Showing results for 
Search instead for 
Did you mean: 
Nathan Farrar

Wildcard certificates for Anyconnect - multiple ASAv

I need to setup Anyconnect on two different ASAv in the Azure cloud. Each is in a different geographic location. I need to have multiple sub-domains for each. I know I'll need a wildcard certificate to make this happen but can I purchase just one certificate and use that on both ASAv? They will be for the same parent domain. 

The reason why I think this might be an issue is due to the process of creating a CSR on the ASAv. Doesn't this tie the certificate to the ASA that generated the CSR? If that is the case I'll have to go with two certificates, correct? Create a CSR from each ASAv and generate the certificates. Otherwise they would need to have the same private key and I'm not familiar enough with the certificate structure to know how to make that work. 


Rahul Govindan

CSR generation on the ASA creates a private and public key (RSA in most cases). The public key and attributes is what you send to the CA to be signed. Once you import the signed certificate, the ASA correlates the private and public key as one.

You can create CSR, and import the certificate on one ASA. You can then export the certificate and private key in a pkcs12 format and import it back into another ASA. This way the same certificate and key stays on both the ASA's.

On a side note: You don't need a wildcard certificate for multiple domains. You can get a multiple domain certificate (UCC). These certificates have a single subject name but multiple subject alternate names (SAN) fields matching all the domains needed.

Certificate install information, import and export is in this doc:

Hi Rahul,

Will your recommendation of exporting the same cert from one ASA and import into another ASA work on a scenario where I want to have 3 distributed ASAs sharing the same fqdn (


My plan is to have 3 ASAs distributed across the country and allow Anyconnect users to connect to the single FQDN and using OGS to let the closest ASA to manage the connection.


Do you think exporting the cert from the ASA that has the cert and export on the others will do the trick?


If I try your other suggestion UCC how will that work?



I don't know if you ever did this or not but I'm doing it on a failover/loadbalance dns and it is working for me.