300-730 · Question #138
Why must a network engineer avoid usage of the default X.509 certificate when implementing clientless SSLVPN on an ASA?
The correct answer is B. The certificate is regenerated at each reboot.. The default X.509 self-signed certificate on a Cisco ASA is regenerated upon each device reboot, making it unsuitable for production SSLVPN deployments.
Question
Options
- AThe certificate must be managed by the local CA.
- BThe certificate is regenerated at each reboot.
- CThe default X.509 certificate is not supported for SSLVPN.
- DThe certificate is too weak to provide adequate security.
How the community answered
(43 responses)- A5% (2)
- B93% (40)
- D2% (1)
Why each option
The default X.509 self-signed certificate on a Cisco ASA is regenerated upon each device reboot, making it unsuitable for production SSLVPN deployments.
There is no requirement that the certificate be managed by a local CA - certificates from any trusted CA, including external ones, are valid for SSLVPN on an ASA.
The Cisco ASA generates a new self-signed certificate every time it reboots, which causes the certificate presented to VPN clients to change unexpectedly. This results in browser or client trust errors because the certificate fingerprint no longer matches what was previously accepted. A persistent, administrator-managed certificate from a trusted CA must be used to ensure continuity and client trust.
The default X.509 certificate type itself is technically supported for SSLVPN; the problem is its ephemeral nature due to regeneration on reboot, not a lack of support.
The default self-signed certificate uses an adequate key length and algorithm; the issue is its instability across reboots, not cryptographic weakness.
Concept tested: ASA default self-signed certificate lifecycle for SSLVPN
Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-ssl.html
Topics
Community Discussion
No community discussion yet for this question.