ASA 5506 Firepower Module Certificate

benkelly`8
Level 1

Hi All,

Really struggling to find an answer to this, which is strange.

We've got a couple of ASAs with the Firepower module on.

The firewalls themselves have got certs installed from our CA so we don't get cert warnings. However, I'm still getting a warning because the Firepower module is using a self-signed cert.

I don't want to go around admin stations installing this cert as that's time consuming, and in any case I'd rather it was using one of ours.

Does anyone know how to add a cert to Firepower from a Windows CA?

What should the subject be for this cert? At the moment it's "Firepower"; should it stay the same or follow our naming convention?

4 Replies

Ajay Saini
Level 7

Marvin Rhoads
Hall of Fame

The only time I can think of that you would be accessing a Firepower service module via TLS is when you are doing local management with ASDM. Is that where you are seeing errors? I've not seen such an error the few times I've managed a module with ASDM.

 

If you want to add a certificate to the module itself you should be able to do so following this procedure:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/asa-fp-services/asa-with-firepower-services-local-management-configuration-guide-v623/Managing-Objects.html?bookSearch=true#28976

 

I believe ASDM will be requesting information from the module using the module's IP address (vs. FQDN) so the address would need to be at least a SAN (if not the CN) in the certificate.
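The point above about the management IP needing to appear in the SAN is the part most often missed when requesting a certificate from an internal CA. As an added example (not from this thread, and not a Cisco procedure), the script below builds a CSR with OpenSSL whose SAN carries both the module's FQDN and its IP address, and then checks the generated CSR for those entries before it is handed to the CA. The hostname `fp-module.example.internal` and the address `192.0.2.10` are constructed placeholders; `WORKDIR` is a scratch directory assumed for this example.

```shell
#!/bin/sh
# Added example: CSR for a Firepower module with the IP address in the SAN.
# Requires the openssl command-line tool. Values below are constructed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr <fqdn> <ip>
# Writes $WORKDIR/key.pem and $WORKDIR/csr.pem. The CN is the FQDN and the
# SAN lists both the FQDN and the management IP, so a client that connects by
# IP (as ASDM does) and one that connects by name both get a matching cert.
make_csr() {
  fqdn="$1"
  ip="$2"
  cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $fqdn

[ v3_req ]
subjectAltName = DNS:$fqdn, IP:$ip
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/key.pem" \
    -out "$WORKDIR/csr.pem" \
    -config "$WORKDIR/csr.cnf" 2>/dev/null
}

# csr_has_san <csr-file> <pattern>
# Returns 0 when the decoded CSR contains the given SAN entry, e.g.
# "IP Address:192.0.2.10" or "DNS:fp-module.example.internal".
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "$2"
}

# Usage: build the CSR, then confirm the IP SAN is present before submission.
make_csr fp-module.example.internal 192.0.2.10
if csr_has_san "$WORKDIR/csr.pem" "IP Address:192.0.2.10"; then
  echo "CSR at $WORKDIR/csr.pem carries the IP SAN; submit it to the CA"
else
  echo "CSR is missing the IP SAN; do not submit it" >&2
fi
```

The same `csr_has_san` check can be run against the issued certificate (`openssl x509 -in cert.pem -noout -text`) after the CA signs it, since some CA templates drop requested SAN entries unless the template allows the requester to supply them.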

How can this be done using SSH, as the Firepower ASDM on-box management is not available, since the Sourcefire3D certificate is unknown to the ASDM host?

Can't you allow/accept the self-signed certificate on one workstation, just enough to be able to then go in via ASDM and update it using the documented GUI procedure mentioned earlier?

If you cannot, then I would suggest opening a TAC case as there's not (as far as I know) a supported procedure for customers doing it via the CLI.
