Wednesday, January 06, 2010

ASA/PIX PKI implementation. Multiple trustpoints considerations.

Not sure if Cisco documents it anywhere, but here goes.

What happens if you have multiple trustpoints defined on the ASA?

When a peer presents a certificate to the ASA, the appliance can validate it against ANY trustpoint configured on the device, and it will use the first one that matches, provided the trustpoint's permitted client type also matches.

You cannot change this behavior, except by specifying a different certificate usage per trustpoint:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2124040

You do, however, have control over which certificate is SENT to the peers; this is what you configure under the tunnel-group and ssl CLIs.
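Putting both points together, here is an added configuration sketch (not from the original post, not a Cisco example): two trustpoints, each restricted to the connection type it may validate, plus the tunnel-group and ssl commands that pick which identity certificate the ASA sends. Trustpoint and tunnel-group names are made up, and the exact keywords should be checked against the command reference for the version you run.

```cisco
! Constructed example. Trustpoint names are placeholders.
!
! CA used only to validate certificates on SSL (WebVPN / AnyConnect) sessions
crypto ca trustpoint SSL-CA
 enrollment terminal
 client-types ssl
!
! CA used only to validate certificates on IPsec sessions
crypto ca trustpoint IPSEC-CA
 enrollment terminal
 client-types ipsec
!
! Identity certificate the ASA presents to SSL clients on the outside interface
ssl trust-point SSL-CA outside
!
! Identity certificate the ASA presents to IPsec peers of this tunnel-group
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC ipsec-attributes
 trust-point IPSEC-CA
```

With "client-types" set, a certificate chained to SSL-CA is not accepted on an IPsec tunnel even though the trustpoint exists on the box; without it, the first matching trustpoint wins regardless of connection type.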
