topic Re: Using FMC GUI to replace RA VPN Certificate in Network Security

Using FMC GUI to replace RA VPN Certificate

LVS-Derek — Thu, 26 Mar 2020 15:30:47 GMT

Hi everyone.

I'm replacing the SSL cert for our RA VPN. I've used the GUI because I'm not much of a Linux guy and I'm fairly new to Cisco stuff. I have a pair of 5525s with the FMC virtual appliance. I used the FMC GUI to generate a CSR but the interface timed out before I got the response back. If I click the option to Enroll the identity certificate, it wants to start from scratch with a new CSR. How do I get it to accept the certificate I got from GoDaddy?

Thanks for any help you can offer.

Derek

Re: Using FMC GUI to replace RA VPN Certificate

Rob Ingram — Thu, 26 Mar 2020 16:07:58 GMT

Hi,
When you generate the CSR you should be able to safely close the screen and then return later to import the signed certificate. If you closed the screen and re-entered it later, it might say that it's going to regenerate a CSR but I've tested, it doesn't, it's the same CSR. You should be able to successfully import the signed identity certificate from godaddy.

HTH

Re: Using FMC GUI to replace RA VPN Certificate

LVS-Derek — Thu, 26 Mar 2020 16:28:41 GMT

Thanks. I'll try that right now and report back!

Re: Using FMC GUI to replace RA VPN Certificate

LVS-Derek — Thu, 26 Mar 2020 16:40:38 GMT

No luck. What format should this certificate be in? Maybe I need to convert it first?

Re: Using FMC GUI to replace RA VPN Certificate

Rob Ingram — Thu, 26 Mar 2020 16:51:14 GMT

I've never had a problem importing an identity certicate in PEM format....these are prefixed with a “—–--- BEGIN …” line and end with "------ END CERTIFICATE---".

What format is your cerificate in? If not PEM then yes perhaps convert to PEM.

HTH

Re: Using FMC GUI to replace RA VPN Certificate

LVS-Derek — Thu, 26 Mar 2020 17:25:54 GMT

I'm trying the PEM again right now. It's possible I may have misselected the first time because it's taking a lot longer this time. I'll let it spin for a bit before I refresh.

Re: Using FMC GUI to replace RA VPN Certificate

LVS-Derek — Thu, 26 Mar 2020 17:51:53 GMT

No dice. It was still spinning when I got back to it so I hit Refresh. It's back to "Identity certificate import required." So I tried the PEM file once more and this time it quickly returned to the same message.

Re: Using FMC GUI to replace RA VPN Certificate

Rob Ingram — Thu, 26 Mar 2020 17:57:50 GMT

Is the file just the identity certificate certificate or the entire chain?
I assume the FTD you are applying the certificate to is actually online? If it's turned off then you cannot import the certificate.

Re: Using FMC GUI to replace RA VPN Certificate

LVS-Derek — Thu, 26 Mar 2020 18:28:17 GMT

Just the identity certificate. I was able to successfully upload the CA chain but it won't take the identity cert. I can't create a PKCS12 file because the interface doesn't give me access to the key used.

Re: Using FMC GUI to replace RA VPN Certificate

Rob Ingram — Thu, 26 Mar 2020 18:34:22 GMT

What enrollment type did you use? Manual?

You might have to just start again and re-submit to the CA.

Re: Using FMC GUI to replace RA VPN Certificate

LVS-Derek — Thu, 26 Mar 2020 18:37:41 GMT

Really hoping to avoid that as I've already reissued once, and I think GoDaddy only allows two! Man I hate these things.

Re: Using FMC GUI to replace RA VPN Certificate

Rob Ingram — Thu, 26 Mar 2020 18:59:18 GMT

Which version of FMC are you using?

What enrolment type did you use?

Just so we are on the right wave length, these are the steps that work:-

If using manual, you import the root certificate

Define the certificate parameters.

Click Save

Navigate to Devices > Certificates

Click Add

From the Device drop-down list select your device

From the Cert Enrollment drop-down list selectthe certificate enrolment

Click the ID button

Generate the CSR

Copy the contents of the CSR and send to GoDaddy to sign the certificate

Browse identity certificate to import the signed identity certifcate

Is that the steps you followed?

HTH

Re: Using FMC GUI to replace RA VPN Certificate

LVS-Derek — Thu, 26 Mar 2020 19:11:35 GMT

Yes, that's exactly what I did. I'm using FMC 6.5 on a pair of 5525s.