WebVPN, multiple portals, multiple SSL certificates

Answered Question

I have set up WebVPN with an SSL certificate on an ASA5510, which has worked fine for a while. However, we need to have a second portal on the same machine. I've configured this with the use of the group-url statement in the tunnel-group. Now I need to install a second SSL certificate for the second URL. How is this to be done? I guess I should create a new trustpoint for the second certificate, but afaik I can only attach 1 trustpoint to the outside interface.

Any ideas?

Thanks,

Mike.

Marcin Latosiewicz Tue, 06/29/2010 - 09:53

Mike,

Are you going to host multiple domains on this ASA?

How about using one cert with multiple SANs or a wildcard certificate?

AFAIR you can specify only one certificate, I would need to research this.

Marcin

Walter Lopez Tue, 06/29/2010 - 20:20

Mike,

On the ASA you can apply just one certificate per interface. If this new tunnel-group (different group-url) will connect to the same interface, you don't need to create a new certificate for it; you can use the one you are already using.

Group-url 1: asa.company/tunnel1

Group-url 2: asa.company/tunnel2

The previous group-urls will work with the same certificate, but both will connect to different webvpn pages. You should not see any warning or anything like that.

Hi Guys,

Thanks for getting back to me. The already running WebVPN portal has a different group-url than the new one, like https://webvpn.company-x.com, and the second should be https://webvpn.company-y.com. Those are two domains indeed. The operational portal has a certificate which includes the domain name webvpn.company-x.com. If I browse to the second portal now (company-y), I see a mismatch warning that the certificate was created for company-x.com, not for company-y.com (of course). So I need a second certificate for company-y.com. On an IOS box this can be resolved by creating different webvpn gateways with their own public IP address. Is there such a thing for ASA?

Thanks,

Mike.

Correct Answer
Marcin Latosiewicz Wed, 06/30/2010 - 00:45

Mike,

It's complicated. In theory you can configure another interface, enable webvpn on it and enable another trustpoint on the other interface.

You can enroll (AFAIR) with different RSA keys based on label.

However, in such a scenario (two public interfaces) you would face problems with routing.

Honestly I don't want to go through all the RFCs to see if it's allowed, but I believe that (conceptually speaking) one certificate with CN (for primary domain) + SANs (for any alternate domain) would work OK.

Marcin

edit:

I briefly read the RFC and I don't see anything that would prohibit using SAN in this case.

http://tools.ietf.org/html/rfc3280#section-4.2.1.7
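The accepted answer proposes a single certificate whose CN covers the primary portal and whose SANs cover the alternate domain, and an earlier reply floats a wildcard certificate instead. The check an administrator wants before requesting either is: will a client accept this certificate for every portal hostname? The following is an added example, not code from the thread or from Cisco. It models the matching rule modern clients apply (SAN dNSName entries take precedence; the CN is consulted only when the certificate has no DNS SANs; a wildcard matches exactly one leftmost label), takes certificates in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns, and uses constructed sample certificates for the two portals named in the thread. The hostnames `webvpn.company-x.com` and `webvpn.company-y.com` come from the question; the certificate contents are made up for the demonstration.

```python
"""Check whether one TLS certificate covers every WebVPN portal hostname.

Added example for this thread (not Cisco's or the forum authors' code).
Assumptions: clients match SAN dNSName entries first and fall back to the
subject CN only when no DNS SANs exist; a wildcard is accepted only as the
whole leftmost label and never spans more than one label.  Certificates are
given in the layout returned by ssl.SSLSocket.getpeercert(), so a live
peer certificate can be passed to the same functions.
"""
from typing import Dict, Iterable, List


def dns_names(cert: dict) -> List[str]:
    """Return the DNS identities a client would match against.

    SAN dNSName entries win; the CN is used only as a fallback when the
    certificate carries no DNS SANs at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.

    A wildcard is honoured only when it is the entire leftmost label, the
    label counts agree (so *.example.com does not cover a.b.example.com),
    and at least two labels follow it (so *.com is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def portal_coverage(cert: dict, portals: Iterable[str]) -> Dict[str, bool]:
    """Map each portal hostname to whether the certificate covers it."""
    names = dns_names(cert)
    return {host: any(name_matches(n, host) for n in names) for host in portals}


# Constructed sample certificates in getpeercert() layout (not real certs).
CERT_X_ONLY = {
    # Today's certificate: CN for company-x only, no SANs.
    "subject": ((("commonName", "webvpn.company-x.com"),),),
}
CERT_WITH_SANS = {
    # The proposed certificate: CN for the primary domain plus a SAN per portal.
    "subject": ((("commonName", "webvpn.company-x.com"),),),
    "subjectAltName": (
        ("DNS", "webvpn.company-x.com"),
        ("DNS", "webvpn.company-y.com"),
    ),
}
CERT_WILDCARD = {
    # A wildcard certificate helps only when both portals share one domain.
    "subject": ((("commonName", "*.company-x.com"),),),
    "subjectAltName": (("DNS", "*.company-x.com"),),
}
PORTALS = ["webvpn.company-x.com", "webvpn.company-y.com"]

if __name__ == "__main__":
    for label, cert in (
        ("CN only", CERT_X_ONLY),
        ("CN + SANs", CERT_WITH_SANS),
        ("wildcard", CERT_WILDCARD),
    ):
        print(f"{label:10s} {portal_coverage(cert, PORTALS)}")
```

Running it shows the CN-only certificate covering only company-x (the mismatch warning Mike sees), the CN + SAN certificate covering both portals, and the wildcard covering only company-x: a wildcard is no substitute for SANs when the portals live under different domains. To test a deployed portal, open a TLS connection with `ssl.create_default_context()` and pass `sock.getpeercert()` to `portal_coverage`.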
