Implementing Secure Solutions with Virtual Private Networks (SVPN) — Question 81

An engineer is requesting an SSL certificate for a VPN load-balancing cluster in which two Cisco ASAs provide clientless SSLVPN access. The FQDN that users will enter to access the clientless VPN is asa.example.com, and users will be redirected to either asa1.example.com or asa2.example.com. The cluster FQDN and individual Cisco ASAs FQDNs resolve to IP addresses 192.168.0.1, 192.168.0.2, and 192.168.0.3 respectively. The issued certificate must be able to be used to validate the identity of either ASA in the cluster without returning any certificate validation errors. Which fields must be included in the certificate to meet these requirements?

Answer options

• A. CN=*.example.com, SAN=asa.example.com
• B. CN=192.168.0.1, SAN=asa1.example.com, asa2.example.com
• C. CN=asa.example.com, SAN=asa.example.com, asa1.example.com, asa2.example.com
• D. CN=192.168.0.1, SAN=192.168.0.1, 192.168.0.2, 192.168.0.3

Correct answer: C

Explanation

The correct answer is C because it includes the cluster FQDN and all relevant individual FQDNs in the Subject Alternative Name (SAN) field, ensuring that the certificate can validate connections to any of the ASAs. Option A is incorrect as the wildcard does not cover individual FQDNs needed here. Option B fails to include the cluster FQDN, and option D lacks the required FQDN format for SSL validation, focusing only on IP addresses.