Frequent Contributor

Generate CSR on FMC for FTD

On the ASA, I could generate a keypair and CSR to then be submitted and signed by a CA etc..

 

For the FTD devices, can this be done from the FMC or do we need to use OPEN SSL?

 

All I am looking to do is generate a keypair / CSR and get it signed etc.. so when people access the Outside interface (via DNS NAME on cert) for remote access vpn no cert error is served to them.

 

Is it at all possible to export a current keypair and certificates from an ASA and import to an FTD?

RJI (VIP Advocate)

Re: Generate CSR on FMC for FTD

Hi,
You can create the CSR and private key from expert mode on the FTD, get the certificate signed and then, using openssh (either from the FTD or a Linux machine), create a PKCS12 file importing the identity cert, private key and root cert. This PKCS12 would be imported into the FMC and used in the configuration.

 

You could probably create the CSR & private key on the FMC using openssh; I've usually done it on the FTD directly.

 

HTH

Frequent Contributor

Re: Generate CSR on FMC for FTD

Thanks for the info.

 

Once I get the key, CA, internal cert etc. imported to FMC, I assume I can then attach this certificate to the outside interface as part of my WebVPN remote access setup via a VPN policy. Does a trustpoint get generated in the background, similar to the ASA, when we set this up?

RJI (VIP Advocate)

Re: Generate CSR on FMC for FTD

When you go to Devices > Certificates to import the PKCS12 file, you add the PKCS12 file from the drop-down box; this creates the trustpoint. When you come to create the Remote Access VPN topology, in the "Access & Certificates" section you'd select the outside interface, and from the drop-down box the certificate you previously imported will be available for you to select.

HTH

Re: Generate CSR on FMC for FTD

Hi,

I know this is a pretty old post but I am stuck at this stage now. I have logged into the FTD, then expert mode, and used openssl to generate the key and CSR. Now I need to copy those to my local workstation; I tried WinSCP to the FTD and it didn't work.

 

How can I copy the files from FTD expert mode to my local workstation?

 

I need those files to create the PKCS12 file in order to upload to FTD.

 

Thanks

Basavaraj


@RJI wrote:

Hi,
You can create the CSR and private key from expert mode on the FTD, get the certificate signed and then, using openssh (either from the FTD or a Linux machine), create a PKCS12 file importing the identity cert, private key and root cert. This PKCS12 would be imported into the FMC and used in the configuration.

 

You could probably create the CSR & private key on the FMC using openssh; I've usually done it on the FTD directly.

 

HTH

Beginner

Re: Generate CSR on FMC for FTD

I got around this by doing a 'cat' on the file and then just copy/pasting into a file. Still waiting on the CSR to be processed, but it seems like it should work. My question is how do I import the signed cert and the CA's cert back to create the PKCS12 file, and then export that to import into FMC? Looks like SCP would work, but the client only has SFTP/FTP/TFTP, so I would like to avoid asking for SCP.
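RJI's procedure (key and CSR with openssl, signed cert plus root cert bundled into a PKCS12 for the FMC import) and the question above about assembling that bundle, written out as an added example that is not from this thread or from Cisco. The host name, file names, password and the throwaway "Demo Root CA" are constructed so it runs offline; with a real CA you submit `ftd.csr` and drop the returned identity and root certs in place of the demo ones. Step 3 is the check you would also want before pasting a key and cert into the FMC's `/etc/ssl` as in the later reply.

```shell
#!/bin/sh
# Added example (not from the thread): build the PKCS12 bundle that the FMC
# Devices > Certificates import expects, from a key and CSR made with openssl.
# Host name, file names, password and "Demo Root CA" are constructed for the
# demo; in practice the CSR goes to your real CA and the signed identity cert
# plus the CA's root cert come back from it.
set -eu

make_pkcs12_bundle() {
    workdir="$1"   # scratch directory
    fqdn="$2"      # DNS name clients use for the RA VPN outside interface
    p12pass="$3"   # export password FMC asks for on import
    mkdir -p "$workdir"
    workdir=$(cd "$workdir" && pwd) && cd "$workdir"

    # Request config with a SAN, so clients match the DNS name (not only CN).
    printf '[req]\ndistinguished_name=dn\nreq_extensions=ext\nprompt=no\n' > req.cnf
    printf '[dn]\nCN=%s\n[ext]\nsubjectAltName=DNS:%s\n' "$fqdn" "$fqdn" >> req.cnf

    # 1. Private key and CSR. The key is as sensitive as the finished PKCS12.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
        -keyout ftd.key -out ftd.csr 2>/dev/null

    # 2. Stand-in CA signing the CSR; replace with your CA's real response.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config req.cnf -subj "/CN=Demo Root CA" \
        -keyout demo-ca.key -out demo-ca.crt 2>/dev/null
    openssl x509 -req -in ftd.csr -CA demo-ca.crt -CAkey demo-ca.key \
        -CAcreateserial -days 30 -sha256 -extfile req.cnf -extensions ext \
        -out ftd.crt 2>/dev/null

    # 3. Check the signed cert really belongs to our key before bundling.
    [ "$(openssl pkey -in ftd.key -pubout 2>/dev/null)" = \
      "$(openssl x509 -in ftd.crt -noout -pubkey 2>/dev/null)" ] || return 1

    # 4. Identity cert + private key + root cert in one PKCS12 file.
    openssl pkcs12 -export -inkey ftd.key -in ftd.crt -certfile demo-ca.crt \
        -name "$fqdn" -passout "pass:$p12pass" -out ftd.p12

    # 5. Confirm the bundle opens with that password, then print its path.
    openssl pkcs12 -in ftd.p12 -passin "pass:$p12pass" -nokeys -noout 2>/dev/null
    echo "$workdir/ftd.p12"
}
```

The resulting `ftd.p12` is what you transfer to the workstation and upload under Devices > Certificates; the `-certfile` argument is what carries the root cert into the bundle alongside the identity cert and key.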

Hall of Fame Master

Re: Generate CSR on FMC for FTD

Here's an easy workaround:

https://kimiushida.com/bitsandpieces/misc/cisco-fmc-6.3-cert-install-via-cli

I too used the "cat" command to put the files on the FMC. That way you only need to SSH to the FMC.

I generated a new key and CSR using XCA (a free Windows app). You could also use openssl; you just have to know the right syntax, and it's a bit more cumbersome if you're a Windows person like me.

The key and certificate files are short ASCII text, so it's very easy to just paste them into the SSH session.

root@fmc:/etc/ssl# 
root@fmc:/etc/ssl# cat server.crt
-----BEGIN CERTIFICATE-----
<paste in your certificate txt>
-----END CERTIFICATE-----
root@fmc:/etc/ssl# 
root@fmc:/etc/ssl# mv server.key server.key.old
root@fmc:/etc/ssl# cat > server.key
-----BEGIN RSA PRIVATE KEY-----
<paste in the new private key>
-----END RSA PRIVATE KEY-----
root@fmc:/etc/ssl#
root@fmc:/etc/ssl# pmtool restartbyid httpsd
root@fmc:/etc/ssl#

The last command above restarts the web server used by the FMC application. You can verify it worked from the CLI by running "pigtail" (an FMC utility that tails most of the relevant system logs) or pmtool and watching for output similar to this:

root@fmc:/etc/ssl# pigtail


******************************************************************************************************************************************************************************************************************************************************************
** Displaying logs: ACTQ DCSM TCLG NGFW SSEC CPER VMSB TCAT CPLG DEPL MSGS HTTP TAPP VMSS MOJO SOUT CPAC SYDB NGUI SERR USMS
******************************************************************************************************************************************************************************************************************************************************************


<omitting non-relevant output>
HTTP: 08-17 12:24:24 .016352 2019] [qos:warn] [pid 22454] mod_qos(009): mod_unique_id not available (mod_qos generates simple request id if required)
HTTP: 08-17 12:24:24 .016499 2019] [jk:warn] [pid 22454] No JkShmFile defined in httpd.conf. Using default /usr/logs/jk-runtime-status
HTTP: 08-17 12:24:24 .017528 2019] [mpm_prefork:notice] [pid 22454] AH00163: Apache/2.4.38 (Unix) CiscoSSL/1.0.2q.6.2.323-fips mod_qos/11.59 mod_jk/1.2.40 configured -- resuming normal operations
HTTP: 08-17 12:24:24 .017563 2019] [core:notice] [pid 22454] AH00094: Command line: '/usr/bin/httpsd -D FOREGROUND'
<omitting non-relevant output>
root@fmc:/etc/ssl# pmtool status | grep https
httpsd (system,gui) - Running 22454
Command: /usr/bin/httpsd -D FOREGROUND
PID File: /var/run/httpsd.pid
root@fmc:/etc/ssl#
RJI (VIP Advocate)

Re: Generate CSR on FMC for FTD

Hi,

Yes, you can export the current certificate from an ASA and import it to FTD. You'd need to export in PKCS12 format; these posts should help:

 

https://community.cisco.com/t5/security-documents/certificate-backup-and-installation-trustpoints/ta-p/3109377

 

https://community.cisco.com/t5/security-documents/how-to-export-asa-identity-certificate-through-asdm/ta-p/3155728


HTH