Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Rene,
    Well done with this post, please post more articles of this kind.
    Thank you

  2. Rene,
    Thanks for the presentation, great info as always…

    What would be the advantages of changing my current ASA VPN Pre-Shared Keys to Certificates?

    I am kind of new to certificates, so what would be the process for my customers who connect with PSK VPNs? Would they need to provide me certificate from a trusted CA for my ASA, and I would provide them a certificate as well?

    If I have a couple hundred VPNs, can I provide the same certificate to every customer, or is that not a best practice?

    Thanks again for all the great tutorials.

  3. Hi Brian,

    Security-wise, the public/private key of a certificate are typically longer than a pre-shared key.

    If you want to use certificates then both devices will have to trust the same root CA. You could use your own CA like I did with this example and sign two certificates. One for your firewall and one for the customer. Since both devices trust the CA, they will trust each other’s certificate.

    This is the main advantage of using certificates. For example, let’s say you have 100 customers that build a VPN to your main office’s firewall. If you want to add an extra firewall that the customers could connect to, then you have to configure 100 pre-shared keys for all 100 customers to connect to the second firewall. You could use the same pre-shared key everywhere, but that means once the key is compromised, you have to replace it everywhere…not a good idea!

    When you use certificates, you only have to add a new certificate to the second firewall. Since the customers trust the CA, they will trust the certificate of the second firewall automatically.

    You could use the same certificate, it’s even possible to use a “wildcard” certificate, but that’s not a good idea. It’s the same as using the same pre-shared key everywhere. Once the key (or certificate) is compromised, you’ll have to replace it. Replacing a key/certificate on 2 devices is no problem, but for 100 devices it might be a pain :)

    It might be helpful to see this in action. You can use my example to build a CA with OpenSSL and then use 2-3 firewalls to build a VPN that uses the certificates.

    Hope this helps!
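The scaling argument in the reply above, shown with OpenSSL as an added example (this is not Rene's lesson code or the site's own script): a small lab CA signs one certificate per device, a peer that trusts only the CA certificate accepts both firewalls without any per-customer change, and a certificate that was not signed by that CA is rejected. The CA name, the device names fw1/fw2/customer1 and the temporary working directory are assumed lab values.

```shell
#!/bin/sh
# Added example: minimal OpenSSL CA plus per-device certificates.
# Shows why trusting one CA scales: the customer side only holds ca.crt,
# yet validates any certificate that CA signed (fw1 and fw2 alike).
# All names below are made-up lab values, not from the original post.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build the self-signed CA key and certificate (the one trust anchor).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Enroll one device: generate its key and CSR, then have the CA sign it.
issue_cert() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/$name.crt" 2>/dev/null
}

# What a peer does at authentication time: chain the presented
# certificate to its trusted CA. Exit status 0 = trusted, 1 = rejected.
peer_trusts() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue_cert fw1
issue_cert fw2
issue_cert customer1

# A self-signed certificate that merely claims to be fw1 (not signed
# by lab-ca) must fail validation on the customer side.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=fw1" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

peer_trusts fw1 && echo "customer trusts fw1"
peer_trusts fw2 && echo "customer trusts fw2 (no new pre-shared key needed)"
peer_trusts rogue && echo "unexpected: rogue accepted" || echo "rogue cert rejected"
```

Adding a third firewall is one more `issue_cert` call on the CA; the customer's trust store (ca.crt) does not change.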


  4. Hi my friend.

    I am not sure if the CA must always be available to the peers, even when they authenticate each other. If the CA is not available at that moment, will the VPN fail? What happens if one of the peers reloads? It was only available at the moment of enrolling and authenticating certificates. Could you explain, please?

  5. Hello Brian

    The use of a hostname is essentially there to make your life easier. According to Cisco: “Assigning a hostname identifies the host for subsequent enrollment commands, additional configuration, and provides flexibility in case the IP address of the CA server changes.”

    Yes. If you change the ASA hostname, it will invalidate your current certificates and you’ll need to regenerate them after the name change. If you have end devices or a site-to-site VPN that relies on certificates, those connections will fail until you regenerate and re-establish the connection.

    No. The names are locally significant as far as the creation of certificates is concerned.

    I hope this has been helpful!

