ASA VPN SSL 8.4.x: Using different certificates per connection profile

Answered Question
Dec 6th, 2011

I want to use a different certificate per connection profile. Is it possible on ASA 8.4?


My first certificate is for vpn.itcom.fr, associated with one connection profile, and my second is for vpn.newitcom.fr, associated with a second connection profile.


Thanks


Jeff

Correct Answer by Herbert Baerten (Cisco Employee), Thu, 12/08/2011 - 15:10

Hi Jeff,


no, this is not possible (unless the 2 certificates are used on 2 different interfaces, but I guess that that is not what you want) - the reason for this is that the ASA needs to send a certificate to the client/browser when the SSL connection initiates, so before it gets the HTTP GET request (which contains the Host header indicating which hostname you are connecting to). So at that time the ASA would not yet know which of the 2 certs to send.


However, there is an alternative that you may find useful: you can create/request a single certificate that contains both hostnames (there can be only one in the Subject/DN, but you can have multiple SAN - Subject Alternate Name). There may be an additional cost associated with this if you are requesting the cert from a 3rd party CA.


To map a hostname to a connection profile (tunnel-group), you can configure a group-url per tunnel-group.

e.g.

tunnel-group foo webvpn-attributes
  group-url https://vpn.itcom.fr/


(don't know off the top of my head if it should include the trailing slash - try without if it doesn't work).

This part should work regardless of the certificate - you'll just get a certificate warning if the hostname you connect to is not in the ASA cert.


hth

Herbert
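The two practical pieces behind Herbert's workaround, as an added example that is not part of the original thread and not Cisco code: first, the hostname check a browser or VPN client performs against the certificate the ASA presents (SAN entries take precedence over the Subject CN, a wildcard is honoured only as the whole leftmost label, matching is case-insensitive), which shows why a certificate issued only for vpn.itcom.fr produces a name-mismatch warning for vpn.newitcom.fr; second, an OpenSSL request config that asks the CA for one certificate carrying both names as dNSName SANs. The certificate contents are constructed for the example (no real certificate is parsed), and the `openssl req` invocation in the comment assumes the OpenSSL CLI is available.

```python
"""Hostname coverage check and multi-SAN CSR config (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """Names a certificate asserts: Subject CN plus dNSName SAN entries (constructed)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a hostname.

    A wildcard is accepted only as the entire leftmost label (e.g. *.itcom.fr),
    must leave at least two further labels, and never matches across a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_covered(cert: CertNames, hostname: str) -> bool:
    """True if a client would accept ``cert`` for ``hostname`` without a name warning.

    When any dNSName SAN is present only the SANs are consulted and the CN is
    ignored; the CN is used only as a fallback for SAN-less certificates.
    """
    candidates = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(_label_matches(c, hostname) for c in candidates)


def uncovered_hostnames(cert: CertNames, hostnames: List[str]) -> List[str]:
    """Return the hostnames that would trigger a certificate name-mismatch warning."""
    return [h for h in hostnames if not hostname_covered(cert, h)]


def openssl_san_request_config(common_name: str, san_hostnames: List[str]) -> str:
    """Render an OpenSSL ``req`` config for a CSR that carries several dNSName SANs.

    Usage (assumes the openssl CLI):
      openssl req -new -newkey rsa:2048 -nodes -keyout vpn.key -out vpn.csr -config san.cnf
    The CN is repeated in the SAN list because clients ignore the CN once any
    SAN is present.
    """
    names = list(dict.fromkeys([common_name] + san_hostnames))  # de-duplicate, keep order
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, start=1))
    return (
        "[req]\n"
        "distinguished_name = dn\n"
        "req_extensions = v3_req\n"
        "prompt = no\n"
        "[dn]\n"
        f"CN = {common_name}\n"
        "[v3_req]\n"
        "subjectAltName = @alt_names\n"
        "[alt_names]\n"
        f"{alt}\n"
    )


# Constructed certificates for the two hostnames discussed in the thread.
SINGLE_NAME_CERT = CertNames(common_name="vpn.itcom.fr")
MULTI_SAN_CERT = CertNames(
    common_name="vpn.itcom.fr",
    san_dns=["vpn.itcom.fr", "vpn.newitcom.fr"],
)
VPN_HOSTNAMES = ["vpn.itcom.fr", "vpn.newitcom.fr"]

if __name__ == "__main__":
    print("single-name cert leaves uncovered:", uncovered_hostnames(SINGLE_NAME_CERT, VPN_HOSTNAMES))
    print("multi-SAN cert leaves uncovered:  ", uncovered_hostnames(MULTI_SAN_CERT, VPN_HOSTNAMES))
    print(openssl_san_request_config("vpn.itcom.fr", ["vpn.newitcom.fr"]))
```

Running the block shows the single-name certificate leaving vpn.newitcom.fr uncovered (the warning Herbert describes), the multi-SAN certificate covering both names, and the config that requests such a certificate; the same check is useful after installation to confirm the trustpoint actually carries every group-url hostname.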


jfbesnardeau Fri, 12/09/2011 - 01:09

Hi Herbert,


Thanks a lot for this confirmation and for the workaround.


Have a nice day.


Jeff
