I'm in the middle of upgrading a firewall to a newer 5525-X. I transferred the config over but then realised that the identity certificate expired in 2016. The CA certificate expires in 2021.
My question is: do I have to get a new identity certificate, and is the identity certificate linked to the CA certificate? Would I also have to get a new CA certificate, or can I just get a new identity certificate and everything else is all good?
What would be the best process for going about this?
You can generate the CSR on the ASA, but that depends on where you are going to ask for the certificate. For example, if you own the CA, it will probably be the same CA certificate and you just upload the identity one; but if you are doing it through a third party (GoDaddy, Comodo, GeoTrust, Verisign, etc.), you hand the CSR to them and they will give you the certificate chain, which can be the same CA or a new one.
Thanks for your reply.
I have just checked the identity certificate and it looks as though it's a certificate from Verisign. What would I need to do on the firewall so I can get a new certificate from them?
You need to create the CSR on the ASA in order to send the information to Verisign (now Symantec); you can follow this link, up to step 13.
Step 14 will be the process on Symantec's side to deliver the CSR and sign the certificate; for that you can follow this link.
After you get the certificate, go back to the first link to the part that says "Step 4. Install the Certificate". Once you install it, verify the certificate is OK and change the SSL settings to put it on the interface where the connections are going to land. Everything should be covered here :)
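The ASA side of the procedure described in this answer (trustpoint and CSR, install the CA and identity certificates, bind to the interface, verify), as an added example that is not from the thread or the linked guide; the trustpoint name, key label and hostname are placeholders.

```text
! Added example, not the thread's own configuration. RENEW-TP, RENEW-KEY
! and vpn.example.com are placeholders; replace with your own values.
crypto key generate rsa label RENEW-KEY modulus 2048
crypto ca trustpoint RENEW-TP
 enrollment terminal
 keypair RENEW-KEY
 subject-name CN=vpn.example.com,O=Example Corp,C=GB
 fqdn vpn.example.com
 exit
! Prints the PEM CSR on the terminal; paste it into the CA's request form.
crypto ca enroll RENEW-TP
! Paste the CA certificate that actually signed the identity cert
! (for a third-party CA this is usually the intermediate, not the root),
! then the identity certificate. End each paste with "quit".
crypto ca authenticate RENEW-TP
crypto ca import RENEW-TP certificate
! Check issuer and validity dates before switching the interface over.
show crypto ca certificates RENEW-TP
! Serve the new certificate on the interface where SSL VPN/ASDM sessions land.
ssl trust-point RENEW-TP outside
```

A new identity certificate from a third-party CA generally arrives with its own chain, so do not assume the old CA certificate is still the issuer; the issuer line in `show crypto ca certificates` tells you which CA certificate the trustpoint needs. Keep the old trustpoint configured until the new one is verified, so clients are not left with a broken chain mid-cutover.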