Custom SSL Certificate questions for MX75

JRW_techlady
New here


New user of Meraki MX75 ASA here.  We had Cisco Secure Client VPNs set up on our ASA 5516 that the MX75 replaced which required getting an SSL cert from a CA for our subdomain, webvpn.domain.org, applying that SSL cert to our ASA, and adding an A record pointing that domain to the public IP on the outside interface of the ASA in our public DNS records which are hosted.  Trying to duplicate that setup on the MX75 to avoid certificate errors.  If I go through the process of getting a CSR from Meraki and applying the SSL cert files for the subdomain, do I need any kind of entry in our hosted public DNS?  Or does the old A record simply need to be removed and Meraki now handles these VPN DNS requests to access our subdomain?  I cannot find any real documentation to clarify.  Anyone know?  Any other gotchas I need to be aware of?   Thanks in advance.

rhbirkelund
Kind of a big deal

Updating the DNS A record to the new WAN IP of the MX75 should be enough. 

Remember, if you have MX'es in Warm Spare, you'll need to sign a certificate for the Spare MX as well, since it is device specific. 

JRW_techlady
New here

Thanks for the reply.  In order for this to work, will I need to put the public IP in the CSR request as a SubjectAltName?  I watched a YouTube video that showed that's how they did it.  I really would like this to work on the first attempt.  Or, does Meraki automatically send the request to the configured public IP (WAN uplink) on the device?  No warm spare - just a single MX75 for a small network.  Thanks for your help.

PhilipDAth
Kind of a big deal

If you really want to do this - and I advise you against doing it - follow the custom certificate procedure in this document.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...

PhilipDAth
Kind of a big deal

While you can do that - it is not something that is typically done anymore.

The Meraki MX will automatically install and renew certificates configured using its DDNS name.  As long as your AnyConnect clients use that - you never have to touch certificates again.

https://documentation.meraki.com/MX/Other_Topics/Dynamic_DNS_(DDNS)

JRW_techlady
New here

Sorry for the late reply.  I've been further investigating pros and cons and am still unsure.

1.  I realize that using the DDNS name is easiest.  However, we only have a handful of users already connecting using the Secure client on company issued laptops via the subdomain for a long time now with our old ASA.  The DDNS name is long and hard to remember and I have to retrain users.

2.  We do not have a profile push set up to change that in the profile (which I read about doing), and are using manually created Meraki auth for them to connect so that would be more for me to figure out.

3.  I have an existing SSL cert from godaddy for the subdomain that I can request a re-key for with a CSR from Meraki so I can go through the custom cert process.  The existing cert is valid for some time yet.

Even if it's not typical, the custom certificate option seems the best for us, but I could be wrong.  Pros? Cons? Gotchas?

And per my original question, IF I do that, what and how does this affect my public DNS record?  Still an A record for the subdomain for my outside IP?  Or, a CNAME record to something at Meraki?  Or, no record needed there at all?

Thanks!

PhilipDAth
Kind of a big deal

>CNAME record to something at Meraki?

I would make it a CNAME to the Meraki DDNS record.

JRW_techlady
New here

To be honest, that's what I currently have in place (thinking that would work), but obviously, Meraki picks up on that somehow and returns a certificate error to users that it's not a secure connection.  Right now, they are having to click through a 'connect anyway' prompt.  So, I was hoping that doing the custom certificate setup and having my DNS record put back to an A record pointing to our outside IP would resolve.  But, maybe not?  I frankly was very surprised that the error appeared.  When we tested and manually entered the DDNS name, it worked without error.

Thanks again for your response.  I'm headed home, so if you reply to this, I'll see it tomorrow. 🙂
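The "not a secure connection" prompt described above is what a client shows when the name it was told to connect to is absent from the server certificate's Subject Alternative Names; with a CNAME to the DDNS record, clients type the company name but receive the certificate issued for the DDNS name. The following is an added example, not code from this thread or from Meraki, that fetches the served certificate for a name and reports whether that name is covered. The hostnames and SAN values in the sample run are constructed placeholders.

```python
import socket
import ssl
from typing import Iterable, List


def hostname_in_sans(hostname: str, sans: Iterable[str]) -> bool:
    """True if hostname is covered by one of the certificate's DNS SAN entries.
    Case-insensitive; a wildcard only as the whole leftmost label, covering one label."""
    host = hostname.rstrip(".").lower()
    for san in sans:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False


def fetch_dns_sans(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect with SNI=hostname and return the DNS SAN entries of the served cert.
    Hostname checking is off so a mismatched cert can still be inspected; chain
    validation stays on (with CERT_NONE, getpeercert() would return an empty dict)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def explain(connect_name: str, sans: Iterable[str]) -> str:
    """One-line verdict an operator can act on before rolling out a profile."""
    sans = list(sans)
    if hostname_in_sans(connect_name, sans):
        return f"OK: {connect_name} is covered by the certificate SANs {sans}"
    return (f"MISMATCH: clients connecting to {connect_name} will get a certificate "
            f"warning; the certificate only covers {sans}")


if __name__ == "__main__":
    # Constructed sample: a CNAME from the company name to the DDNS name serves the
    # DDNS certificate, so the company name is not in its SAN list.
    ddns_cert_sans = ["site-abc123.ddns.example"]  # placeholder DDNS name
    print(explain("webvpn.domain.org", ddns_cert_sans))            # MISMATCH
    # After a custom certificate issued for the company name is installed:
    print(explain("webvpn.domain.org", ["webvpn.domain.org"]))     # OK
    # Live check against a real host: print(explain(name, fetch_dns_sans(name)))
```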

PhilipDAth
Kind of a big deal

A custom certificate will resolve that issue.

I still think it is easier to get users to connect to the DDNS name ...

You can use this tool to create a custom profile:

https://ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html

And then load that into the Meraki Dashboard.  The first time users connect using the old DNS name, they'll get the error and download the profile.  The second time they connect, they'll see your profile and won't get an error.

You can also manually copy the profile to their machines.  The directory locations are in the link above.
