Meraki

Community

AnyConnect with custom hostname certificates

Solved
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 4:10 AM
‎Mar 18 2022 4:10 AM

AnyConnect with custom hostname certificates

Hi all,

 

has anyone already used the new option to work with own certificates?

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Custom_hostname_certificates

 

I have not contacted support yet to enable the feature because I don't know if it works for my use case.

When looking at the screenshots, it seems that the only option is to generate the CSR in the dashboard and import the certificate and chain.

I need the option to import the certificate including the key without generating a new CSR. The certificates already exists, and for one environment it also has to be a wildcard certificate.

 

Anyone who tested it and can report if that is also possible?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Labels:
0 Kudos
1 Accepted Solution
In response to KarstenI
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 12:52 PM
‎Mar 18 2022 12:52 PM

You'll have to generate two separate CSRs, so there will be two different private keys and therefore two separate certificates in the end.

View solution in original post

0 Kudos
9 Replies 9
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 4:27 AM
‎Mar 18 2022 4:27 AM

I just learned that is possible now. Thanks for that, unfortunately, I don't have an answer (yet). 😉

0 Kudos
Inderdeep
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 4:33 AM
‎Mar 18 2022 4:33 AM

@KarstenI : Thanks for the update !

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
0 Kudos
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 6:12 AM
‎Mar 18 2022 6:12 AM

First of all: existing certs cannot be used, you'll have to create the CSR to use this feature.

 

I'll try Wildcard certificate support this weekend and give an update.

In response to CptnCrnch
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 7:00 AM
‎Mar 18 2022 7:00 AM

This also is questionable:

Custom certs is supported in High Availability mode. Adminstrators are required to download CSRs and upload certificates for both Primary and Spare MX Appliances with the custom certs Primary | Spare tab only visible when the MX Appliance is in High Availability mode.

Do we really need two certificates and can not use one on both MXes?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 12:52 PM
‎Mar 18 2022 12:52 PM

You'll have to generate two separate CSRs, so there will be two different private keys and therefore two separate certificates in the end.

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 2:25 PM
‎Mar 18 2022 2:25 PM

Well, seems that this feature is not yet for me. I’ll look at it again when it reaches GA.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 6:28 PM
‎Mar 18 2022 6:28 PM

Meraki has a strict security policy that secret keys may not transit through their network.  As a result, you can not upload a certificate with a private key.

It is also the reason why you have to create two certificates for an HA pair.  The private key on each may not leave the device and transit any network.

 

I only ever use the DDNS name now as I don't want to have to deal with renewing certificates.  Simply create an AnyConnect Profile that displays a nice name (like "Company A"), so your users never need to use DNS.  Easy peasy.  Now the actual DNS name used is no longer important.

https://www.ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html 

In response to PhilipDAth
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 19 2022 2:35 AM
‎Mar 19 2022 2:35 AM

I didn’t know of this security policy by now. And with that, we will likely never see a Cert/key import. It had been nice for all the ASA -> MX migrations where the profile with the FQDN is already rolled out. Then I am hoping for a future Let’s Encrypt integration.

 

For now I will continue with the approach of adding an additional entry to the profile that gets pushed from the ASA, and when all profiles are pushed to tell the users to use the new entry which points to the MX.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 19 2022 2:26 PM
‎Mar 19 2022 2:26 PM

>For now I will continue with the approach of adding an additional entry to the profile that gets pushed from the ASA, and when all profiles are pushed to tell the users to use the new entry which points to the MX.

 

That is exactly what I do.  And then once done you can upgrade the profile again to remove the original old entry.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.