Renewing SSL WebVPN Cert on ASA5540

S891
Level 2

Hi,

The SSL Web VPN certificate on my ASA 5540 pair is expiring. I have received a new certificate from COMODO. The current certificate was created 3 years ago using a 1024 bit key. I have received a certificate from the CA. The CSR request was generated by my colleague who is on vacation, unfortunately.

a. Now I am trying to figure out whether it was a 2048 key CSR request?

b. I am also not sure whether I need a new Identity Certificate and new key pair with 2048 size?

c. Also not too sure about the Trust Point to associate with the key.

d. Can I use all old settings and just copy paste the certificate?

e. Also what will I have to do on the secondary ASA?

I am guessing that since I am just renewing the certificate I don’t have to follow all steps. For the following link it looks like I just need to start from step 8. Can anyone please confirm or suggest a better link!!

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

1 Reply

Marvin Rhoads
Hall of Fame

That procedure is a good one to follow. You should see the pending certificate request if indeed the CSR was made from that ASA. Once you import, save, and validate that the new certificate is being used, you should be OK. The bottom of that procedure addresses the steps to synchronize the certificate on the standby unit.

The trustpoint your SSL VPN is using should be the one bound to the outside interface. It is identified in the configuration file with a line like:

     ssl trust-point outside

You can find it in ASDM by using the command line tool and entering the command "show run | i trust-point".
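The checks and import steps described above, written out as an added ASA CLI example (not from this thread or the linked Cisco document). The trustpoint name "outside-tp", key label "outside-key-2048" and subject name are assumed placeholders; use whatever "show run" reports on your unit.

```cisco
! 1. Which trustpoint the SSL VPN actually uses (question c)
show run ssl
show run | include trust-point

! 2. Size of the key pair behind that trustpoint (question a)
!    "Modulus Size (bits)" tells you whether the existing key is 1024 or 2048
show crypto ca trustpoints outside-tp
show crypto key mypubkey rsa

! 3. A pending enrollment request here means the CSR was generated on this ASA,
!    so the issued certificate can simply be imported into the same trustpoint
show crypto ca certificates outside-tp

! 4. Only if the key is still 1024-bit and no pending request exists:
!    generate a 2048-bit key pair, a new trustpoint, and a fresh CSR (question b)
crypto key generate rsa label outside-key-2048 modulus 2048
crypto ca trustpoint outside-tp-2048
 enrollment terminal
 keypair outside-key-2048
 subject-name CN=vpn.example.com,O=Example
crypto ca enroll outside-tp-2048

! 5. Import the certificate issued by the CA (paste the PEM text, finish with "quit")
!    and make sure the outside interface uses that trustpoint (question d)
crypto ca import outside-tp certificate
ssl trust-point outside-tp outside

! 6. Confirm the new validity dates before saving
show crypto ca certificates outside-tp
write memory
```

After saving, carry out the standby-unit steps from the linked procedure and repeat "show crypto ca certificates" on the secondary ASA to confirm both units serve the renewed certificate (question e).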