I need to purchase and install a SSL certificate on my Cisco ASA firewall. This will allow my VPN users to connect to my ASA without receiving the certificate error from the untrusted self assigned SSL certificate that is currently on the ASA.
I had good experiences with the SSL certificates that GoDaddy sells. However, I'm concerned about using them. On my web servers I have to also install GoDaddy's "intermediate certificate bundle". On the ASA I do not think that I will be able to preform anything like this. I do not fully understand what the "intermediate certificate bundle" does, but obviously it's important.
So my question is can I use a GoDaddy SSL certificate on an ASA without my users getting any type of warning or error about connecting to a site that using an untrusted SSL certificate. I need this to be as simple as possible for my end users and warning messages are always scary 🙂
Thanks!
Best Answer
I have a GoDaddy (standard, not deluxe) wildcard certificate that I use on my ASA 5510 for ASDM access. ASDM says that "SSL parameters affect both ASDM and SSL VPN access," so if it works for me, it should for you and SSL VPNs.
I did have problems importing a .pem version of my certificate chain. Using a *.pfx (like IIS uses) worked fine.
I grabbed gd_intermediate.crt from https://certs.godaddy.com/Repository.go
In ASDM, Configuration, Device Management, Certificate Management, CA Certificates; click Add, don't change any defaults, install from file, locate the gd_intermediate.crt file.
I also tried loading gd_bundle.crt which some of our certs use and that failed, but since gd_intermediate.crt worked and that's what my wildcard uses, I didn't test any more.
Once the intermediate cert is loaded, go to Identity Certificates (right below CA Certificates) and do something similar (Add, import from file, chose the .pfx file, and enter the password for the .pfx.
Now that the cert is successfully installed, set which interfaces it will be used on. That's under Device Management, Advanced, SSL Settings. Click the interface (probably outside), click Edit, and choose the Trustpoint name of the certificate you added in the last step. Click OK, Apply, and try going to your https://vpn.url and see if it loads the right cert.