VPN Load Balancing, Certificates, Subject Alternative Names

Devlin Thornicroft · ‎06-05-2015

Hello all

We will be deploying a remote access solution using AnyConnect across two data centres. In each DC we will have 2x ASAs configured in a VPN load-balancing cluster.

As it stands Cisco ASA software does not support generating CSRs with Subject Alternative Names (SAN) which we need so that when the ASA presents its identity certificate the client can validate the cluster vIP/FQDN and the individual cluster member FQDN. I have found this post that describes how to create three certificates and apply them in such a way that we can get around this "issue":

https://supportforums.cisco.com/document/29886/asa-vpn-load-balancingclustering-digital-certificates-deployment-guide

The alternatives are to apply for a 3rd party UCC certificate. The option as it stands is not available to us. The second alternative, and the one suggested by Cisco is to generate a SAN CSR using OpenSSL. This gives us problems with support.

Can anyone provide some guidance/insight/experience on how you have got around this? What did you do, did it work?

Thanks for your help.

Andres Villarroel · ‎06-06-2015

Hello Devlin,

If SAN is not an option, then a wildcard certificate would be your best bet; however, I would suggest you to go with the SAN alternative for security reasons.

Devlin Thornicroft · ‎06-08-2015

Thanks Andres

I have reached out to our Cisco contact for further advice. I am not comfortable with going down the OpenSSL route for CSR with SAN generation for the reasons of support, renewal etc.

I'll see what he says and update this post accordingly.

Thank you