12-07-2022 04:12 PM
Hello,
I am using FMC and FTD version 7.2 and I have a working configuration using SAML authentication. I'm trying to add certificate authentication, but I'm having a problem validating the certificate installed on my client machine. First, a couple of facts.
1. I have a Windows CA that has pushed out computer certificates to all of my domain computers.
2. In my remote access VPN config, I have installed a public certificate for vpn.mydomain.com.
I believe my problem is that the FTD is trying to match the public cert with my computer's private cert and giving me the error "Certificate Validation Failure". Is there a way to present the vpn.mydomain.com website with a public certificate while my clients use the private cert? I plan to add another connection profile for vendors and I don't want to require certificates for them.
Thanks!
Andy
12-08-2022 12:48 AM
Hi @sanchezeldorado,
Yes, it is possible to use a public CA-signed certificate for your FTD devices, to identify the FTD on the Internet, and at the same time to use a private CA-signed device certificate to identify clients to your FTD. You can see the config guide here.
Based on your error description, it looks to me like your FTD doesn't have the private CA chain, so it can't validate the client certificate, or the client is not using the private CA certificate to identify itself, so the FTD doesn't trust the offered one.
Kind regards,
Milos
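The diagnosis in the answer above (the FTD trust store lacks the private CA chain, so the client certificate cannot be validated) can be reproduced on any workstation with OpenSSL. The script below is an added example, not from the thread or from Cisco: it builds a throwaway "private" CA standing in for the Windows CA, a throwaway "public" CA standing in for the CA that signed vpn.mydomain.com, issues a client certificate from the private CA only, and then checks that certificate against each trust anchor. All names and the directory layout are constructed placeholders.

```sh
#!/usr/bin/env sh
# Added example (not part of the original thread). Shows why a client
# certificate issued by a private CA fails validation against a trust
# store that only holds the public CA, and passes once the private CA
# chain is present alongside it. All CA names are constructed placeholders.
set -eu

WORK="$(mktemp -d)"

# Self-signed CA certificate and key (stands in for either CA).
make_ca() {                         # $1 = file prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf certificate signed by the named CA (stands in for the machine cert).
issue_leaf() {                      # $1 = CA prefix, $2 = leaf prefix, $3 = CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# Validate a leaf against one trust store file; report ok/fail, do not abort.
verify_against() {                  # $1 = trust store prefix, $2 = leaf prefix
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Build both CAs, one client cert from the private CA, and a combined store
# that models an FTD trustpoint holding the public chain *and* the private
# CA chain. Prints one result line per trust store.
run_demo() {
    make_ca private-ca "Example Private Windows CA"     # constructed name
    make_ca public-ca  "Example Public CA"              # constructed name
    issue_leaf private-ca client "workstation01.example.test"
    cat "$WORK/public-ca.crt" "$WORK/private-ca.crt" > "$WORK/both-cas.crt"

    echo "private-ca=$(verify_against private-ca client)"
    echo "public-ca=$(verify_against public-ca client)"
    echo "both-cas=$(verify_against both-cas client)"
}

run_demo
```

The middle line is the "Certificate Validation Failure" case: the leaf is perfectly valid, but the verifier only trusts the public CA, so it has no issuer to chain to. The last line is the fix the answer points at: the public identity certificate and the private client-validation chain coexist in the same trust store, and including every intermediate of the private chain matters just as much as the root.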
12-11-2022 07:05 AM
Thank you for the input. Unfortunately, it looks like I won't have the ability to get this configured. Have a good day!