Wildcard SSL cert on ASA

Answered Question
Jul 27th, 2009

Is it possible to use a wildcard SSL cert on an ASA? That is, instead of getting a specific cert with the FQDN of the ASA, we would use the wildcard cert issued?

Correct Answer by Roman Rodichev, Thu, 07/30/2009 - 04:32

Absolutely, it's especially needed in ASA VPN load-balancing environments. When you connect to an FQDN that translates to a load-balancing IP, one of the ASAs will do an HTTP redirect to its individual hostname; your browser (or AnyConnect) will attempt that connection, and the ASA needs to have a certificate for that specific hostname. Having a wildcard cert on all ASAs resolves this. I've got this running at several customers.

If you need help with configuration, let me know.

You can either generate the private keys on the ASA (and later export them to another ASA or to other non-Cisco devices), or you could import an existing wildcard certificate with the private keys (in PKCS12 base64 format).

Regards,

Roman
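As an added example (not part of Roman's answer, and not Cisco documentation), here is the second path he describes done off-box with OpenSSL: generate the wildcard key and CSR, get it signed (a throwaway test CA stands in for the public CA that would sign it in production), bundle key, certificate and issuing CA into the base64 PKCS12 that `crypto ca import <trustpoint> pkcs12 <passphrase>` expects, and then check which hostnames the wildcard certificate actually covers. The domain example.com, the trustpoint name TP-WILDCARD, the passphrase and the hostnames asa1/asa2 are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a wildcard cert
# for "*.example.com" with OpenSSL and packages it for ASA import.
# Assumptions: example.com, the trustpoint name TP-WILDCARD, the passphrase
# and the member hostnames are placeholders; the test CA created here stands
# in for the public CA that would sign the CSR in production.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeme}"   # placeholder; the ASA needs it at import

# Generate the wildcard key and CSR off-box. Because the CSR is not produced
# on an ASA, nothing in it refers to a particular firewall: CN and SAN carry
# only the wildcard plus the bare domain (which "*.example.com" alone would
# not cover).
make_wildcard_csr() {
    cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[ dn ]
CN = *.example.com
O = Example Corp
[ v3_req ]
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.csr" 2>/dev/null
}

# Stand-in for the public CA: a self-signed root that signs the CSR and
# supplies the leaf extensions (SAN, serverAuth) the CA would add.
sign_with_test_ca() {
    cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
    openssl x509 -req -sha256 -days 825 -in "$WORK/wildcard.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/wildcard.pem" 2>/dev/null
}

# Bundle key + cert + issuing CA into a PKCS12 and base64-encode it for
# pasting into the ASA. SHA1/3DES PBE is requested explicitly because older
# ASA images do not understand the AES/PBKDF2 defaults of OpenSSL 3.
make_pkcs12_for_asa() {
    openssl pkcs12 -export -name wildcard \
        -inkey "$WORK/wildcard.key" -in "$WORK/wildcard.pem" \
        -certfile "$WORK/ca.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$P12_PASS" -out "$WORK/wildcard.p12"
    openssl base64 -in "$WORK/wildcard.p12" -out "$WORK/wildcard.p12.b64"
}

# Returns 0 if the PKCS12 opens with the passphrase and holds the wildcard cert.
p12_holds_wildcard_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null \
        | grep -q '\*\.example\.com'
}

# Returns 0 if the chain verifies and the hostname is covered by the cert
# (same matching rule a browser or AnyConnect applies on the redirect).
cert_matches_host() {   # $1 leaf cert, $2 CA cert, $3 hostname
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

make_wildcard_csr
sign_with_test_ca
make_pkcs12_for_asa

echo "On each ASA, paste $WORK/wildcard.p12.b64 after:"
echo "  crypto ca import TP-WILDCARD pkcs12 $P12_PASS"
echo "then bind it with: ssl trust-point TP-WILDCARD outside"

# The redirect target of each cluster member must sit one label under the
# wildcard; deeper names and other domains are not covered.
for h in asa1.example.com asa2.example.com example.com deep.asa1.example.com vpn.other.net; do
    if cert_matches_host "$WORK/wildcard.pem" "$WORK/ca.pem" "$h"; then
        echo "covered:     $h"
    else
        echo "NOT covered: $h"
    fi
done
```

On the ASA the base64 text is pasted after `crypto ca import TP-WILDCARD pkcs12 <passphrase>` and terminated with `quit`; every load-balancing member imports the same bundle. Two things to keep in mind: a wildcard matches exactly one label, so member hostnames such as `asa1.example.com` are covered but `vpn.asa1.example.com` is not, and because all members share one private key, compromise of any single ASA exposes the key that every member and every other host using that wildcard relies on.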

ihernandez81 Tue, 10/09/2012 - 05:47

Roman,

I'm working on an ASA5520 and want to also use wildcard certificates, but I am confused about the export and import of the CSR and keys. I found documentation on how to create the CSR, but when I try to use the CSR on the Entrust certificate request site, there is always information within the CSR that ties it back to the ASA that created the CSR. I found some docs that state to leave the FQDN as "none". Any help you can provide would be appreciated.
