SSLVPN, Load Balancing and Certificates

Unanswered Question
Aug 21st, 2009


I have a question about SSL VPNs. I have two ASA5510s running as a Load Balancing Cluster with IPSec today; we are working on enabling SSL VPN on them as well, and that is working perfectly. However, I do not understand 100% how I should assign certificates to them. Since the plan is to buy signed SSL certificates, I need to understand this 100%.

My knowledge tells me I would need 3 signed certificates or a wildcard: one certificate for the cluster and one for each ASA box. Is this correct? If so, how do I assign one certificate to the cluster?



Roman Rodichev Mon, 08/24/2009 - 07:59

Hello Arni,

Great question! You just need one wildcard certificate for both ASAs. Here's how it will work (for both the web browser and AnyConnect):

1. The client connects on port 443/https to which translates to the public LB IP address. As long as the master ASA has a wildcard certificate for *, the user sees no warnings.

2. The LB master will HTTP-redirect the client to (the ASA must be able to reverse-resolve one of the ASA's public IPs to the If the ASA's DNS resolution points to an internal DNS server, you'll need to make sure those servers have reverse DNS entries for the individual public IPs).

3. The client reconnects on port 443/https to which translates to the physical public IP of an individual ASA. As long as that ASA has a wildcard certificate for *, the user sees no warnings.

If you have an existing wildcard certificate (i.e. the private key was generated on another host), you can import a PKCS12 certificate (which includes the private key) to each ASA.

If you don't have an existing wildcard certificate, you can:

- generate a new private key on the first ASA
- create a CSR on the first ASA
- provide the CSR to the CA
- the CA will issue the certificate (base64 format)
- import the CA certificate (base64) and the new certificate (base64) on the first ASA
- export the first ASA's certificate in PKCS12 format
- import the PKCS12 certificate on the second ASA

Keep in mind that Windows normally uses PFX format for PKCS12 certificates, while the ASA uses base64 format. If you need to convert from one format to the other, you'll need the openssl tool. Here's how to convert base64 to PFX:

openssl base64 -d -in file.p12 -out file.pfx

You will have a similar configuration on the ASAs:

crypto ca trustpoint TP
 enrollment terminal
 fqdn none
 subject-name CN=*,OU=IT,O=Company,C=US,St=State,L=City
 keypair NEW-RSA-KEY
 crl configure

vpn load-balancing
 redirect-fqdn enable
 priority 1   (2 on the other ASA)
 cluster key TP
 cluster ip address
 cluster encryption

ssl trust-point TP outside
ssl trust-point TP outside vpnlb-ip
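The procedure in the answer above (key and CSR on one box, CA-issued wildcard certificate, PKCS12 export in base64, PKCS12 import on the other box) can be rehearsed offline before paying for the real certificate. The script below is an added example and is not code from the thread or from Cisco: a throwaway CA generated by the script stands in for the commercial CA, "example.com" and the host names vpn/asa1 are assumptions, and the PKCS12 password is arbitrary. It runs the same base64-to-PFX conversion as the openssl line in the answer, confirms the decoded PFX still opens, and then checks which host names the wildcard actually covers, which is the check the VPN client performs both before and after the redirect-fqdn hop.

```shell
#!/bin/sh
# Added example, not from the original thread. A throwaway CA stands in for the
# commercial CA; "example.com", the host names and the password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="example.com"        # assumption: the poster's real domain is not on the page
PFX_PASS="changeit"         # assumption: any PKCS12 export password

# Throwaway CA standing in for the commercial CA that would sign the CSR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Throwaway Test CA/O=Company/C=US" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Private key and CSR as the first ASA would generate them (wildcard CN).
make_csr() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=*.$DOMAIN/OU=IT/O=Company/C=US/ST=State/L=City" \
    -keyout "$WORK/asa.key" -out "$WORK/asa.csr" >/dev/null 2>&1
}

# CA issues the certificate. A subjectAltName is added because browsers and
# AnyConnect match the SAN rather than the CN.
sign_csr() {
  printf 'subjectAltName=DNS:*.%s\n' "$DOMAIN" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/asa.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.cnf" \
    -out "$WORK/asa.pem" >/dev/null 2>&1
}

# Bundle key + certificate + CA into PKCS12 (binary PFX), then base64-encode it,
# which is the text form the ASA exports and imports.
export_p12_base64() {
  openssl pkcs12 -export -inkey "$WORK/asa.key" -in "$WORK/asa.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$PFX_PASS" -out "$WORK/asa.pfx"
  openssl base64 -in "$WORK/asa.pfx" -out "$WORK/asa.p12.b64"
}

# The conversion from the post (base64 text -> binary PFX), plus a check that the
# decoded PFX is byte-identical to the original and still opens with its password.
roundtrip_pfx() {
  openssl base64 -d -in "$WORK/asa.p12.b64" -out "$WORK/roundtrip.pfx"
  [ "$(openssl dgst -sha256 < "$WORK/asa.pfx")" = \
    "$(openssl dgst -sha256 < "$WORK/roundtrip.pfx")" ] || return 1
  openssl pkcs12 -in "$WORK/roundtrip.pfx" -passin "pass:$PFX_PASS" \
    -nokeys -noout >/dev/null 2>&1
}

# Returns 0 if the wildcard certificate chains to the CA and would be accepted
# for host $1; a single-label wildcard covers vpn.example.com and
# asa1.example.com but not example.com itself or deep.asa1.example.com.
cert_matches_host() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/asa.pem" >/dev/null 2>&1
}

make_ca; make_csr; sign_csr; export_p12_base64; roundtrip_pfx
for host in "vpn.$DOMAIN" "asa1.$DOMAIN" "$DOMAIN" "deep.asa1.$DOMAIN"; do
  if cert_matches_host "$host"; then echo "$host: covered"; else echo "$host: NOT covered"; fi
done
```

The last loop is the part worth keeping around: run it against the real certificate (with the real CA bundle as -CAfile) once it arrives, with the cluster FQDN and every per-ASA FQDN from the redirect-fqdn step, before importing it on either box.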



