Multiple certificates on an ASA for SSL VPN (different URLs)

Dec 16th, 2008

I want to install multiple (real) certificates on an ASA for the purpose of using multiple SSL VPN pages. For instance:

www.server1.com/portal1 (resolves to outside IP of ASA and gets assigned a tunnel-group via the /portal1)

www.server2.com/portal2 (also resolves to outside IP of ASA, but gets assigned a different tunnel-group via /portal2)

I have installed the public cert for server1.com and it works fine. However, it looks like you can only bind one certificate to an interface. Since you can clearly install many certificates on the box, I assume there has to be a way to bind multiple certs to the outside interface (or map them to different tunnel-groups). The only certificate mapping stuff I see in ASDM is for client certificate authentication stuff.

Any help would be greatly appreciated.

Thanks,

Dave

fsmontenegro Fri, 02/20/2009 - 08:40

Hi, I'm looking into the same issue. One workaround I just came across is "UC certificates" that have multiple subjects under the same cert. There are obvious issues with scalability and ongoing management, but it may be useful in your case. Take a look at:

http://www.digicert.com/subject-alternative-name.htm

Let me know if you come across any other solutions/workarounds.
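
Added example (not part of the thread or any poster's code): the multi-name ("UC"/SAN) certificate workaround described in the reply above starts with a CSR that lists every portal hostname in subjectAltName. This sketch builds one with OpenSSL for the two hostnames from the question and reports any name that is missing; the file names and the organization value are assumptions.

```bash
# Build a CSR whose subjectAltName covers every hostname that resolves to the
# ASA's outside interface, then verify the names before sending it to the CA.
# File names (san.cnf, vpn.key, vpn.csr) and "Example Org" are assumptions.

make_san_csr() {
    # usage: make_san_csr <outdir> <primary-fqdn> [additional-fqdn ...]
    local outdir=$1; shift
    local cn=$1 i=1 name
    mkdir -p "$outdir" || return 1
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
        printf '[dn]\nCN = %s\nO = Example Org\n' "$cn"
        printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
        # The primary name is repeated in the SAN list: clients match on SAN, not CN.
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$outdir/san.cnf"
    # umask keeps the unencrypted private key readable by the owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$outdir/vpn.key" -out "$outdir/vpn.csr" \
          -config "$outdir/san.cnf" 2>/dev/null )
}

csr_san_names() {
    # Print the dNSName entries of a CSR, one per line.
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

missing_names() {
    # usage: missing_names <csr> <fqdn ...>; prints each name absent from the SAN list
    local csr=$1; shift
    local have name
    have=$(csr_san_names "$csr")
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Demo in a temporary directory with the two hostnames from the question.
demo_dir=$(mktemp -d)
make_san_csr "$demo_dir" www.server1.com www.server2.com && csr_san_names "$demo_dir/vpn.csr"
```

Every hostname added later means reissuing the certificate and replacing it on the interface, which is the ongoing-management cost mentioned in the reply.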

drbenham Mon, 02/23/2009 - 05:55

Thanks for your reply. Your workaround is the only one I've been able to come up with myself, too. And it is not feasible as an ongoing solution in this case. The customer wound up purchasing an ACE server to do SSL acceleration.

Dave
