Mystical_Ice asked on

Cisco ASA 5515 - How renew SSL certificate?

Hi
Cisco ASA 5515, running 9.5(2), so the latest and greatest.
ASDM 7.5(2)153.

It has a certificate that's attached to the outside interface used for SSL VPNs and AnyConnect too I suppose.  Certificate was issued by GoDaddy, but expires in the next week or two.

I went to GoDaddy and 'renewed' the certificate (didn't have to generate a CSR or anything) but I just want some clarification on how to apply it?  They sent me the certificate as well as the intermediate (I think) file entitled "gd_bundle-g2-g1.crt".  I opened that file in notepad and there are actually THREE certificates inside it.

When I navigate on the current ASA to "Certificate Management" and "CA Certificates", the list is empty - there's no certificate in there.  I thought that was where the intermediate certificates went, but this has been working for years, with dozens of users connecting daily via VPN so I'm hesitant to do something that's going to break it if not necessary.

In "Identity certificate" (see attachment 1) there are the two certificates - one looks to be self-generated, but it's the godaddy one (that expires Feb 2016) that is in use.  Also attaching (see attachment 2) the window that shows what's attached to the interface.

Want to see what I need to do to correctly import (re-generating if necessary) the certificate to ensure no downtime.

Also there are two 5515s connected in failover mode - all work is done on the primary, but want to make sure I don't have to load the certificate on the secondary as well?
Tags: Cisco, Hardware Firewalls, SSL / HTTPS, VPN
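A pre-import sanity check on the renewed certificate and the issuer bundle, added here as an example and not part of the thread: it counts the certificates in a bundle, lists each one's subject/issuer/expiry, confirms the leaf chains to the bundle (a missing intermediate is what an empty "CA Certificates" list would cause to fail) and confirms the renewed leaf still matches the private key behind the ASA's existing CSR. It assumes the openssl CLI is installed and builds a constructed root/intermediate/leaf chain for vpn.example.com in a temp directory so it runs offline; in practice point LEAF, BUNDLE and KEY at the GoDaddy certificate, gd_bundle-g2-g1.crt and the trustpoint's key.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI; the chain below is a
# constructed stand-in for the GoDaddy-issued leaf and the gd_bundle intermediates.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.com\n' > "$WORK/leaf.ext"
# make_cert NAME SUBJECT EXTFILE [SIGNER]: self-signed when SIGNER is omitted.
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
      -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 365 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  fi
}
# Constructed chain: root -> intermediate -> leaf, plus a leaf issued on a different key.
make_cert root  "/CN=Example Root CA" "$WORK/ca.ext"
make_cert inter "/CN=Example Intermediate CA" "$WORK/ca.ext" root
make_cert leaf  "/CN=vpn.example.com" "$WORK/leaf.ext" inter
make_cert other "/CN=vpn.example.com" "$WORK/leaf.ext" inter
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/bundle.crt"   # issuer bundle, like gd_bundle
LEAF="$WORK/leaf.crt"; BUNDLE="$WORK/bundle.crt"; KEY="$WORK/leaf.key"
# count_certs FILE: how many PEM certificates a bundle holds (the asker counted three).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# list_chain FILE: subject, issuer and expiry of every certificate in a bundle.
list_chain() {
  awk -v d="$WORK" '/BEGIN CERTIFICATE/{n++} {print > (d "/part" n ".pem")}' "$1"
  for p in "$WORK"/part*.pem; do
    openssl x509 -noout -subject -issuer -enddate -in "$p"; echo
  done
}
# verify_chain LEAF BUNDLE: fails when an intermediate needed to reach the root is absent,
# which is what VPN clients would see if the ASA served the leaf without the bundle.
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# key_matches CERT KEY: a certificate "renewed" at the issuer without a fresh CSR is only
# usable on the existing trustpoint if its public key is the one that trustpoint holds.
key_matches() {
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}
list_chain "$BUNDLE"
```

If key_matches fails against the real files, the issuer minted the renewal on a different key, and the path the asker describes later (new CSR from the ASA, certificate issued against it) is the one that applies.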

Last Comment: arnold, 8/22/2022 - Mon
ASKER
Mystical_Ice

Forgot to upload pictures. See attached.
pic1.png
pic2.png
arnold

Usually, renewing on the issuer does not always work...


http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html

Usually, you would need the cert only to replace your existing one.
ASKER
Mystical_Ice

So rather than just renewing on the issuer (godaddy in this case), it's better to just create a new certificate request from the ASA, copy that to godaddy, get the godaddy generated certificate, and load it onto the ASA?

Any reason we can't use a wildcard certificate for our domain?  We have one that has several years until expiry - do wildcard certificates work for ASAs?
SOLUTION
arnold

ASKER
Mystical_Ice

That discussion doesn't help - it has an open question.

Still not sure what process I follow.

Please do not paste links - that's not what I'm looking for.
ASKER CERTIFIED SOLUTION