https://community.cisco.com/t5/network-security/firepower-2100-series-https-certificate-expired/m-p/4179689#M1075548 <P>Hi Marvin,</P><P>&nbsp;</P><P>Thank you for your reply.</P><P>&nbsp;</P><P>Yes, i opened a TAC case in the end.</P><P>TAC mentioned that FTD is being managed by the FMC hence this http service is not used anywhere.<BR />Hence we do not have an option to make any changes on this certificate.<BR />However if you use on-box management or FDM to manage the FTD then yes you should be able to change the certificate and also the validity time.</P><P>&nbsp;</P><P>So there is no way to change the FXOS keyring for 2100 series.</P><P>I then use the email to get the management to&nbsp;<SPAN>accept the risk.</SPAN></P> Fri, 06 Nov 2020 01:50:26 GMT benong1989 2020-11-06T01:50:26Z https://community.cisco.com/t5/network-security/firepower-2100-series-https-certificate-expired/m-p/4156404#M1074173 <P>Hi All,</P><P>&nbsp;</P><P>My firepower2130 is running on FTD 6.4.0.9</P><P>One day, the VAPT scan detected Certificate has Expired, and i found out its the https certificate.</P><P>and this certificate is located in the FXOS. unlike those you can set in FMC &gt; devices &gt; certificates</P><P>&nbsp;</P><P>So as it is running FTD, i am not able to use the FXOS cli "commit-buffer", and to renew the certificate, based on this bug ID, i need to use this command instead.</P><P><A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCvk26612" target="_blank" rel="noopener">https://quickview.cloudapps.cisco.com/quickview/bug/CSCvk26612</A></P><PRE>system support regenerate-security-keyring</PRE><P>&nbsp;</P><P>However this renew the certificate with 10 years period, but our policy only allows 5 years max.</P><P>Anyone knows how can i create a new keyring or change the keyring period to 5 years?</P><P>As i an unable to "commit-buffer", i cannot create a new one in FXOS.</P><P>&nbsp;</P> Thu, 24 Sep 2020 08:35:29 GMT https://community.cisco.com/t5/network-security/firepower-2100-series-https-certificate-expired/m-p/4156404#M1074173 benong1989 2020-09-24T08:35:29Z https://community.cisco.com/t5/network-security/firepower-2100-series-https-certificate-expired/m-p/4157033#M1074202 <P>I'd suggest opening a TAC case on this one. You may need to create a private key and CSR and import a CA-signed certificate using an external tool (openssl, xca etc.).</P> <P>Or just write a compensating control / accept the risk of the expired certificate that you don't use anyway.</P> Fri, 25 Sep 2020 07:32:35 GMT https://community.cisco.com/t5/network-security/firepower-2100-series-https-certificate-expired/m-p/4157033#M1074202 Marvin Rhoads 2020-09-25T07:32:35Z https://community.cisco.com/t5/network-security/firepower-2100-series-https-certificate-expired/m-p/4179689#M1075548 <P>Hi Marvin,</P><P>&nbsp;</P><P>Thank you for your reply.</P><P>&nbsp;</P><P>Yes, i opened a TAC case in the end.</P><P>TAC mentioned that FTD is being managed by the FMC hence this http service is not used anywhere.<BR />Hence we do not have an option to make any changes on this certificate.<BR />However if you use on-box management or FDM to manage the FTD then yes you should be able to change the certificate and also the validity time.</P><P>&nbsp;</P><P>So there is no way to change the FXOS keyring for 2100 series.</P><P>I then use the email to get the management to&nbsp;<SPAN>accept the risk.</SPAN></P> Fri, 06 Nov 2020 01:50:26 GMT https://community.cisco.com/t5/network-security/firepower-2100-series-https-certificate-expired/m-p/4179689#M1075548 benong1989 2020-11-06T01:50:26Z