01-14-2013 02:12 PM
Hi,
I am setting up a VPN cluster with three ASA boxes and I am wondering if anyone has any experience using a wildcard certificate with this kind of setup.
I am done with the setup and everything works fine, but as my initial setup (and the doc I have been reading) shows, the client first connects to:
cluster.domain.com
Then the master returns the address or FQDN (I am using FQDN) of the least busy ASA in the cluster:
vpn01.domain.com
or
vpn02.domain.com
or
vpn03.domain.com
Thus I would need 4 certificates to meet my needs. The cluster.domain.com certificate also must be present on all 3 boxes, because the cluster IP is configured on all boxes, and the master role is shifted if one of the boxes fails.
Because of this I thought it would be a good idea to use 1 wildcard certificate (*.domain.com) on all boxes and avoid the hassle.
Any experience or recommendations?
BR,
/K
01-15-2013 03:04 AM
I agree, I would use that for my deployment.
01-15-2013 01:40 AM
Hello Kenneth,
It was working for versions before 9.
On ASA 9 you cannot even install a wildcard certificate to manage the ASA via ASDM, so I guess VPN load balancing with a wildcard certificate will not work either (but I have not tested that).
And it's not a bug - it's a feature - it's a security device and wildcard certificates are strongly discouraged.
--
Michal
01-15-2013 02:58 AM
I have read some more doc and it seems like a UCC certificate with multiple SANs will be the best way to go.
/K
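An added check, not part of the thread and not Cisco code, that makes the trade-off Kenneth lands on concrete: it takes a certificate's SAN entries and reports which of the cluster's hostnames a client would accept the certificate for. The four hostnames are the ones named in the first post; the two SAN lists are constructed stand-ins for a UCC with multiple SANs and for a single wildcard certificate, and the matching rule is the RFC 6125 one (a wildcard only as the whole left-most label, matching exactly one label). It goes slightly beyond the thread by also showing the names a wildcard does not cover (the bare domain and any deeper label), which is worth knowing before relying on one cert for every box.

```python
"""Check whether one certificate's Subject Alternative Names cover every
hostname a VPN load-balancing cluster presents to clients.

Added example (not from the thread). The hostnames are those named in
the post; the two SAN lists are constructed stand-ins for what a UCC
with multiple SANs and a wildcard certificate would carry.
"""
from __future__ import annotations

# Hostnames the cluster uses, taken from the post: clients first hit
# the cluster FQDN, then get redirected to one of the members.
CLUSTER_HOSTS = [
    "cluster.domain.com",
    "vpn01.domain.com",
    "vpn02.domain.com",
    "vpn03.domain.com",
]

# Constructed SAN lists, not real certificates.
UCC_SANS = list(CLUSTER_HOSTS)      # one certificate, four dNSName entries
WILDCARD_SANS = ["*.domain.com"]    # one wildcard dNSName entry


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of a presented dNSName against a hostname.

    A wildcard is honoured only when it is the whole left-most label
    ("*.domain.com"), and it matches exactly one label, so it covers
    "vpn01.domain.com" but neither "domain.com" nor "a.b.domain.com".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the entire first label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse over-broad patterns such as "*.com".
    if len(p_labels) < 3:
        return False
    # Same number of labels, and every label after the first identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def coverage(san_names: list[str], hosts: list[str]) -> dict[str, bool]:
    """Map each required host to whether some SAN entry matches it."""
    return {h: any(hostname_matches(s, h) for s in san_names) for h in hosts}


def uncovered(san_names: list[str], hosts: list[str]) -> list[str]:
    """Hosts for which the certificate would fail hostname verification."""
    return [h for h, ok in coverage(san_names, hosts).items() if not ok]


if __name__ == "__main__":
    # Extra names beyond the cluster's own, to show where a wildcard stops.
    probe = CLUSTER_HOSTS + ["domain.com", "extra.vpn01.domain.com"]
    for label, sans in (("UCC with 4 SANs", UCC_SANS), ("Wildcard", WILDCARD_SANS)):
        print(f"{label}: uncovered -> {uncovered(sans, probe)}")
```

Run it as a script to see both lists cover the four cluster names while neither covers the bare domain or a name one label deeper; swap in the dNSName entries from a real certificate to check a candidate before ordering it.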