Thanks,that  clarifies a few things, while opening up more questions.

1. Can you give me a link somewhere to instructions on how to "create the CSR externally"? I have installed certificates and many devices and systesm, but have always generated the CSR on the target device, copied it, then downloaded and installed the supplied certificate bundle.

2. I am still a little confused about the need for a certificate and how it relates to SSL decryption. We have licenses on this device for Threat, Malware and URL filtering, we want to inspect and flter traffic where internal users are browsing websites. Does this work only if we have a PKI set up? Does it require a certificate at all?

The connnection at our head office is a 50/50 fibre, so I am counting on the 5508 to be able to handle that load without a significant problem, even in a worst case scenario.

---

@ciscotac16 wrote:

Is it possible to use a wildcard cert on FTDs?

---

It depends what context you are asking about.

For the Web UI of FMC you can certainly use a wildcard certificate. I have done several and that is no problem.

For the purposes of SSL decrypt and resign of outbound traffic , generally you want a special certificate (not a wildcard) that has been generated from your internal PKI and is itself a certificate-signing certificate. There's usually no good reason to use a wildcard in that case (an d arguably reasons not to do so).

For purposes of decrypting and inspecting traffic to an internally hosted server, you use whatever certificate that server uses (along with its private key).

Hi, Marvin.  Thanks for the reply.

We need the certs for identity only (no SSL/TLS decryption).  We are going to run two  x 2110s in HA, managed by an FPMC.

Each FTD has to have its own unique name, such as ftd1.<domain name>.com, and ftd2.<domain name>.com.   Also we would like for users to be able to connect to something else like vpn.<domain name>.com (so that it works for users connecting remotely whether or not there's been a failover).  

I confirmed this morning with Cisco TAC that wildcard certs will work for this scenario.  However, I'm wondering if certs with SANs would also work (less expensive). 

If certs with SANs would work, we are thinking that we could get just one new cert that had the names of both FTDs in it, as well as the general remote access name. 

Thanks for your time and sharing of expertise!

Deb

@ciscotac16

OK, I understand better what you're asking now. For your 2110 hardware chassis itself (i.e. the physical management interface), its certificate is managed via the FX-OS cli.

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos211/web-config/b_GUI_ConfigGuide_FXOS_211/system_administration.html?bookSearch=true#id_31323

I don't have an FCM handy to check but I'm not sure all the certificate operations for the chassis are exposed in the Firepower Chassis Manager (FCM) GUI.

Note that the FCM certificate is only used when admins access the chassis GUI - something that should be relatively infrequent and might not require use of a public CA-signed certificate. In my lab, for instance, I use a Windows Server 2016-based CA which I trust to issue certificates to all of my appliances.

For the remote access SSL VPN on the FTD pair, that certificate is managed by the Firepower Management Center. For that service, which is exposed to end users, using a public-CA signed certificate is definitely recommended.

Marvin did you have to create a different template for the FMC to accept your certificates?

I'm trying to figure out the ISE integratin, but it requires a FMC certificate.  I'm guessing I'll have to go the openssl route so I have a private key, but I also get a invalid cert error when trying to use the CSR method for the FMC SSL cert for admin access.  Not helpful at all.

The server template I have on my Windows Server 2016 CA worked fine for my FMC. I did build that template using some guidance from my friend Steve McNutt in his "PKI for Network Engineers" series:

https://densemode.com/?s=PKI

Once you have a good CA to use, you can use tools like OpenSSL for products such as FMC that don't have a good built-in mechanism to generate a CSR. Create a CSR in OpenSSL and then use the generated private key and CA-signed certificate to upload into FMC as shown below:

I did that and pxGrid to ISE works just fine.

I've found this step-by-step video.

This CSR approach do not require openssl.

https://youtu.be/DYhxjg47NqM?t=555

That's a great link. Thanks for sharing.

FTI you can also use the open source Windows-based tool XCA for certificate management (CSR creation, key management etc.). I find it a lot more user-friendly than using OpenSSL.

can we use wild card certificate for pxgride and firepower integrating

The pxGrid certificate must be both a client and server certificate. Most wildcard certificates don't generally have both of those attributes. If yours does, then you should be able to use it.

Does this still apply? How is generating CSR this way different from what's documented here? https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html#anc3

If we know the CA root CA, can we follow this approach to download the CSR?

https://www.youtube.com/watch?v=ZZRVAFcSZCA&t=481s&ab_channel=CiscoCommunity

Does any new documentation show the cli/openssl approach? I can't seem to find it.