https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650080#M1091828 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/256705">@Chess Norris</a> <A href="https://integratingit.wordpress.com/2019/09/28/asa-export-import-certificate/" target="_self">here</A> is a guide to export the ASA certificate to PKCS12 file. On the FTD you just need to import the PKCS12 file.</P> Thu, 14 Jul 2022 07:28:29 GMT Rob Ingram 2022-07-14T07:28:29Z https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650072#M1091827 <P>Hi,</P> <P>I'm migrating a multi-context ASA with both identity and CA certificates to a FTD and I wonder what would be the best way to export those certificates from the ASA and then import them to a FTD? I have access to both CLI and ASDM on the ASA, but would prefere using the CLI. In ASDM there is an option to export identity certificates, but not the CA certificates so I guess I need to use a different methods for those?</P> <P>Thanks</P> <P>/Chess&nbsp;</P> Thu, 14 Jul 2022 07:19:52 GMT https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650072#M1091827 Chess Norris 2022-07-14T07:19:52Z https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650080#M1091828 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/256705">@Chess Norris</a> <A href="https://integratingit.wordpress.com/2019/09/28/asa-export-import-certificate/" target="_self">here</A> is a guide to export the ASA certificate to PKCS12 file. On the FTD you just need to import the PKCS12 file.</P> Thu, 14 Jul 2022 07:28:29 GMT https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650080#M1091828 Rob Ingram 2022-07-14T07:28:29Z https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650085#M1091829 <P>Thanks for the quick reply. I'll take a look at this guide.</P> <P>/Chess</P> Thu, 14 Jul 2022 07:40:52 GMT https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650085#M1091829 Chess Norris 2022-07-14T07:40:52Z https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650100#M1091831 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;While I was able to export/import some of the certificates, the one that are currently associated with RA VPN on the ASA fails. When I'm trying to enroll it on FTD, it gives me an error saying "Fail to configure CA certificate"</P> <P>Using the exact same method I was able to enroll some other identity certificates, so I am not sure why this one fails. How can I troubleshoot this?</P> <P>Thanks</P> <P>/Chess</P> <P>&nbsp;</P> Thu, 14 Jul 2022 08:07:52 GMT https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650100#M1091831 Chess Norris 2022-07-14T08:07:52Z https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650180#M1091836 <P>Followed every step in this troubleshoot guide - <A title="Troubleshoot Certificate Error &quot;Fail to configure CA certificate&quot; on FMC" href="https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215855-troubleshoot-certificate-error-fail-to.html" target="_self">Troubleshoot Certificate Error "Fail to configure CA certificate" on FMC</A>&nbsp;, but without any luck. I'm still getting the same error when trying to enroll. It's so strange because the same cert works perfectly on the ASA.&nbsp;</P> <P>/Chess</P> <P>&nbsp;</P> Thu, 14 Jul 2022 10:52:44 GMT https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650180#M1091836 Chess Norris 2022-07-14T10:52:44Z https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650234#M1091838 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/256705">@Chess Norris</a> what is the difference between the certificate(s) that worked and the one that doesn't? Perhaps a key size not supported on FTD/FMC?</P> Thu, 14 Jul 2022 12:15:09 GMT https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4650234#M1091838 Rob Ingram 2022-07-14T12:15:09Z https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4651333#M1091872 <P>I was able to solve the issue by following this guide&nbsp;<A href="https://www.linkedin.com/pulse/anyconnect-ftd-pkcs12-openssl-matt-albrecht/" target="_self">AnyConnect (FTD), PKCS12, and OpenSSL</A>&nbsp;</P> <P>I used OpenSSL to&nbsp;associate the CA chain&nbsp;and created a new PKCS12 file. After doing that, I could enroll the certificate in FMC without any issues.</P> <P>/Chess</P> Fri, 15 Jul 2022 18:01:51 GMT https://community.cisco.com/t5/network-security/export-import-certificates-from-asa-to-ftd/m-p/4651333#M1091872 Chess Norris 2022-07-15T18:01:51Z