AnyConnect with custom hostname certificates

SOLVED
KarstenI
Kind of a big deal


Hi all,


Has anyone already used the new option to work with your own certificates?

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Custom_hostname_certificates


I have not contacted support yet to enable the feature because I don't know if it works for my use case.

When looking at the screenshots, it seems that the only option is to generate the CSR in the dashboard and import the certificate and chain.

I need the option to import the certificate including the key without generating a new CSR. The certificates already exist, and for one environment it also has to be a wildcard certificate.


Anyone who tested it and can report if that is also possible?

1 ACCEPTED SOLUTION
CptnCrnch
Kind of a big deal

You'll have to generate two separate CSRs, so there will be two different private keys and therefore two separate certificates in the end.


9 REPLIES
CptnCrnch
Kind of a big deal

I just learned that this is possible now. Thanks for that; unfortunately, I don't have an answer (yet). 😉

Inderdeep
Kind of a big deal

@KarstenI : Thanks for the update !

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
CptnCrnch
Kind of a big deal

First of all: existing certs cannot be used, you'll have to create the CSR to use this feature.


I'll try Wildcard certificate support this weekend and give an update.

KarstenI
Kind of a big deal

This also is questionable:

Custom certs are supported in High Availability mode. Administrators are required to download CSRs and upload certificates for both Primary and Spare MX Appliances, with the custom certs Primary | Spare tab only visible when the MX Appliance is in High Availability mode.


Do we really need two certificates, and can we not use one on both MXes?

CptnCrnch
Kind of a big deal

You'll have to generate two separate CSRs, so there will be two different private keys and therefore two separate certificates in the end.

KarstenI
Kind of a big deal

Well, seems that this feature is not yet for me. I’ll look at it again when it reaches GA.

PhilipDAth
Kind of a big deal

Meraki has a strict security policy that secret keys may not transit through their network. As a result, you cannot upload a certificate with a private key.

It is also the reason why you have to create two certificates for an HA pair.  The private key on each may not leave the device and transit any network.


I only ever use the DDNS name now as I don't want to have to deal with renewing certificates.  Simply create an AnyConnect Profile that displays a nice name (like "Company A"), so your users never need to use DNS.  Easy peasy.  Now the actual DNS name used is no longer important.

https://www.ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html 

KarstenI
Kind of a big deal

I didn’t know about this security policy until now. With that, we will likely never see a cert/key import. It would have been nice for all the ASA -> MX migrations where the profile with the FQDN is already rolled out. So I am hoping for a future Let’s Encrypt integration.


For now I will continue with the approach of adding an additional entry to the profile that gets pushed from the ASA, and when all profiles are pushed, telling the users to use the new entry, which points to the MX.

PhilipDAth
Kind of a big deal

>For now I will continue with the approach of adding an additional entry to the profile that gets pushed from the ASA, and when all profiles are pushed to tell the users to use the new entry which points to the MX.


That is exactly what I do. And then, once done, you can upgrade the profile again to remove the original old entry.
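The two-step profile migration discussed in this thread (push a profile with an extra ServerList entry for the MX, then, once everyone has switched, push it again without the old ASA entry) can be scripted rather than edited by hand. The following is an added example, not code from the thread, from Cisco or from Meraki: it uses only the Python standard library and the AnyConnect client profile layout (AnyConnectProfile / ServerList / HostEntry with HostName and HostAddress, in the schemas.xmlsoft.org AnyConnectProfile.xsd namespace). The display names and gateway hostnames in it are constructed samples, and the Meraki DDNS name is a placeholder, not a real appliance name. The HostName is the friendly label users see in the client (the "Company A" idea from the post above), so the address behind it can change without retraining anyone.

```python
"""Add and later remove ServerList entries in an AnyConnect client profile.

Added example (not the thread's or Cisco's code). Uses xml.etree only.
Hostnames are constructed samples; the MX DDNS name is a placeholder.
"""
import xml.etree.ElementTree as ET

# Namespace of the AnyConnect client profile XML.
NS = "http://schemas.xmlsoft.org/AnyConnectProfile.xsd"
ET.register_namespace("", NS)  # serialize with a default xmlns, as the profile editor does


def _q(tag):
    """Qualify a tag name with the profile namespace."""
    return f"{{{NS}}}{tag}"


def _append_host_entry(server_list, display_name, address):
    entry = ET.SubElement(server_list, _q("HostEntry"))
    ET.SubElement(entry, _q("HostName")).text = display_name      # label shown to users
    ET.SubElement(entry, _q("HostAddress")).text = address        # FQDN the client connects to
    return entry


def new_profile(display_name, address):
    """Create a minimal profile with one ServerList entry (e.g. the existing ASA)."""
    root = ET.Element(_q("AnyConnectProfile"))
    server_list = ET.SubElement(root, _q("ServerList"))
    _append_host_entry(server_list, display_name, address)
    return root


def entries(root):
    """Return [(display_name, address), ...] in ServerList order."""
    return [
        (e.findtext(_q("HostName")), e.findtext(_q("HostAddress")))
        for e in root.iter(_q("HostEntry"))
    ]


def add_entry(root, display_name, address):
    """Step 1: add an extra entry pointing at the new gateway (the MX).

    Returns False if an identical entry already exists, so pushing the same
    change twice does not duplicate the entry.
    """
    server_list = root.find(_q("ServerList"))
    if server_list is None:
        server_list = ET.SubElement(root, _q("ServerList"))
    if (display_name, address) in entries(root):
        return False
    _append_host_entry(server_list, display_name, address)
    return True


def remove_entry(root, address):
    """Step 2: once users are on the new entry, drop the old gateway by address.

    Returns the number of HostEntry elements removed.
    """
    server_list = root.find(_q("ServerList"))
    removed = 0
    for e in list(server_list.findall(_q("HostEntry"))):
        if e.findtext(_q("HostAddress")) == address:
            server_list.remove(e)
            removed += 1
    return removed


def to_xml(root):
    """Serialize the profile as it would be pushed to clients."""
    return ET.tostring(root, encoding="unicode")


def from_xml(text):
    """Parse a profile previously pushed (or exported from the editor)."""
    return ET.fromstring(text)


def migrate_asa_to_mx():
    """Walk the whole migration: ASA-only profile -> both entries -> MX-only."""
    profile = new_profile("Company A", "vpn.example.com")                    # constructed ASA name
    add_entry(profile, "Company A (new)", "MX-DDNS-PLACEHOLDER.example.net")  # placeholder MX DDNS name
    pushed_first = to_xml(profile)                 # what goes out in phase 1

    later = from_xml(pushed_first)                 # phase 2 starts from the pushed file
    remove_entry(later, "vpn.example.com")         # retire the ASA entry
    return entries(later)


if __name__ == "__main__":
    print(migrate_asa_to_mx())
```

Because the profile is just XML, the same functions can be used to audit what is currently deployed: parse the exported profile, call `entries()`, and confirm that only the intended gateway addresses are present before the second push.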
