed cert back from the CA, import it
crypto ca import my.godaddy.trustpoint certificate
! Paste in the base64 identity cert string you received. Make sure the last line is 'quit'.
!
! BACK UP THE CERTS AND PRIVATE KEYS (passphrase protects the exported PKCS#12)
crypto ca export my.godaddy.trustpoint pkcs12 hahawhatever
!

On the HQ

crypto key generate rsa label my.godaddy.trustpoint modulus 2048
crypto ca trustpoint my.godaddy.trustpoint
 keypair my.godaddy.trustpoint
 fqdn vpn.mycompany.com
 subject-name CN=vpn.mycompany.com, OU=IT, O=mycompany corp, C=US, ST=Illinois, L=Moline
 enrollment terminal
 serial-number
wr mem

Then, use the exported PKCS#12 to import into the HQ ASA with:

crypto ca import my.godaddy.trustpoint pkcs12 hahawhatever

And on both:

ssl trust-point my.godaddy.trustpoint outside

Am I missing something?

Josh

CCNA, CCNA-Security
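The reply above proposes a wildcard certificate, and the underlying question is whether one certificate can cover both headend FQDNs. As an added example (not from the original thread, and not Cisco's or GoDaddy's code), the Python below implements the RFC 6125 hostname-matching rules that browsers and VPN clients apply to a certificate's CN and DNS SANs, and runs them over three constructed name sets: a single-name cert, a `*.mycompany.com` wildcard, and a multi-domain (SAN) cert listing both names. The hostnames come from the post; the function names and name lists are assumptions for illustration.

```python
"""RFC 6125-style hostname matching: does one certificate cover both VPN headends?

Added example, not from the original thread. The certificate name lists below
are constructed to model the purchase options discussed in the post.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # Exact label match; a lone '*' matches any single label.
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or DNS SAN) covers hostname.

    Rules follow RFC 6125 section 6.4.3 as clients commonly apply them:
    - comparison is case-insensitive and label-by-label;
    - a wildcard is only honoured as the entire left-most label ('*.example.com');
    - the wildcard matches exactly one label, so '*.mycompany.com' does not cover
      'mycompany.com' or 'a.b.mycompany.com';
    - a wildcard needs at least two labels to its right, so '*.com' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(cert_names, hostname):
    """True if any name the certificate asserts covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name sets for the three options: one single-name cert,
# one wildcard cert, and one multi-domain (SAN/UCC) cert.
SINGLE_NAME_CERT = ["vpn.mycompany.com"]
WILDCARD_CERT = ["*.mycompany.com"]
SAN_CERT = ["vpn.mycompany.com", "vpn-colo.mycompany.com"]

# The two headend FQDNs from the post.
HEADENDS = ["vpn.mycompany.com", "vpn-colo.mycompany.com"]


def coverage_report(cert_names, hosts=HEADENDS):
    """Map each VPN FQDN to whether the certificate covers it."""
    return {h: cert_covers(cert_names, h) for h in hosts}


if __name__ == "__main__":
    for label, names in [("single-name", SINGLE_NAME_CERT),
                         ("wildcard", WILDCARD_CERT),
                         ("SAN", SAN_CERT)]:
        print(label, coverage_report(names))
```

Both the wildcard and the SAN certificate cover the two headends; the single-name cert does not. The edge cases the matcher rejects (the bare domain, a name two levels below the wildcard, a partial wildcard such as `vpn*.mycompany.com`) are the limits of what a wildcard buys you. One thing to weigh in the reply's approach: the PKCS#12 export/import step places the same private key on both ASAs, so a compromise of either device exposes the key that both rely on; enrolling each ASA with its own key (a SAN certificate per device, or two certificates) keeps the keys distinct at the cost of two enrollments.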

Must be a rather difficult question...