https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281590#M1077770 <P>@Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/178811">@Heino Human</a>&nbsp;</P><P>&nbsp;</P><P>I create the CSR outside FTD (try openSSL) and then import the certificate to FTD</P><P>Check the following guide, I use the PKCS12 option.</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html</A></P> Thu, 28 Jan 2021 18:08:06 GMT Panos Bouras 2021-01-28T18:08:06Z https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281023#M1077729 <P>Hi guys,&nbsp;</P><P>&nbsp;</P><P>I'm a bit confused in why we would use two signed certificates for anyconnect VPN to establish a trust point on the outside interface of the firewall. If look at the below article and follow the steps, it would go like this.&nbsp;</P><P>&nbsp;</P><P>1. Create a CSR on the FTD via CLI</P><P>2. Send it to a CA to be signed&nbsp;</P><P>3. Go to Objects &gt; Object Management &gt; PKI &gt; Cert Enrollment, click on Add Cert Enrollment. Here we add the CA signed certificate (which is the first one)</P><P>4. Then we go to Devices &gt; Certificates &gt; Add &gt; New Certificate. Here we select the cert enrollment we did in step 3, create another CSR to be signed by a CA again.&nbsp;</P><P>&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html</A>&nbsp;</P><P>&nbsp;</P><P>Am I reading this incorrectly or not understanding the process?&nbsp;</P><P>&nbsp;</P><P>Any insight would be amazing so I can get my head around this.&nbsp;</P><P>&nbsp;</P><P>Thank you</P><P>Heino&nbsp;</P> Thu, 28 Jan 2021 00:01:59 GMT https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281023#M1077729 Heino Human 2021-01-28T00:01:59Z https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281031#M1077731 <P>Hi,</P><P>Step 3 is for upload the certificate signed by the CA, and the step 4 is to assign the certificate (uploaded on step 3) to FTD.</P> Thu, 28 Jan 2021 00:20:12 GMT https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281031#M1077731 Omar Sandoval 2021-01-28T00:20:12Z https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281074#M1077732 <P>Hi Omar,&nbsp;</P><P>&nbsp;</P><P>That is correct, though when you assign the certificate in step 4, a new CSR is raised. Please see the screenshots attached.&nbsp;</P><P>&nbsp;</P><P>Thank you</P><P>Heino&nbsp;</P> Thu, 28 Jan 2021 02:45:16 GMT https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281074#M1077732 Heino Human 2021-01-28T02:45:16Z https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281590#M1077770 <P>@Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/178811">@Heino Human</a>&nbsp;</P><P>&nbsp;</P><P>I create the CSR outside FTD (try openSSL) and then import the certificate to FTD</P><P>Check the following guide, I use the PKCS12 option.</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html</A></P> Thu, 28 Jan 2021 18:08:06 GMT https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281590#M1077770 Panos Bouras 2021-01-28T18:08:06Z https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281603#M1077774 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/178811">@Heino Human</a>&nbsp;</P> <P>You are getting confused between 2 different methods to import a certificate.</P> <P>&nbsp;</P> <P>|You generate the CSR via openssl from the CLI, sign the certificate and create a PKCS12 file. On the FMC you then you select the Certificate Enrollment type as PKCS12 and import the file (this doesn't generate a new CSR). <A href="https://integratingit.wordpress.com/2018/11/10/ftd-vpn-with-certificates/" target="_self">Example</A></P> <P>&nbsp;</P> <P>Another method is select the Certificate Enrollment type as Manual, import the CA certificate and then generate the CSR and import the signed file. This method does not require you to generate a CSR on the CLI.</P> Thu, 28 Jan 2021 18:24:16 GMT https://community.cisco.com/t5/network-security/ssl-certificates-for-anyconnect-vpn/m-p/4281603#M1077774 Rob Ingram 2021-01-28T18:24:16Z