topic Re: FMC: Automatic renew certificates? in Network Security

FMC: Automatic renew certificates?

Network Diver — Wed, 14 May 2025 06:57:01 GMT

Hello,

Managing certificates is getting more and more a nightmare as the valid lifetime will be reduced to 47 days, especially on devices and virtual appliances that don't support any kind of automatic renewal protocol.

What are the options in FMC to automatically renew VPN peer certificates signed by an external public CA? Currently FMC 7.4 only supports EST and SCEP enrollment. [1] None of them supports automatic renewal. Also latest FMC 7.7 does not support ACME. We also use the VPN peer certificate for signing SAML requests for Microsoft EntraID, so renewing a certificate for a VPN peer involves multiple manual steps.

[1] https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/objects-certs.html

[2] https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/objects-certs.html

Re: FMC: Automatic renew certificates?

Network Diver — Tue, 24 Jun 2025 07:50:09 GMT

Any outlook when FMC will support ACME for certificate renewals?
There's an enhancement request for this: https://bst.cisco.com/quickview/bug/CSCvi00886

Re: FMC: Automatic renew certificates?

MHM Cisco World — Tue, 24 Jun 2025 07:55:03 GMT

Thanks for sharing

Have a nice day

MHM

Re: FMC: Automatic renew certificates?

Marvin Rhoads — Tue, 24 Jun 2025 12:26:13 GMT

ACME-based certificate renewal support for FMC-managed FTD devices is expected to be introduced later this year (2025) with the next major release (10.0). It is already present and working in the latest ASA code and the FMC support builds on that same foundation.

Re: FMC: Automatic renew certificates?

kajtzu — Wed, 25 Jun 2025 12:02:50 GMT

I agree that the ASA code in 9.23(1) and later works but it installs only the requested certificate, not any intermediates, which means the certificate chain is incomplete. So, it doesn't work unless the client is able to use AIA fetching. The ones that don't support it complain about the cert. I have a case open for this, actually.

Re: FMC: Automatic renew certificates?

Marvin Rhoads — Wed, 25 Jun 2025 17:34:03 GMT

@kajtzu Good point - I have also brought up this issue with the Cisco team during FTD beta testing. We will see if they are able to incorporate the intermediate certificate(s) sooner vs. later. Behind the scenes it's a simple chaining operation that can be done in openssl.

Re: FMC: Automatic renew certificates?

Network Diver — Tue, 10 Feb 2026 06:52:32 GMT

I wonder which ACME challenges FTD/FMC 10.x will support and whether automatic enrollment works for VPN peer certificate, FMC admin certificate and service provider certificate used by Azure Entra SSO.

ACME HTTP-01 and TLS-ALPN-01 could work for firewalls acting as VPN peers that are accessible from the internet and from the registrar's ACME service to verify the token. But our management center is in the internal network.
ACME DNS-01 challenge could work for devices that are not accessible from the internet such as the FMC, but we're currently using DNS delegation with Azure DNS and Certbot Azure DNS plugin and grant only write access to TXT records in acme DNS subdomain referenced by _acme-challenge.<hostname> CNAME.