06-24-2021 02:54 PM
All,
I am having trouble installing a certificate, self-signed or other, in my Firepower architecture. Currently configured with a vFMC and ASA Firepower module. Both devices are running version 7; the problem carried over from 6.X.
When I go to request the certificate, nothing populates the device drop-down.
Any thoughts? What am I missing?
06-24-2021 08:50 PM
We cannot issue certificates to (or create CSR for) an ASA Firepower service module.
The device certificate is used for remote access VPN and, in the case of an ASA with Firepower service module, the RA VPN terminates on the ASA - not the Firepower service module.
06-25-2021 08:59 AM
As I understand it, the certificate is required to enable active authentication on my Access Control Policy. I successfully enabled this previously when I used ASDM to manage the module in my previous ASA, but have been unable to do so since migrating to new hardware and the vFMC.
06-26-2021 08:13 PM
For this use case, please add the certificate under the Identity Policy:
That is equivalent to adding it in ASDM as described here:
06-28-2021 05:04 PM
That was the missing step and so obvious in hindsight... thanks for the assist.