Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

two 5510's, two ssl-vpn's, single root domain. how many certs?

Hey guys,

I'm hoping you can answer my questions here. I'll lay it out simply and then respond if you need any additional information. I'm setting up two seperate 5510's at two seperate locations. The client wants two seperate SSL-VPN's; one for the HQ and one for the COLO location. They have a single domain for which I have added a-records to point to the corrosponding ASA's thusly:

HQ-ASA = vpn.mycompany.com - 1.1.1.1

COLO-ASA = vpn-colo.mycompany.com - 2.2.2.2

My questions is this: do i need to buy seperate certificates for each ASA/fqdn/IP combo? I'm using godaddy to buy the certs if that helps. If I do need to buy seperate certs, that makes the installation easier, but may waste $$. If I only need to buy one cert, how do I set it up so that both combo's are verified?

I'm in somewhat of a hurry to get this figured out. I'll be monitoring this post.

Thank you,

Josh

CCNA, CCNA-Security

2 REPLIES
New Member

Re: two 5510's, two ssl-vpn's, single root domain. how many cert

I'm thinking a wildcard ssl cert will work. Here's how I think i should configure it:

On the COLO

crypto key generate rsa label my.godaddy.trustpoint modulus 2048

crypto ca trustpoint my.godaddy.trustpoint

keypair my.godaddy.key

fqdn vpn-colo.mycompany.com

subject-name CN=vpn-colo.mycompany.com, OU=IT, O=mycompany corp, C=US, St=Illinois, L=Springfield

enrollment terminal

serial-number

wr mem

!

!Import cert. download cert from CA provider

crypto ca authenticate my.godaddy.trustpoint

!paste in the base64 CA cert string you recieved. make sure the last line is 'quit'

!accept the certificate by answering y

!

!enroll the new cert

crypto ca enroll my.godaddy.trustpoint

!

!Make sure to display cert to terminal and copy that information. the CA you bought your cert

!from will want it.

!

!When you recieve your signed cert back from the CA, import it

crypto ca import my.godaddy.trustpoint certificate

!paste in the base64 CA cert string you recieved. make sure the last line is 'quit'

!

!BACKUP THE CERTS AND PRIVATE KEYS

crypto ca export my.godaddy.trustpoint pkcs 12 hahawhatever

!

On the HQ

crypto key generate rsa label my.godaddy.trustpoint modulus 2048

crypto ca trustpoint my.godaddy.trustpoint

keypair my.godaddy.key

fqdn vpn.mycompany.com

subject-name CN=vpn.mycompany.com, OU=IT, O=mycompany corp, C=US, St=Illinois, L=Moline

enrollment terminal

serial-number

wr mem

Then, use the exported pkcs to import into the HQ ASA with:

crypto ca import my.godaddy.trustpoint pkcs 12 hahawhatever

And on both:

ssl trust-point my.godaddy.trustpoint outside

Am I missing something?

Josh

CCNA, CCNA-Security

New Member

Re: two 5510's, two ssl-vpn's, single root domain. how many cert

Must be a rather difficult question...

526
Views
0
Helpful
2
Replies
CreatePlease login to create content