topic Re: ASA 5506 Firepower Module Certificate in Network Security

ASA 5506 Firepower Module Certificate

benkelly`8 — Tue, 12 Mar 2019 14:01:51 GMT

Hi All

Really struggling to find an answer to this which is strange.

Weve got got a couple of ASA’s with Firepower module on.

the firewalls themselves have got Certs installed from m our CA so we don’t get cert warnings. However I’m still getting a warning because the Firepower module isnusing a self signed cert.

i don’t want to go around admin stations installing this cert as that’s time consuming and in any case I’d rather it was usong

one of ours.

does anyone know how to add a cert to Firepower from Windows CA?

what should the subject be for this cert. at the moment it’s Firepower, should it be the same or follow our naming convention?

Re: ASA 5506 Firepower Module Certificate

Ajay Saini — Sun, 14 Oct 2018 06:05:00 GMT

Hello,

You can install the certificate on ASA from CA to be used for firepower using below link. This uses CSR:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Or you can install the certificate directly from windows CA:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71050-ASA-cert.html

HTH

Re: ASA 5506 Firepower Module Certificate

Marvin Rhoads — Sun, 14 Oct 2018 08:11:47 GMT

The only time I can think of that you would be accessing a Firepower service module via TLS is when you are doing local management with ASDM. Is that where you are seeing errors? I've not seen such an error the few times I've managed a module with ASDM.

If you want to add a certificate to the module itself you should be able to do so following this procedure:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/asa-fp-services/asa-with-firepower-services-local-management-configuration-guide-v623/Managing-Objects.html?bookSearch=true#28976

I believe ASDM will be requesting information from the module using the module's IP address (vs. FQDN) so the address would need to be at least a SAN (if not the CN) in the certificate.

Re: ASA 5506 Firepower Module Certificate

erickflamenco — Tue, 10 Dec 2019 22:12:06 GMT

How to do this using SSH, as the Firepower ASDM onbox management it´s not available, since the Sourcefire3d certificate its unknown for ASDM host?

Re: ASA 5506 Firepower Module Certificate

Marvin Rhoads — Wed, 11 Dec 2019 05:38:07 GMT

Can't you allow/accept the self-signed certificate on one workstation - just enough to be able to then go int via ASM and update it using the documented GUI procedure mentioned earlier?

If you cannot, then I would suggest opening a TAC case as there's not (as far as I know) a supported procedure for customer's doing it via the cli.