New Member

ASA VPN SSL 8.4.x: Using different certificates by connection profile

I want to use a different certificate per connection profile. Is it possible on ASA 8.4?

My first certificate is for vpn.itcom.fr, associated with one connection profile, and my second is for vpn.newitcom.fr, associated with a second connection profile.

Thanks

Jeff

Accepted Solution
Cisco Employee

ASA VPN SSL 8.4.x: Using different certificates by connection profile

Hi Jeff,

no, this is not possible (unless the 2 certificates are used on 2 different interfaces, but I guess that that is not what you want) - the reason for this is that the ASA needs to send a certificate to the client/browser when the SSL connection initiates, so before it gets the HTTP GET request (which contains the Host header indicating which hostname you are connecting to). So at that time the ASA would not yet know which of the 2 certs to send.

However, there is an alternative that you may find useful: you can create/request a single certificate that contains both hostnames (there can be only one in the Subject/DN, but you can have multiple SAN - Subject Alternate Name). There may be an additional cost associated with this if you are requesting the cert from a 3rd party CA.

To map a hostname to a connection profile (tunnel-group), you can configure a group-url per tunnel-group.

e.g.

tunnel-group foo webvpn-attributes
  group-url https://vpn.itcom.fr/

(don't know off the top of my head if it should include the trailing slash - try without if it doesn't work).

This part should work regardless of the certificate - you'll just get a certificate warning if the hostname you connect to is not in the ASA cert.

hth

Herbert
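As an added illustration (not part of Herbert's reply or of any Cisco code), the check below mimics the hostname validation a browser or VPN client performs once the ASA has presented its one certificate: a cert carrying only vpn.itcom.fr produces the warning Herbert mentions when the user connects to vpn.newitcom.fr, while a single cert listing both names as SAN entries satisfies both group-urls. The certificate dicts are constructed samples in the shape Python's ssl.getpeercert() returns; the matching rules follow RFC 6125 (SAN dNSName first, CN only as a fallback, wildcard limited to the leftmost label).

```python
# Constructed sample certificates, in the dict layout ssl.SSLSocket.getpeercert()
# returns. Neither is a real certificate from the ASA in the thread.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "vpn.itcom.fr"),),),
    "subjectAltName": (("DNS", "vpn.itcom.fr"),),
}
MULTI_SAN_CERT = {
    "subject": ((("commonName", "vpn.itcom.fr"),),),
    "subjectAltName": (("DNS", "vpn.itcom.fr"), ("DNS", "vpn.newitcom.fr")),
}


def dns_names(cert):
    """Names the certificate is valid for: dNSName SAN entries, or the CN
    only when the certificate carries no dNSName SAN at all."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (key, value) in rdn if key == "commonName"]


def label_match(pattern, hostname):
    """Case-insensitive label-by-label comparison; a single '*' may only stand
    for the whole leftmost label and needs at least two fixed labels after it."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, hostname):
    """True when the hostname the user typed is covered by the presented cert."""
    return any(label_match(name, hostname) for name in dns_names(cert))


def check_connection(cert, hostname):
    """What the client decides after the handshake: the ASA already sent its
    certificate before any Host header arrived, so only this cert can be judged."""
    if hostname_matches(cert, hostname):
        return "ok"
    return "warning: %s is not in the certificate (valid for: %s)" % (
        hostname, ", ".join(dns_names(cert)))
```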

2 REPLIES
New Member

ASA VPN SSL 8.4.x: Using different certificates by connection profile

Hi Herbert,

Thanks a lot for this confirmation and for the workaround.

Have a nice day.

Jeff
