Thanks for the info.

Once i get the key, ca, internal cert etc imported to FMC, I assume i can then attach this certificate to outside interface as part of my webvpn remote access setup via a vpn policy. Does a trustpoint get generated in the background similar to the ASA when we set this up? 

Hi,

I know this is pretty old Post but I have stuck on this stage now, I have logged into ftd ftd then expert mode and have used openssl to generate key and csr. Now I need to copy those my local work station, I have tried to do winscp to ftd ftd and it didn't work 

How can copy the files from ftd expert mode to local work station ?

I need those files to create pkcs12 file in order to upload to FTD

Thanks

Basavaraj

---

@Rob Ingram wrote:

Hi,
You can create the CSR and private key from expert mode on the FTD, get the certificate signed and then using openssh (either from the FTD or a linux machine) create a PKCS12 file, importing the identity cert, private key and root cert). This PKCS12 would be imported into the FMC and using in the configuration.

 

You could probably create the CSR & private key on the FMC using openssh, I've usually done it on the FTD directly previously.

 

HTH

---

I got around this by doing a 'cat' on the file and then just copy/pasting into a file. Still waiting on CSR to be processed but seems like it should work. My question is how do I import back the signed cert and CA's cert to create the PKCS12 file and then exporting that to import into FMC. Looks like SCP would work but client only has SFTP/FTP/TFTP so would like to avoid asking for SCP.

Here's an easy work around:

https://kimiushida.com/bitsandpieces/misc/cisco-fmc-6.3-cert-install-via-cli

I too used the "cat" command to put the files on FMC. That way you only need to ssh to FMC.

I generated a new key and CSR using XCA (free Windows app). You could also use openssl - just got to know the right syntax and it's a bit more cumbersome if you're a Windows person like me.

The key and certificate files are short ascii text so very easy to just paste into the ssh session.

root@fmc:/etc/ssl# 
root@fmc:/etc/ssl# cat server.crt
-----BEGIN CERTIFICATE-----
<paste in your certificate txt>
-----END CERTIFICATE-----
root@fmc:/etc/ssl# 
root@fmc:/etc/ssl# mv server.key server.key.old
root@fmc:/etc/ssl# cat > server.key
-----BEGIN RSA PRIVATE KEY-----
<paste in the new private key>
-----END RSA PRIVATE KEY-----
root@fmc:/etc/ssl#
root@fmc:/etc/ssl# pmtool restartbyid httpsd
root@fmc:/etc/ssl#

The last command above restarts the web server used by the FMC application. you can verify it worked from the cli by running "pigtail" (an FMC utility that tails most of the relevant system logs) or pmtool and watching for output similar to this:

root@fmc:/etc/ssl# pigtail


******************************************************************************************************************************************************************************************************************************************************************
** Displaying logs: ACTQ DCSM TCLG NGFW SSEC CPER VMSB TCAT CPLG DEPL MSGS HTTP TAPP VMSS MOJO SOUT CPAC SYDB NGUI SERR USMS                                                                                                                                      
******************************************************************************************************************************************************************************************************************************************************************


<omitting non-relevant output>
HTTP: 08-17 12:24:24 .016352 2019] [qos:warn] [pid 22454] mod_qos(009): mod_unique_id not available (mod_qos generates simple request id if required)
HTTP: 08-17 12:24:24 .016499 2019] [jk:warn] [pid 22454] No JkShmFile defined in httpd.conf. Using default /usr/logs/jk-runtime-status
HTTP: 08-17 12:24:24 .017528 2019] [mpm_prefork:notice] [pid 22454] AH00163: Apache/2.4.38 (Unix) CiscoSSL/1.0.2q.6.2.323-fips mod_qos/11.59 mod_jk/1.2.40 configured -- resuming normal operations
HTTP: 08-17 12:24:24 .017563 2019] [core:notice] [pid 22454] AH00094: Command line: '/usr/bin/httpsd -D FOREGROUND'
<omitting non-relevant output>
                                                                                                                                                                                                                                                
root@fmc:/etc/ssl# pmtool status | grep https                          
httpsd (system,gui) - Running 22454
Command: /usr/bin/httpsd -D FOREGROUND
PID File: /var/run/httpsd.pid
root@fmc:/etc/ssl# 

You can get them from the CA and then combine them into the one server.crt file.

Why is this ALWAYS such a massive PIA on Cisco products?  I'm so sick of battling to find a way that works on this Cisco platform or that, and it's never the same process or procedure twice.  Wake up Cisco!!! There is no excuse for this not being a simple process.  Step 1.  Create CSR.  Step 2. Get CSR signed by a trusted public CA.  Step 3. Install cert.  It should ONLY be that complicated.  Unless I created my CSR on a different platform/device, there is no excuse for me having to install or use OpenSSL.

...I thought I was the only one feeling that way, why do I need to spend 2 hours instead of 5 minutes -Im a consultant- for something that should be very straight forward? same goes for Netflow, EIGRP, WCCP in FTD...

I am so frustrated with Cisco. Im dealing with the same issue. How hard can it be ???

How did you generate the CSR on the FMC for your ASA? When I follow cisco documentation I keeps on failing.

Thanks in advance