Cisco FTD Internal Certificate Expiration

peymansarayeli
Level 1

Hi guys, I hope you are doing well.

I have a question regarding FTD devices' internal certificate.

We have FTDs which are being managed by an FMC. As far as I understood, the FMC talks to the FTDs over an encrypted (HTTPS) channel when it wants to deploy configuration to them.

Recently we had a security audit of our infrastructure, and the auditors reported that the certificates on the FTD devices are expired.

I have searched a lot about how to renew these certificates, but I was not successful.

Could you please help me if you have any idea?

Best Regards,

Peyman

7 Replies

Marvin Rhoads
Hall of Fame

You're correct in understanding that they are used to secure the communications between FMC and managed FTDs (configuration and eventing over the sftunnel process which uses TLS over tcp/8305).

AFAIK Cisco doesn't provide any mechanism to renew these certificates. I would suggest that one could cite the fact that you use a mutually set registration key to verify the authenticity of the managed FTDs vs the certificate. I'd argue that is a "compensating control" for the issue.

So in that case the usage of the X.509 certificate is quite a bit different than in the case of a traditional client-web server type of interaction.
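A way to reproduce and document the auditor's finding for the write-up that cites the registration key as the compensating control, added here as an example that is not from this thread or from Cisco: it grabs the certificate a device presents on tcp/8305 (best effort, since sftunnel may insist on a client certificate) and reads notBefore/notAfter straight out of the DER, with no third-party library. The SFTUNNEL_PORT constant, the function names and the constructed sample certificate are assumptions of this example, not Cisco's.

```python
import socket, ssl
from datetime import datetime, timezone

SFTUNNEL_PORT = 8305  # FMC <-> FTD sftunnel channel, TLS over tcp/8305 (from the thread)

def _tlv(der, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def validity_from_der(der):
    """Walk Certificate > tbsCertificate > validity; return (notBefore, notAfter) as UTC datetimes."""
    _, p, _ = _tlv(der, 0)             # Certificate SEQUENCE: descend
    _, p, _ = _tlv(der, p)             # tbsCertificate SEQUENCE: descend
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                    # optional [0] EXPLICIT version (present on v3 certs): skip
        p = end
    for _ in range(3):                 # serialNumber, signature AlgorithmIdentifier, issuer: skip
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)             # validity SEQUENCE: descend
    times = []
    for _ in range(2):
        tag, s, p = _tlv(der, p)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
        times.append(datetime.strptime(der[s:p].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]
def expiry_status(der, now=None):
    """Per-device summary for the audit response; days_left goes negative once the cert has expired."""
    not_before, not_after = validity_from_der(der)
    days = (not_after - (now or datetime.now(timezone.utc))).days
    return {"not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
            "days_left": days, "expired": days < 0}
def fetch_peer_cert_der(host, port=SFTUNNEL_PORT, timeout=5):
    """Best-effort, unverified grab of the raw cert on the sftunnel port (inventory only; the handshake may be refused)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)
_der = lambda tag, payload: bytes([tag, len(payload)]) + payload  # short-form DER encoder for the sample only
def constructed_cert_der(not_before="200101000000Z", not_after="230101000000Z"):
    """Constructed sample: an unsigned TBS skeleton with just enough structure for validity_from_der (not a real FTD cert)."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                    # [0] version v3
           + _der(0x02, b"\x01")                                              # serialNumber 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _der(0x30, b"")                                                  # issuer: empty Name
           + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())))  # validity
    return _der(0x30, _der(0x30, tbs))
```

Against a live device, `expiry_status(fetch_peer_cert_der("ftd-hostname"))` gives the same dictionary for the certificate actually presented on tcp/8305.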