Custom SSL Certificate questions for MX75

JRW_techlady
New here

New user of Meraki MX75 ASA here.  We had Cisco Secure Client VPNs set up on our ASA 5516 that the MX75 replaced which required getting an SSL cert from a CA for our subdomain, webvpn.domain.org, applying that SSL cert to our ASA, and adding an A record pointing that domain to the public IP on the outside interface of the ASA in our public DNS records which are hosted.  Trying to duplicate that setup on the MX75 to avoid certificate errors.  If I go through the process of getting a CSR from Meraki and applying the SSL cert files for the subdomain, do I need any kind of entry in our hosted public DNS?  Or does the old A record simply need to be removed and Meraki now handles these VPN DNS requests to access our subdomain?  I cannot find any real documentation to clarify.  Anyone know?  Any other gotchas I need to be aware of?   Thanks in advance.

rhbirkelund
Kind of a big deal

Updating the DNS A record to the new WAN IP of the MX75 should be enough. 

 

Remember, if you have MX'es in Warm Spare, you'll need to sign a certificate for the Spare MX as well, since it is device specific. 

LinkedIn ::: https://blog.rhbirkelund.dk/

JRW_techlady
New here

Thanks for the reply.  In order for this to work, will I need to put the public IP in the CSR request as a SubjectAltName?  I watched a YouTube video that showed that's how they did it.  I really would like this to work on the first attempt.  Or, does Meraki automatically send the request to the configured public IP (WAN uplink) on the device?  No warm spare - just a single MX75 for a small network.  Thanks for your help.

PhilipDAth
Kind of a big deal

If you really want to do this - and I advise you against doing it - follow the custom certificate procedure in this document.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...

 

PhilipDAth
Kind of a big deal

While you can do that - it is not something that is typically done anymore.

 

The Meraki MX will automatically install and renew certificates configured using its DDNS name.  As long as your AnyConnect clients use that - you never have to touch certificates again.

https://documentation.meraki.com/MX/Other_Topics/Dynamic_DNS_(DDNS)

 
