Why must a network engineer avoid usage of the default X509 certificate when implementing clientless SSLVPN on an ASA?

A. The certificate is too weak to provide adequate security.
B. The certificate is regenerated at each reboot.
C. The certificate must be managed by the local CA.
D. The default X.509 certificate is not supported for SSLVPN.


3 thoughts on “Why must a network engineer avoid usage of the default X509 certificate when implementing clientless SSLVPN on an ASA?”

  1. B is the correct answer.
    Note: By default, the ASA generates a self-signed X.509 certificate upon startup. This certificate is used in order to serve client connections by default. It is not recommended to use this certificate because its authenticity cannot be verified by the browser. Furthermore, this certificate is regenerated upon each reboot so it changes after each reboot.
    https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html

  2. B is the correct answer. The certificate used for SSL VPN doesn’t HAVE to be managed by any local CA. It can be the default certificate, but if it is, it will be regenerated on each reboot.
