nerdexam
Cisco

300-730 · Question #138

Why must a network engineer avoid usage of the default X.509 certificate when implementing clientless SSLVPN on an ASA?

The correct answer is B. The certificate is regenerated at each reboot.. The default X.509 self-signed certificate on a Cisco ASA is regenerated upon each device reboot, making it unsuitable for production SSLVPN deployments.

Remote Access VPN

Question

Why must a network engineer avoid usage of the default X.509 certificate when implementing clientless SSLVPN on an ASA?

Options

  • AThe certificate must be managed by the local CA.
  • BThe certificate is regenerated at each reboot.
  • CThe default X.509 certificate is not supported for SSLVPN.
  • DThe certificate is too weak to provide adequate security.

How the community answered

(43 responses)
  • A
    5% (2)
  • B
    93% (40)
  • D
    2% (1)

Why each option

The default X.509 self-signed certificate on a Cisco ASA is regenerated upon each device reboot, making it unsuitable for production SSLVPN deployments.

AThe certificate must be managed by the local CA.

There is no requirement that the certificate be managed by a local CA - certificates from any trusted CA, including external ones, are valid for SSLVPN on an ASA.

BThe certificate is regenerated at each reboot.Correct

The Cisco ASA generates a new self-signed certificate every time it reboots, which causes the certificate presented to VPN clients to change unexpectedly. This results in browser or client trust errors because the certificate fingerprint no longer matches what was previously accepted. A persistent, administrator-managed certificate from a trusted CA must be used to ensure continuity and client trust.

CThe default X.509 certificate is not supported for SSLVPN.

The default X.509 certificate type itself is technically supported for SSLVPN; the problem is its ephemeral nature due to regeneration on reboot, not a lack of support.

DThe certificate is too weak to provide adequate security.

The default self-signed certificate uses an adequate key length and algorithm; the issue is its instability across reboots, not cryptographic weakness.

Concept tested: ASA default self-signed certificate lifecycle for SSLVPN

Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-ssl.html

Topics

#X.509 certificate#clientless SSLVPN#PKI#ASA

Community Discussion

No community discussion yet for this question.

Full 300-730 Practice