09-24-2020 01:35 AM
Hi All,
My Firepower 2130 is running FTD 6.4.0.9.
One day, the VAPT scan detected that a certificate had expired, and I found out it's the HTTPS certificate.
This certificate is located in FXOS, unlike those you can set in FMC > Devices > Certificates.
So as it is running FTD, I am not able to use the FXOS CLI "commit-buffer", and to renew the certificate, based on this bug ID, I need to use this command instead:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvk26612
system support regenerate-security-keyring
However, this renews the certificate with a 10-year period, but our policy only allows 5 years max.
Does anyone know how I can create a new keyring or change the keyring period to 5 years?
As I am unable to "commit-buffer", I cannot create a new one in FXOS.
09-25-2020 12:32 AM
I'd suggest opening a TAC case on this one. You may need to create a private key and CSR and import a CA-signed certificate using an external tool (openssl, xca etc.).
Or just write a compensating control / accept the risk of the expired certificate that you don't use anyway.
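As an added example (not from this thread, from Cisco, or from the external tools Marvin mentions), a standard-library-only Python check that reproduces the two findings discussed above from the certificate a device actually serves: whether it has expired, and whether its lifetime exceeds the 5-year policy maximum. `check_host`, its hostname and port are assumptions, and `sample_cert` builds a constructed, unsigned certificate skeleton so the check can run offline.

```python
import ssl
from datetime import datetime, timezone

def _tlv(der, pos=0):
    """Read one DER element at pos -> (tag, value, position after it)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def validity(der):
    """Return (notBefore, notAfter) as UTC datetimes from an X.509 DER certificate."""
    tbs = _tlv(_tlv(der)[1])[1]                        # Certificate -> tbsCertificate body
    tag, _, pos = _tlv(tbs)                            # [0] version is optional
    for _ in range(3 if tag == 0xA0 else 2):           # serial, signature alg, issuer
        _, _, pos = _tlv(tbs, pos)
    val, p, times = _tlv(tbs, pos)[1], 0, []
    for _ in range(2):                                 # notBefore, notAfter
        tag, t, p = _tlv(val, p)
        if tag == 0x17:                                # UTCTime: two-digit year, RFC 5280 rule
            t = (b"19" if t[:2] >= b"50" else b"20") + t
        times.append(datetime.strptime(t.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc))
    return times[0], times[1]

def _add_years(d, n):
    try:
        return d.replace(year=d.year + n)
    except ValueError:                                 # Feb 29 into a non-leap year
        return d.replace(year=d.year + n, day=28)

def check(der, now=None, max_years=5):
    """Flag the two findings from the thread: expired, and lifetime over the policy maximum."""
    nb, na = validity(der)
    now = now or datetime.now(timezone.utc)
    return {"not_before": nb, "not_after": na, "expired": now > na,
            "lifetime_days": (na - nb).days, "exceeds_policy": na > _add_years(nb, max_years)}

def check_host(host, port=443, max_years=5):
    """Pull the served certificate without CA validation (a self-signed keyring cert would fail it)."""
    pem = ssl.get_server_certificate((host, port))      # host/port are assumptions
    return check(ssl.PEM_cert_to_DER_cert(pem), max_years=max_years)

def sample_cert(not_before, not_after):
    """Constructed, unsigned stand-in (not a real device cert); args are UTCTime like '200924013500Z'."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    val = enc(0x30, enc(0x17, not_before.encode()) + enc(0x17, not_after.encode()))
    tbs = enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") + enc(0x30, b"") + val
    return enc(0x30, enc(0x30, tbs))
```

The DER walk stops at the validity field and never verifies a signature, so it reports dates only; the `exceeds_policy` comparison uses calendar years rather than a day count so a 5-year certificate spanning leap days is not flagged.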
11-05-2020 05:50 PM
Hi Marvin,
Thank you for your reply.
Yes, I opened a TAC case in the end.
TAC mentioned that the FTD is being managed by the FMC, hence this HTTP service is not used anywhere.
Hence we do not have an option to make any changes on this certificate.
However, if you use on-box management or FDM to manage the FTD, then yes, you should be able to change the certificate and also the validity time.
So there is no way to change the FXOS keyring for 2100 series.
I then used the email to get management to accept the risk.