Cisco ASA 5580 Adaptive Security Appliance Technical Manual

case there are two options to generate the CSR:
Via the CLI or ASDM. The ASA itself cannot place multiple SANs in the CSR, so when the CSR is
submitted to the CA, add the additional SANs on the CA portal itself. Once the CA has issued the
certificate, import the PEM certificate onto the ASA that generated the CSR, then export it in
PKCS12 format (which bundles the private key with the certificate) and import that file onto the
other member ASAs, as shown in the previous question.
Via OpenSSL. Generate the CSR with OpenSSL and list the multiple SANs in the openssl.cnf file, as
shown in this section. Because the private key is then held by the OpenSSL host and not by any
ASA, a PEM import is not enough: bundle the key and the issued certificate into a PKCS12 file and
import that file on every member ASA.
2. Use a Wildcard certificate. This is less secure and less flexible than a UC certificate, since a
single key and certificate for *.domain.com is valid for every host in that domain. If the CA does
not support UC certificates, generate the CSR either on the ASA or with OpenSSL with the FQDN in
the form *.domain.com. Once the CSR has been submitted to the CA and the certificate generated,
import the PKCS12 certificate onto all the ASAs in the cluster.
3. Use a separate certificate for each of the member ASAs and for the load-balancing FQDN. This is
the least effective solution, as every member ASA then needs two certificates. The certificates for
the individual ASAs can be created as shown in this document. The certificate for the VPN
load-balancing FQDN is created on one ASA and then exported and imported as a PKCS12 certificate
onto the other ASAs.
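As an added example (not part of the Cisco document), the OpenSSL path for the UC certificate above: a POSIX shell script that writes an openssl.cnf whose [ alt_names ] section lists the load-balancing FQDN and each member ASA, generates the key and CSR, and prints the SANs that OpenSSL embedded so they can be checked before the CSR goes to the CA. The host names vpn.example.com, asa1.example.com and asa2.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Cisco document. Generates a CSR with multiple
# SANs for a VPN load-balancing cluster. Host names are constructed placeholders.
set -eu

# write_san_config CONFIG_FILE CN SAN...
# Writes an OpenSSL request config whose subjectAltName lists every name given.
write_san_config() {
    cfg="$1"; cn="$2"; shift 2
    {
        printf '[ req ]\n'
        printf 'default_bits = 2048\n'
        printf 'prompt = no\n'
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = req_ext\n\n'
        printf '[ dn ]\n'
        printf 'CN = %s\n\n' "$cn"
        printf '[ req_ext ]\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# count_sans CONFIG_FILE: number of DNS entries in the [ alt_names ] section.
count_sans() {
    grep -c '^DNS\.' "$1"
}

# make_csr CONFIG_FILE KEY_FILE CSR_FILE
# Creates a fresh RSA-2048 key (unencrypted, so it can be bundled into a
# PKCS12 later) and the CSR carrying the SAN extension from CONFIG_FILE.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2" -out "$3" -config "$1"
}

# csr_san_line CSR_FILE: the "DNS:..." line OpenSSL prints for the CSR,
# used to confirm the SANs before submitting the CSR to the CA.
csr_san_line() {
    openssl req -in "$1" -noout -text | grep 'DNS:' | sed 's/^ *//'
}

# Usage: the load-balancing FQDN is the CN and is repeated as a SAN, followed
# by each member ASA's own FQDN.
if [ "${1:-}" = "run" ]; then
    write_san_config openssl.cnf vpn.example.com \
        vpn.example.com asa1.example.com asa2.example.com
    make_csr openssl.cnf vpn.key vpn.csr
    csr_san_line vpn.csr
fi
```

Run it with `sh san-csr.sh run`, submit vpn.csr to the CA, then bundle the issued certificate with the key (`openssl pkcs12 -export -inkey vpn.key -in vpn.crt -out vpn.p12`) and import the resulting PKCS12 on each member ASA; the key never leaves the OpenSSL host in PEM form.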
3. Do the certificates need to be copied from the Primary ASA to the Secondary
ASA in an ASA failover pair?
There is no need to manually copy the certificates from the Primary to the Secondary ASA, because
the certificates and their keypairs are synced between the ASAs as long as Stateful Failover is
configured. If, on initial setup of failover, the certificates are not seen on the Standby device,
issue the command write standby on the Active unit in order to force a sync.
4. If ECDSA keys are used, is the SSL certificate generation process different?
The only difference in configuration is the keypair generation step, where an ECDSA keypair is
generated instead of an RSA keypair. The rest of the steps remain the same. The CLI command for
generating ECDSA keys is shown below (the elliptic-curve argument selects the curve size, 256
here, with 384 and 521 as the other options):
 MainASA(config)# cry key generate ecdsa label SSL-Keypair elliptic-curve 256
INFO: The name for the keys will be: SSL-Keypair
Keypair generation process begin. Please wait...
Troubleshoot
Troubleshooting Commands
Collect the output of these debug commands on the CLI if the SSL certificate installation fails
(turn debugging off again afterwards with undebug all):
debug crypto ca 255
debug crypto ca messages 255
debug crypto ca transactions 255
Common Issues
Untrusted certificate warning when using a valid third-party SSL certificate on the external