Cisco Support Community
New Member

Digital Certificate requirement in VPN load-balancing mode

Hi,

I have 2 ASAs in VPN load-balancing mode. Please suggest how many digital certificates are required for the same "domain", like https://gateway.xx.com

5 REPLIES
Cisco Employee

Re: Digital Certificate requirement in VPN load-balancing mode

Hi,

Minimum of one.

one CN:

CN=gateway

and 2x SAN:

SAN = gateway-1

SAN = gateway-2

Alternatively (not best practice):

2 certs on each device:

load-balancing certificate (imported into both devices) + identity certificate on each box

Marcin

New Member

Re: Digital Certificate requirement in VPN load-balancing mode

Hi,

I have purchased one cert but don't know how to deploy this in VPN load balancing with two ASAs. Please help me with the deployment guide along with the CN and SAN concepts.

Regards

Tarunava

Cisco Employee

Re: Digital Certificate requirement in VPN load-balancing mode

Tarunava,

If you decide to go with CN + SANs:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso70867

You'd have to use openssl or ask the certificate vendor (if they support SANs) to generate a CSR for you.

Marcin

New Member

Re: Digital Certificate requirement in VPN load-balancing mode

Marcin,

I have one doubt. All my outside interface IPs (including the cluster IP) are statically NATed to three public IP addresses, which are published in a single domain (gateway.X.com) DNS entry. So where is the question of gateway-1 and gateway-2, because I believe all are in the same CN?

Could you please elaborate on the CN and SAN concept, as I am unable to ask the vendor for the type of certificate.

Regards

Tarunava

Cisco Employee

Re: Digital Certificate requirement in VPN load-balancing mode

Tarunava,

This is a simplification, but the CN and SAN basically define what subjects the certificate is valid for.

On the Internet the CN will very often be the URI of the web page you're connecting to (I'm attaching a screenshot of the cert for this forum).

Say you have your site, supportforums.cisco.com, but you also have server-1.cisco.com, which is hosting this service. You'd probably like to have a certificate valid for both.

You could then have a cert with CN=supportforums.cisco.com and SAN=server-1.cisco.com.

It's again a simplification but in my opinion a fair example.

Marcin
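The two points made in this thread, that a single certificate can carry one CN plus several SANs for the load-balancing cluster members, and that openssl can produce a CSR requesting those SANs, can be shown in a small worked example. This is an added example and not code from the thread or from Cisco; the hostnames (gateway.example.com, gateway-1.example.com, gateway-2.example.com) are constructed, and the name-matching rule follows RFC 6125 (SAN entries are consulted first, the CN only when the certificate has no SAN at all; a wildcard covers exactly one label).

```python
"""Which hostnames a CN + SAN certificate covers, and an openssl req config
that asks for those SANs in a CSR. Added example; hostnames are constructed."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """The DNS identities a certificate carries: subject CN plus SAN dNSNames."""
    cn: str
    sans: List[str] = field(default_factory=list)


def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname (case-insensitive).
    A leading '*.' wildcard matches exactly one label and is not accepted
    for names with fewer than three labels (so '*.com' never matches)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(names: CertNames, host: str) -> bool:
    """True if a verifier would accept this certificate for `host`.
    When any SAN is present the CN is ignored entirely, which is why the
    CN name should be repeated in the SAN list (see LB_NAMES below)."""
    if names.sans:
        return any(_name_match(san, host) for san in names.sans)
    return _name_match(names.cn, host)


def openssl_req_config(names: CertNames) -> str:
    """Render an openssl config for
        openssl req -new -newkey rsa:2048 -nodes -keyout gateway.key \
            -out gateway.csr -config gateway.cnf
    The CN goes in the subject; every SAN becomes a DNS.N entry."""
    alt_names = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names.sans, 1))
    return (
        "[ req ]\n"
        "distinguished_name = dn\n"
        "req_extensions = v3_req\n"
        "prompt = no\n\n"
        "[ dn ]\n"
        f"CN = {names.cn}\n\n"
        "[ v3_req ]\n"
        "subjectAltName = @alt_names\n\n"
        "[ alt_names ]\n"
        f"{alt_names}\n"
    )


# Constructed names for a two-member VPN load-balancing cluster. The CN is
# deliberately repeated as DNS.1 so clients that ignore the CN still accept
# the cluster address.
LB_NAMES = CertNames(
    cn="gateway.example.com",
    sans=["gateway.example.com", "gateway-1.example.com", "gateway-2.example.com"],
)

if __name__ == "__main__":
    for host in ("gateway.example.com", "gateway-2.example.com", "gateway-3.example.com"):
        print(f"{host:28} covered={certificate_covers(LB_NAMES, host)}")
    print(openssl_req_config(LB_NAMES))
```

The `certificate_covers` check is the behaviour to keep in mind when deploying the single certificate from the first reply: once the CSR carries a SAN extension, a CN that is not also listed among the SANs is not matched by current clients, so the cluster name belongs in both places.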
