Cisco ASA 5515 - How to renew SSL certificate?

Last Modified: 2016-02-24
Hi
Cisco ASA 5515, running 9.5(2), so the latest and greatest.
ASDM 7.5(2)153.

It has a certificate that's attached to the outside interface used for SSL VPNs and AnyConnect too I suppose.  Certificate was issued by GoDaddy, but expires in the next week or two.

I went to GoDaddy and 'renewed' the certificate (didn't have to generate a CSR or anything) but I just want some clarification on how to apply it?  They sent me the certificate as well as the intermediate (I think) file entitled "gd_bundle-g2-g1.crt".  I opened that file in notepad and there are actually THREE certificates inside it.

When I navigate on the current ASA to "Certificate Management" and "CA Certificates", the list is empty - there's no certificate in there.  I thought that was where the intermediate certificates went, but this has been working for years, with dozens of users connecting daily via VPN, so I'm hesitant to do something that's going to break it if not necessary.

In "Identity certificate" (see attachment 1) there are two certificates - one looks to be self-generated, but it's the GoDaddy one (that expires Feb 2016) that is in use.  Also attaching (see attachment 2) the window that shows what's attached to the interface.

Want to see what I need to do to correctly import (re-generating if necessary) the certificate to ensure no downtime.

Also there are two 5515s connected in failover mode - all work is done on the primary, but want to make sure I don't have to load the certificate on the secondary as well?

Author

Commented:
Forgot to upload pictures.  See attached:
pic1.png
pic2.png
CERTIFIED EXPERT

Commented:
Usually, renewing on the issuer does not always work...
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html

Usually, you would need the cert only to replace your existing one.

Author

Commented:
So rather than just renewing on the issuer (GoDaddy in this case), it's better to just create a new certificate request from the ASA, copy that to GoDaddy, get the GoDaddy-generated certificate, and load it onto the ASA?

Any reason we can't use a wildcard certificate for our domain?  We have one that has several years until expiry - do wildcard certificates work for ASAs?

Author

Commented:
That discussion doesn't help - it has an open question.

Still not sure what process I follow.

Please do not paste links - that's not what I'm looking for.