https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847664#M1101163 <P>Using version v7.0.5 FDM (or any 7x) , is it possible to reference a certificate revocation List(CRL)?</P> <P>For use with RA VPN (anyconnect / Secure Client). I know this is possible using FMC, however is this possible using FDM.</P> Fri, 02 Jun 2023 13:50:55 GMT Jonathan Haldane 2023-06-02T13:50:55Z https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847664#M1101163 <P>Using version v7.0.5 FDM (or any 7x) , is it possible to reference a certificate revocation List(CRL)?</P> <P>For use with RA VPN (anyconnect / Secure Client). I know this is possible using FMC, however is this possible using FDM.</P> Fri, 02 Jun 2023 13:50:55 GMT https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847664#M1101163 Jonathan Haldane 2023-06-02T13:50:55Z https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847706#M1101166 <P>I don't believe that is supported:</P> <P><A href="https://bst.cisco.com/quickview/bug/CSCvs19613" target="_blank">https://bst.cisco.com/quickview/bug/CSCvs19613</A></P> <P>Even if you try to use the Flexconfig that wouldn't work as I remember the crypto command is a blacklisted command.</P> Fri, 02 Jun 2023 15:05:19 GMT https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847706#M1101166 Aref Alsouqi 2023-06-02T15:05:19Z https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847726#M1101167 <P><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215850-certificate-installation-and-renewal-on.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215850-certificate-installation-and-renewal-on.html</A></P> <P>This certificate for FTD via FDM.</P> <P>Can you more elaborate about CRL?</P> <P>Thanks&nbsp;</P> <P>MHM</P> Fri, 02 Jun 2023 15:25:31 GMT https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847726#M1101167 MHM Cisco World 2023-06-02T15:25:31Z https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847743#M1101168 <P>Using a 2100 series firepower with only GUI FDM for Remote Access VPN with anyconnect/secure client authenticated using Client Certificates only.</P> <P>If we needed to revoke a client certificate (lost laptop etc). Visibility of the CRL would enable&nbsp;the Firepower to know that this client certificate had been revoked. If there is no mechanism for CRL that would remove client certificate only as an option.&nbsp;</P> <P>The next best option would be AAA (SAML, LDAP, RADIUS etc) &amp; client certificate</P> <P>&nbsp;</P> Fri, 02 Jun 2023 15:46:16 GMT https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847743#M1101168 Jonathan Haldane 2023-06-02T15:46:16Z https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847761#M1101169 <P>If you should enable SAML on the FDM, please be aware that the FDM will error out when you try to push the changes if the SAML certificate has the "ca-check" enabled. Unlike the FMC, the FDM does not have any option to turn that feature off, and the Flexconfig won't allow you to do it due to the crypto command being blacklisted. So in that case you would need to use a third party tool such as OpenSSL or XCA to generate a new cert and its private key, disable the ca-check, import the cert and the private key into Azure, and finally import the cert into FDM.</P> Fri, 02 Jun 2023 16:08:14 GMT https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847761#M1101169 Aref Alsouqi 2023-06-02T16:08:14Z https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847767#M1101170 <DIV dir="auto">Thanks Aref, I have already come across that issue. XCA worked a treat.</DIV> <DIV dir="auto">&nbsp;</DIV> <DIV dir="auto">Regards<SPAN>,<BR />Jonathan</SPAN></DIV> Fri, 02 Jun 2023 16:17:35 GMT https://community.cisco.com/t5/network-security/configuring-crl-ftd-fdm/m-p/4847767#M1101170 Jonathan Haldane 2023-06-02T16:17:35Z