Mystical_Ice
asked on
Cisco ASA 5515 - How renew SSL certiciate?
Hi
Cisco ASA 5515, running 9.5(2), so the latest and greatest.
ADSM 7.5(2)153.
It has a certificate that's attached to the outside interface used for SSL VPNs and AnyConnect too I suppose. Certificate was issued by GoDaddy, but expires in the next week or two.
I went to GoDaddy and 'renewed' the certificate (didn't have to generate a CSR or anything) but I just want some clarification on how to apply it? They sent me the certificate as well as the intermediate (I think) file entitled "gd_bundle-g2-g1.crt". I opened that file in notepad and there are actually THREE certificates inside it.
When I navigate on the current ASA to "Certificate Management" and "CA Certificates", the list is empty - there's no certificate in there. I thought that was where the intermediate certificates went, but this has been working for years, with dozens of users connecting daily via VPN so i'm hesitant to do something that's going to break it if not necessary.
In "Identity certificate" (see attachment 1) there are the two certificates - one looks to be self-generated, but it's the godaddy one (that expires Feb 2016) that is in use. Also attaching (see attachment 2) the window that shows what's attached to the interface.
Want to see what I need to do to correctly import (re-generating if necessary) the certificate to ensure no downtime.
Also there are two 5515s connected in failover mode - all work is done on the primary, but want to make sure I don't have to load the certificate on the secondary as well?
Cisco ASA 5515, running 9.5(2), so the latest and greatest.
ADSM 7.5(2)153.
It has a certificate that's attached to the outside interface used for SSL VPNs and AnyConnect too I suppose. Certificate was issued by GoDaddy, but expires in the next week or two.
I went to GoDaddy and 'renewed' the certificate (didn't have to generate a CSR or anything) but I just want some clarification on how to apply it? They sent me the certificate as well as the intermediate (I think) file entitled "gd_bundle-g2-g1.crt". I opened that file in notepad and there are actually THREE certificates inside it.
When I navigate on the current ASA to "Certificate Management" and "CA Certificates", the list is empty - there's no certificate in there. I thought that was where the intermediate certificates went, but this has been working for years, with dozens of users connecting daily via VPN so i'm hesitant to do something that's going to break it if not necessary.
In "Identity certificate" (see attachment 1) there are the two certificates - one looks to be self-generated, but it's the godaddy one (that expires Feb 2016) that is in use. Also attaching (see attachment 2) the window that shows what's attached to the interface.
Want to see what I need to do to correctly import (re-generating if necessary) the certificate to ensure no downtime.
Also there are two 5515s connected in failover mode - all work is done on the primary, but want to make sure I don't have to load the certificate on the secondary as well?
Last Comment
Usually, renewing on the issuer does not always work...
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html
Usually, you would need the cert only to replace your existing one.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html
Usually, you would need the cert only to replace your existing one.
ASKER
So rather than just renewing on the issuer (godaddy in this case), it's better to just create a new certificate request from the ASA, copy that to godaddy, get the godaddy generated certificate, and load it onto the ASA?
Any reason we can't use a wildcard certificate for our domain? We have one that has several years until expiry - do wildcard certificates work for ASAs?
Any reason we can't use a wildcard certificate for our domain? We have one that has several years until expiry - do wildcard certificates work for ASAs?
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
That discussion doesn't help - it has an open question.
still not sure what process I follow
Please do not paste links - that's not what I'm looking for.
still not sure what process I follow
Please do not paste links - that's not what I'm looking for.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER
pic1.png
pic2.png