There are a few reasons why you might want to install a multiple-domain certificate (a UCC cert with multiple SANs) on your ASA. One of the reasons is setting up a VPN cluster, in which case each of your ASAs must present the name of the cluster IP as well as the names of each of its members. Another reason is that you could have multiple ISP connections and would like to present more than one VPN gateway for your remote-access AnyConnect VPN clients to connect to.
One FQDN per CERTIFICATE per interface
Before I go into UCC certs, you may want to know that the Cisco ASA does support one certificate per interface. So you DO NOT have to obtain a UCC certificate if you only wish to use one FQDN per interface. You will need one trustpoint per certificate you want to use.
I’m not going to go into detail on the CLI, but this can be configured in ASDM 6.4 under Configuration -> Remote Access VPN -> Advanced -> SSL Settings -> Certificates: edit the interface and assign the certificate to it.
More than one FQDN per Certificate (UCC)
Unified Communications Certificate (UCC) allows you to create a single certificate that covers up to 150 domains – subject alternative names (SAN) such as:
www.yourdomain.com
vpn1.yourdomain.com
vpn2.yourdomain.com
vpn3.yourdomain.com
In order to obtain a UCC cert, you must create a Certificate Signing Request (CSR) that lists the SANs you want included in the cert. The standard Cisco tools and commands only let you create a CSR for a single domain: the crypto trustpoint configuration accepts only one FQDN for certificate signing. Therefore you must create the CSR externally.
- First of all, before you create a CSR, you must generate a private key. This can be done on the ASA and then exported for use when generating the CSR.
crypto key generate rsa label mykey modulus 2048
- Then you must export this private key. However, I have found that there is no way to get at the private key until you attach it to a certificate key chain, which Cisco calls a trustpoint, so go ahead and create a new trustpoint for this key:
crypto ca trustpoint mytrustpoint
 enrollment terminal
 keypair mykey
(keypair is entered in trustpoint configuration mode; enrollment terminal is what later lets you paste the CA and signed certificates in at the CLI.)
- You can then export the entire trustpoint (key and any certificates) as a PKCS#12 bundle with the following command, replacing <passphrase> with a passphrase of your choice:
crypto ca export mytrustpoint pkcs12 <passphrase>
The ASA will then print the base64-encoded bundle on the CLI. Copy the whole output into a text file and give it a name (trustpoint.file below).
- Now comes the hard part. On a system with OpenSSL installed (I used CentOS), decode this base64 text into a binary PKCS#12 file and then dump its contents in PEM format. If the saved file still contains the -----BEGIN PKCS12----- and -----END PKCS12----- marker lines, remove them first, since the decoder only accepts the base64 lines themselves:
openssl base64 -d -in trustpoint.file -out trustpoint.pfx   # base64 text -> binary PKCS#12
openssl pkcs12 -in trustpoint.pfx -info                      # dump the certificates and key as PEM
The second command will ask for the passphrase you used to protect the trustpoint. Once you enter it, you will see the private key section of the key chain in the output. Copy and paste the private key section (everything from the BEGIN to the END PRIVATE KEY line) into another file and name it private.key. If a recent OpenSSL 3.x build refuses the bundle with an unsupported-algorithm error, retry the pkcs12 command with its -legacy option.
- With this private key, you are now able to create a CSR. SAN CSRs cannot be generated using the interactive prompt alone; in order to create a CSR with multiple SANs, some modification of the openssl.cnf file is necessary.
Edit /etc/pki/tls/openssl.cnf (the CentOS location; Debian-based systems keep it at /etc/ssl/openssl.cnf) and modify/add the following. The [ req ] and [ v3_req ] sections already exist in the default file, so add the lines to them rather than creating duplicate sections:
[ req ]
req_extensions = v3_req

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = vpn1.domain.com
DNS.2 = vpn2.domain.com
DNS.3 = xxx.domain.com
The alt_names section is where you add all the SANs you want in your CSR.
- The next step is to generate the CSR:
openssl req -new -out cert.csr -key private.key
You can view the CSR and verify that it carries the right SANs with the following command; look for the "X509v3 Subject Alternative Name" line under "Requested Extensions":
openssl req -text -noout -in cert.csr
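The off-box part of the procedure above (decode the ASA export, pull out the private key, build a CSR with several SANs and check them) as one script. This is an added example, not code from the original post: it assumes the ASA export text may still include the -----BEGIN/END PKCS12----- wrapper lines, writes the SAN settings to its own OpenSSL config file instead of editing /etc/pki/tls/openssl.cnf, and builds a constructed stand-in for the ASA export so it can be run without an ASA; the function names and the example.com hostnames are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: the off-box half of the
# procedure, from the ASA's base64 PKCS#12 export to a CSR whose SANs have
# been verified, using only OpenSSL. Assumptions (not from the post): the
# export text may still carry the -----BEGIN/END PKCS12----- wrapper lines
# the ASA prints around the base64, and the SAN config is written to its own
# file instead of editing /etc/pki/tls/openssl.cnf.
set -eu

# 1. ASA export -> PEM private key.   usage: asa_export_to_key export.txt pass private.key
asa_export_to_key() {
    export_txt=$1; pass=$2; key_out=$3
    # drop the wrapper lines, decode the base64 into a binary PKCS#12 (.pfx) file
    grep -v -- '-----' "$export_txt" | openssl base64 -d -out "$export_txt.pfx"
    # -nocerts: key only; -nodes: write it unencrypted so 'openssl req' asks no passphrase
    openssl pkcs12 -in "$export_txt.pfx" -passin "pass:$pass" -nocerts -nodes -out "$key_out"
    rm -f "$export_txt.pfx"
}

# 2. Minimal OpenSSL config carrying the SAN list.   usage: write_san_config out.cnf CN san1 san2 ...
write_san_config() {
    cnf=$1; cn=$2; shift 2
    {
        printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[ dn ]\nCN = %s\n\n' "$cn"
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for san in "$@"; do printf 'DNS.%d = %s\n' "$i" "$san"; i=$((i + 1)); done
    } > "$cnf"
}

# 3. CSR generation. -reqexts names the extension section explicitly, so a
#    forgotten req_extensions line cannot silently yield a CSR without any SAN.
make_san_csr() {   # usage: make_san_csr private.key cert.csr san.cnf
    openssl req -new -key "$1" -config "$3" -reqexts v3_req -out "$2"
}

# 4. Verification: list the DNS SANs in a CSR, one per line (empty if the extension is absent).
csr_sans() {
    openssl req -text -noout -in "$1" | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exit 0 only if every expected name is present; reports the first one missing.
check_sans() {   # usage: check_sans cert.csr san1 san2 ...
    csr=$1; shift
    found=$(csr_sans "$csr")
    for want in "$@"; do
        echo "$found" | grep -qxF "$want" || { echo "missing SAN: $want" >&2; return 1; }
    done
}

# Constructed fixture (not a real ASA export): a self-signed key+cert packed as
# PKCS#12, then base64 text with wrapper lines, the way the ASA prints it.
build_fake_export() {   # usage: build_fake_export dir pass   -> dir/export.txt
    dir=$1; pass=$2
    write_san_config "$dir/self.cnf" asa.example.com asa.example.com
    openssl genrsa -out "$dir/orig.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/orig.key" -config "$dir/self.cnf" -days 1 -out "$dir/orig.crt"
    openssl pkcs12 -export -inkey "$dir/orig.key" -in "$dir/orig.crt" -passout "pass:$pass" -out "$dir/tp.pfx"
    { echo '-----BEGIN PKCS12-----'; openssl base64 -in "$dir/tp.pfx"; echo '-----END PKCS12-----'; } \
        > "$dir/export.txt"
}

# Demo on the constructed export:  sh san_csr.sh --demo
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    build_fake_export "$d" secret
    asa_export_to_key "$d/export.txt" secret "$d/private.key"
    write_san_config "$d/san.cnf" vpn1.example.com vpn1.example.com vpn2.example.com www.example.com
    make_san_csr "$d/private.key" "$d/cert.csr" "$d/san.cnf"
    echo "SANs in CSR:"; csr_sans "$d/cert.csr"
    check_sans "$d/cert.csr" vpn1.example.com vpn2.example.com www.example.com && echo "all expected SANs present"
fi
```

With a real export, call asa_export_to_key on the saved file, then write_san_config, make_san_csr and check_sans with your own names. Passing -config and -reqexts explicitly is what makes this safer than editing the system file: a CSR produced from a config where req_extensions was forgotten carries no SAN at all, and check_sans fails loudly on exactly that case rather than letting the request go to the CA.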
Once you have verified everything is correct, you are ready to have your certificate signed by a public CA. I use GoDaddy as it’s cheap, but you can use whichever CA you want that supports UCC certs.
- Back on the ASA, open your signed certificate file in Notepad and paste its contents when prompted for the certificate:
crypto ca import mytrustpoint certificate
You will also need to authenticate the trustpoint with your CA’s root certificate and any intermediate certificates your CA provider supplies. Enter the following to authenticate each certificate individually:
crypto ca authenticate mytrustpoint
I’m not going to explain how you get your cert signed by a CA, but once you have the signed cert you are ready to move on to the step of importing it back into the trustpoint.
That’s it! You can now use this trustpoint for all those domains you wish to alias onto your ASA interfaces!
