08-17-2022 01:27 AM
Hello,
We need to migrate an ASA 5585-X to an FTD with about 1000 AnyConnect users. Authentication is done with both client certificates and Azure MFA. I am looking for some help with the steps required for doing this. I am guessing that I need to install the root certificate under Objects -> PKI -> Trusted CAs in FMC, but what more do I need to do?
We have already enrolled the SSL certificate, which is a public certificate. But this is just so that the clients trust the VPN gateway and don't get the security warning.
The question is about the certificates that are used to authenticate the clients. Do I need to enroll the Root CA as well? I only have a .crt file, but I think the certificate needs to be in PKCS12 format. Should I use openssl to convert the .crt to PKCS12 and then enroll it under Devices -> Certificates in FMC?
I also looked in ASDM under certificate management to see if it was possible to export the root certificate to a PKCS file, but there doesn't seem to be any option to export root certificates, only identity certificates.
Do I also need to change anything in the AnyConnect configuration? At the moment, if I look under Devices -> Remote Access -> Access Interfaces, I only see the SSL certificate associated with the interface that AnyConnect uses.
Finally, when we are going to test this on the new FTD, we will activate the VPN on one of the interfaces with a new temporary IP address before the actual migration. Would that be enough for testing? Using an IP address instead of a domain name shouldn't cause any issues?
If the test doesn't work, how should we best troubleshoot this to find out what is causing the issues?
Thanks
/Chess
08-17-2022 02:09 AM - edited 08-17-2022 02:24 AM
For a certificate used for a site-to-site VPN tunnel or for AnyConnect, the process is as below.
You need to install the Root CA and Sub-CA in FMC: Objects -> PKI -> Cert Enrollment -> Add Cert Enrollment.
Now go to ASDM on the ASA firewall. Go to Configuration -> Device Management -> Certificate Management -> Identity Certificates, choose your identity certificate and export it in PKCS12 format.
Once this PKCS12 is exported to your computer, go back to FMC -> Devices -> Certificates -> Add.
Here you select the firewall you want and the Cert Enrollment; you have to call it GO-Daddy, as shown in the first picture.
Now click on the arrow as shown in the picture. It will give you a warning: "This operation will generate a Certificate Signing Request. Do you want to continue?" Click YES.
Here you can import the identity certificate, the one you saved on your computer from the ASDM software on your ASA.
Here the Cisco YouTube channel provides a detailed configuration of certificate-based AnyConnect on FTD managed by FMC.
I also looked in ASDM under certificate management to see if it was possible to export the root certificate to a PKCS file, but there doesn't seem to be any option to export root certificates, only identity certificates.
You cannot export the Root CA, but if you have a public CA you can always get the root CA from their website. For example, you can check the Root CA serial number from the ASA command line: "show crypto ca certificate GO-Daddy"
Status: Available
Certificate Serial Number: 083be056904246b1a1756ac95991c74a
Certificate Usage: Signature
Once you have this serial number you can find the root CA certificate on the CA's website and import it into your FMC.
08-17-2022 06:08 AM
Thanks. So in order to get the client VPN connection to work, it should be enough to enroll the Root CA certificate so that the certificate of the connecting client is properly validated?
/Chess
08-17-2022 06:19 AM
Correct. As long as you have the Root CA and Sub-CA in your FMC, and you have imported the identity certificate from your ASA firewall and hosted it on your FTD (in PKCS12 format), you are good.
I have done so many VPN-tunnel FTD certificates; that is how I have done it on our FMC.
Having said that, I assume your AnyConnect configuration is pointing to the new trustpoint. You can double-check this on the FTD CLI by giving the command "show run ssl".
08-19-2022 05:09 AM
Just to follow up. We did some tests today and used a temporary public IP on the outside interface to terminate the VPN. The first time we tested, we used this IP address in AnyConnect, but we got a certificate validation error when the client tried to connect. We then added the FQDN that we use for the VPN to the hosts file, and after that the client was able to connect. I wasn't aware that the FQDN was required for authentication with client certificates. I thought it was only necessary for the WEB/SSL cert part. Anyway, it seems like all is good now.
Thanks
/Chess
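As an added example that is not part of the thread (and not Cisco's code), the script below builds a constructed two-tier PKI with the openssl CLI to show the points raised in the answer and the follow-up: a client certificate validates only when both the root and the sub-CA are known to the verifier, the root's serial is what you match on the CA's website, the identity is bundled with its chain as a PKCS12 (the ASDM-style export), and the gateway certificate's name check is what fails when the client connects to a bare IP instead of the FQDN. All names, the password and the IP address are constructed.

```shell
# Added example (not from the thread or from Cisco): a constructed two-tier PKI built with the
# openssl CLI, showing what the FTD needs to validate AnyConnect client certificates.
WORK=$(mktemp -d)

# Helpers: create a key + CSR, and sign a CSR with a CA; the extension file decides CA vs leaf.
csr()  { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
           -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1; }
sign() { openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
           -CAcreateserial -days 2 -extfile "$WORK/$3" -out "$WORK/$1.crt" >/dev/null 2>&1; }
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com\n' > "$WORK/gw.ext"
  csr root "Example Root CA"                       # constructed root (stands in for the public root CA)
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  csr sub "Example Sub CA" && sign sub root ca.ext             # intermediate (the "Sub-CA" in the answer)
  csr client "chess@example.com" && sign client sub client.ext # an AnyConnect user certificate
  csr gw "vpn.example.com" && sign gw sub gw.ext               # the gateway's identity certificate
}
# What the FTD does with a presented client certificate: build a path to a trusted root.
# "ok" only when both the root (trusted) and the sub-CA (intermediate) are known to the verifier.
verify_client() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" "$WORK/client.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
# With the root alone the path cannot be built, so the sub-CA has to be enrolled as well.
verify_client_root_only() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/client.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
# The serial the ASA prints under "show crypto ca certificate", used to locate the root on the CA's site.
root_serial() { openssl x509 -in "$WORK/root.crt" -noout -serial | cut -d= -f2; }
# ASDM-style export of the gateway identity: key, certificate and issuing chain in one PKCS12.
# Prints the number of certificates in the bundle (identity + intermediate = 2).
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/gw.key" -in "$WORK/gw.crt" -certfile "$WORK/sub.crt" \
    -out "$WORK/gw.p12" -passout pass:changeit 2>/dev/null
  openssl pkcs12 -in "$WORK/gw.p12" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
# The client-side name check: the gateway cert names vpn.example.com, so connecting by bare IP fails it.
check_name() {   # $1 = the name typed into AnyConnect
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" -verify_hostname "$1" \
       "$WORK/gw.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_chain
echo "root+sub: $(verify_client)  root only: $(verify_client_root_only)  root serial: $(root_serial)"
echo "certs in PKCS12: $(export_pkcs12)  by FQDN: $(check_name vpn.example.com)  by IP: $(check_name 203.0.113.10)"
```

The same `openssl verify` call, run against the real root and sub-CA files with a user's exported certificate, is a quick offline check that the chain you plan to enroll in FMC is actually complete.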