Wildcard certificates for Anyconnect - multiple ASAv
I need to set up Anyconnect on two different ASAv in the Azure cloud. Each is in a different geographic location. I need to have multiple sub-domains for each. I know I'll need a wildcard certificate to make this happen, but can I purchase just one certificate and use that on both ASAv? They will be for the same parent domain.
The reason why I think this might be an issue is due to the process of creating a CSR on the ASAv. Doesn't this tie the certificate to the ASA that generated the CSR? If that is the case I'll have to go with two certificates, correct? Create a CSR from each ASAv and generate the certificates. Otherwise they would need to have the same private key and I'm not familiar enough with the certificate structure to know how to make that work.
CSR generation on the ASA creates a private and public key (RSA in most cases). The public key and attributes are what you send to the CA to be signed. Once you import the signed certificate, the ASA correlates the private and public key as one.
You can create a CSR and import the certificate on one ASA. You can then export the certificate and private key in PKCS12 format and import it into the other ASA. This way the same certificate and key stay on both ASAs.
On a side note: You don't need a wildcard certificate for multiple domains. You can get a multiple domain certificate (UCC). These certificates have a single subject name but multiple subject alternate names (SAN) fields matching all the domains needed.
Certificate install information, import and export is in this doc:
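The side note above hinges on how clients match a hostname against a certificate's names: a wildcard such as `*.example.com` covers exactly one label, so it fits `vpn-east.example.com` and `vpn-west.example.com` but not `vpn.east.example.com`, whereas a UCC cert lists each head-end name explicitly. The following is an added example (not from this thread, nor Cisco's code) implementing the RFC 6125 matching rules and checking which ASA FQDNs a given SAN list covers; the hostnames are constructed.

```python
"""Check which ASA FQDNs a certificate's SAN dNSName list covers.

Implements the hostname-matching rules of RFC 6125 section 6.4.3 as
modern TLS clients apply them: a wildcard is only honoured as the entire
left-most label and matches exactly one label.
"""
from typing import Dict, Iterable, List, Optional


def _labels(name: str) -> List[str]:
    # Case-insensitive comparison; a trailing dot (FQDN form) is ignored.
    return name.lower().rstrip(".").split(".")


def hostname_matches(hostname: str, san_dns_name: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname."""
    host = _labels(hostname)
    pattern = _labels(san_dns_name)
    if "*" not in san_dns_name:
        return host == pattern
    # Wildcard must be the whole left-most label ("*.example.com");
    # partial wildcards ("vpn*.example.com") or wildcards elsewhere are rejected.
    if pattern[0] != "*" or any("*" in label for label in pattern[1:]):
        return False
    # Refuse over-broad wildcards such as "*.com".
    if len(pattern) < 3:
        return False
    # Exactly one non-empty label: "*.example.com" covers "vpn-east.example.com"
    # but not "vpn.east.example.com" or the bare "example.com".
    return len(host) == len(pattern) and host[0] != "" and host[1:] == pattern[1:]


def coverage(asa_fqdns: Iterable[str], san_dns_names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each ASA FQDN to the SAN entry that covers it (None if uncovered)."""
    sans = list(san_dns_names)
    return {fqdn: next((s for s in sans if hostname_matches(fqdn, s)), None) for fqdn in asa_fqdns}


if __name__ == "__main__":
    # Constructed sample names: two ASAv head-ends in different regions plus a
    # deeper sub-domain, all under the same parent domain.
    asas = ["vpn-eastus.example.com", "vpn-westeu.example.com", "vpn.eastus.example.com"]
    wildcard_cert = ["*.example.com"]
    ucc_cert = ["vpn-eastus.example.com", "vpn-westeu.example.com", "vpn.eastus.example.com"]
    for label, sans in (("wildcard", wildcard_cert), ("UCC/SAN", ucc_cert)):
        for fqdn, matched in coverage(asas, sans).items():
            print(f"{label:9} {fqdn:26} -> {matched or 'NOT COVERED'}")
```

Run the script to see that the wildcard leaves the deeper `vpn.eastus.example.com` uncovered while the UCC list covers every name it enumerates; either way, both ASAs must hold the same certificate and private key, as described above.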