06-29-2010 05:33 AM
I have set up WebVPN with an SSL certificate on an ASA5510, which has worked fine for a while. However, we need to have a second portal on the same machine. I've configured this with the use of the group-url statement in the tunnel-group. Now I need to install a second SSL certificate for the second URL. How is this to be done? I guess I should create a new trustpoint for the second certificate, but afaik I can only attach 1 trustpoint to the outside interface.
Any ideas?
Thanks,
Mike.
06-29-2010 09:53 AM
Mike,
Are you going to host multiple domains on this ASA?
How about using one cert with multiple SANs or a wildcard certificate?
AFAIR you can specify only one certificate, I would need to research this.
Marcin
06-29-2010 08:20 PM
Mike,
On the ASA you can apply just one certificate per interface. If this new tunnel-group (different group-url) will connect to the same interface, you don't need to create a new certificate for it; you can use the one that you are already using.
Group-url 1: asa.company/tunnel1
Group-url 2: asa.company/tunnel2
The previous group-urls will work with the same certificate but both will connect to different webvpn pages. You should not see any warning or something like that.
06-30-2010 12:28 AM
Hi Guys,
Thanks for getting back to me. The already running WebVPN portal has a different group-url than the new one, like https://webvpn.company-x.com, and the second should be https://webvpn.company-y.com. Those are two domains indeed. The operational portal has a certificate which includes the domain name webvpn.company-x.com. If I browse to the second portal now (company-y), I see a mismatch warning that the certificate was created for company-x.com, not for company-y.com (of course). So I need a second certificate for company-y.com. On an IOS box this can be resolved by creating different webvpn gateways with their own public IP addresses. Is there such a thing for ASA?
Thanks,
Mike.
06-30-2010 12:45 AM
Mike,
It's complicated; in theory you can configure another interface, enable webvpn on it, and enable another trustpoint on the other interface.
You can enroll (AFAIR) with different RSA keys based on label.
However, in such a scenario (two public interfaces) you would face problems with routing.
Honestly I don't want to go through all the RFCs to see if it's allowed, but I believe that (conceptually speaking) one certificate with CN (for primary domain) + SANs (for any alternate domain) would work OK.
Marcin
edit:
I briefly read RFC and I don't see anything that would prohibit using SAN in this case.
06-30-2010 02:32 AM
Guys,
Thanks for all your input. I give up since this ASA is not really a shared platform, and this kind of config is not intended for this setup I guess. I will use the option suggested earlier: group-url https://webvpn.company-x.com/company-y.com. This will do the trick, not so neat however ;-)
Thanks,
Mike.
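The mismatch warning Mike describes, and the single-SAN-certificate and wildcard options Marcin raises, come down to how a browser matches the portal hostname against the names in the certificate presented on the outside interface. The following added example (not from the thread, and not Cisco code) implements that RFC 6125-style matching and runs it against constructed certificates standing for the options discussed, including the path-based group-url workaround Mike settled on; the certificate dicts and hostnames are constructed stand-ins, not parsed from real certificates.

```python
# Added example: browser-side hostname matching for the WebVPN portal names
# discussed in the thread. Certificates are constructed dicts, not real X.509.

def hostname_matches(hostname: str, name: str) -> bool:
    """RFC 6125-style comparison of one certificate DNS name against a hostname."""
    host_labels = hostname.lower().rstrip(".").split(".")
    name_labels = name.lower().rstrip(".").split(".")
    if len(host_labels) != len(name_labels):
        return False
    if "*" in name:
        # A wildcard is honoured only as the whole leftmost label, only when at
        # least two fixed labels follow it (so '*.com' is rejected), and it never
        # spans more than one label.
        if name_labels[0] != "*" or len(name_labels) < 3:
            return False
        if any("*" in label for label in name_labels[1:]):
            return False
    return all(p == "*" or p == l for p, l in zip(name_labels, host_labels))

def cert_covers(cert: dict, hostname: str) -> bool:
    """cert = {"cn": str, "san": [dns names]} (constructed stand-in for a parsed cert).
    The CN is consulted only when the certificate carries no DNS SANs at all."""
    candidates = cert["san"] if cert["san"] else [cert["cn"]]
    return any(hostname_matches(hostname, n) for n in candidates)

# Constructed certificates standing for the thread's options.
CERT_X_ONLY = {"cn": "webvpn.company-x.com", "san": ["webvpn.company-x.com"]}
CERT_SAN = {"cn": "webvpn.company-x.com",
            "san": ["webvpn.company-x.com", "webvpn.company-y.com"]}
CERT_WILDCARD_X = {"cn": "*.company-x.com", "san": ["*.company-x.com"]}

# The TLS check only sees the host part, so the path-based workaround
# https://webvpn.company-x.com/company-y.com is matched as webvpn.company-x.com.
PORTALS = ["webvpn.company-x.com", "webvpn.company-y.com"]

def portal_report(cert: dict) -> dict:
    """Which portal hostnames would load without a certificate mismatch warning."""
    return {host: cert_covers(cert, host) for host in PORTALS}

if __name__ == "__main__":
    for label, cert in (("x-only", CERT_X_ONLY), ("san", CERT_SAN),
                        ("wildcard-x", CERT_WILDCARD_X)):
        print(label, portal_report(cert))
```

The wildcard case shows why a `*.company-x.com` certificate does not help here: both portals live under different registered domains, so only a SAN certificate listing both names (or the path-based group-url on the existing hostname) avoids the warning.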