06-02-2023 06:50 AM
Using version v7.0.5 FDM (or any 7.x), is it possible to reference a certificate revocation list (CRL)?
For use with RA VPN (AnyConnect / Secure Client). I know this is possible using FMC, however is this possible using FDM?
06-02-2023 08:05 AM
I don't believe that is supported:
https://bst.cisco.com/quickview/bug/CSCvs19613
Even if you try to use FlexConfig, that wouldn't work, as I remember the crypto command is a blacklisted command.
06-02-2023 08:25 AM
This certificate for FTD via FDM.
Can you elaborate more about CRL?
Thanks
MHM
06-02-2023 08:46 AM
Using a 2100 series Firepower with only the GUI FDM for Remote Access VPN with AnyConnect/Secure Client, authenticated using client certificates only.
If we needed to revoke a client certificate (lost laptop etc.), visibility of the CRL would enable the Firepower to know that this client certificate had been revoked. If there is no mechanism for CRL, that would remove client certificate only as an option.
The next best option would be AAA (SAML, LDAP, RADIUS etc.) & client certificate.
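As an added example (not from this thread or from Cisco), here is in Python what a CRL-aware VPN head-end does with a client certificate once a laptop's cert has been revoked; the CA, the client certs, the serials and the dates are all constructed inline, and the check fails closed on a CRL that is not signed by the CA or is past its next-update time, which is exactly the behaviour you lose when the device cannot reference a CRL at all.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
NOW = datetime.datetime(2023, 6, 2)   # constructed reference time (naive UTC, as the library returns)
ONE_YEAR = datetime.timedelta(days=365)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():  # constructed CA standing in for the enterprise PKI that issues client certs
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Example VPN CA")).issuer_name(_name("Example VPN CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + ONE_YEAR)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_client_cert(ca_key, ca_cert, cn):  # a client (laptop) certificate signed by the CA
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + ONE_YEAR)
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_certs):  # CA-signed CRL of revoked serials, valid 7 days
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for c in revoked_certs:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(c.serial_number).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def client_cert_acceptable(cert, ca_cert, crl, now=NOW):
    """Accept only a CA-issued, in-validity cert that a fresh, CA-signed CRL does not list."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False                       # not issued by our CA
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False                       # outside the certificate's validity period
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False                       # CRL not signed by our CA: do not trust it
    if crl.next_update is not None and now > crl.next_update:
        return False                       # stale CRL: fail closed rather than accept blindly
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
```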
06-02-2023 09:08 AM
If you should enable SAML on the FDM, please be aware that the FDM will error out when you try to push the changes if the SAML certificate has the "ca-check" enabled. Unlike the FMC, the FDM does not have any option to turn that feature off, and the Flexconfig won't allow you to do it due to the crypto command being blacklisted. So in that case you would need to use a third party tool such as OpenSSL or XCA to generate a new cert and its private key, disable the ca-check, import the cert and the private key into Azure, and finally import the cert into FDM.