ASA to FTD migration. Need some help with certificates

Chess Norris
Level 4

Hello,

We need to migrate an ASA 5585-X to an FTD with about 1000 AnyConnect users. Authentication is done with both client certificates and Azure MFA. I am looking for some help with the steps required for doing this. I am guessing that I need to install the root certificate under Objects -> PKI -> Trusted CAs in FMC, but what more do I need to do?

We have already enrolled the SSL certificate, which is a public certificate, but this is just so that the clients trust the VPN gateway and don't get the security warning.

The question is about the certificates that are used to authenticate the clients. Do I need to enroll the Root CA as well? I only have a .crt file, but I think the certificate needs to be in PKCS12 format. Should I use openssl to convert the .crt to PKCS12 and then enroll it under Devices -> Certificates in FMC?

I also looked in ASDM under certificate management to see if it was possible to export the root certificate to a PKCS file, but there doesn't seem to be any option to export root certificates, only identity certificates.

Do I also need to change anything in the AnyConnect configuration? At the moment, if I look under Devices -> Remote Access -> Access Interfaces, I only see the SSL certificate associated with the interface that AnyConnect uses.

Finally, when we are going to test this on the new FTD we will activate the VPN on one of the interfaces with a new temporary IP address before the actual migration. Would that be enough for testing? Using an IP address instead of a domain name shouldn't cause any issues?

If the test doesn't work, how should we best troubleshoot this to find out what is causing the issues?

Thanks

/Chess


4 Replies

For a certificate used for a site-to-site VPN tunnel or for AnyConnect, the process is as below.

You need to install the Root CA and Sub-CA in FMC: Objects -> PKI -> Cert Enrollment -> Add Cert Enrollment.

[Image: GoDaddy.PNG]

Now go to ASDM on the ASA firewall. Go to Configuration -> Device Management -> Certificate Management -> Identity Certificates, choose your identity certificate and export it in PKCS12 format.

Once this PKCS12 is exported to your computer, go back to FMC: Devices -> Certificates -> Add.

[Image: Cert2.PNG]

Here you select the firewall you want and, for Cert Enrollment, you choose GO-Daddy as shown in the first picture.

[Image: Cert3.PNG]

Now click on the arrow as shown in the picture. It will give you a warning: "This operation will generate a Certificate Signing Request. Do you want to continue?" Click YES.

[Image: Cert4.PNG]

Here you can import the identity certificate, the one you saved on your computer from ASDM on the ASA.

Here the Cisco YouTube channel has provided a detailed configuration of certificate-based AnyConnect on FTD managed by FMC.

I also looked in ASDM under certificate management to see if it was possible to export the root certificate to a PKCS file, but there doesn't seem to be any option to export root certificates, only identity certificates.

You cannot export the Root CA, but if you have a public CA you can always get it from their website. For example, you can check the Root CA serial number from the ASA command line: "show crypto ca certificate GO-Daddy"

Status: Available
Certificate Serial Number: 083be056904246b1a1756ac95991c74a
Certificate Usage: Signature

Once you have this serial number you can find the Root CA certificate on the CA website and import it into your FMC.

Please do not forget to rate.

Thanks. So in order to get the client VPN connection to work, it should be enough to enroll the CA Root certificate in order to properly validate the certificate of the connecting client?

/Chess

Correct. As long as you have the Root CA and Sub-CA in your FMC, and you have imported the identity certificate from your ASA firewall and hosted it on your FTD (in PKCS12 format), you are good.

I have done many VPN tunnel certificates on FTD, so that is how I have done it on our FMC.

Having said that, I assume your AnyConnect configuration is pointing to the new trustpoint. You can double-check this on the FTD CLI with the command "show run ssl".

Please do not forget to rate.

Just to follow up. We did some tests today and we used a temporary public IP on the outside interface to terminate the VPN. The first time we tested, we used this IP address in AnyConnect, but we got a certificate validation error when the client tried to connect. We then added the FQDN that we use for the VPN to the hosts file, and after that the client was able to connect. I wasn't aware that the FQDN was required for authentication with client certificates. I thought it was only necessary for the web/SSL cert part. Anyway, it seems like all is good now.

Thanks

/Chess
