Firepower VPN Question

benolyndav
Level 4

Hi

We are going to be setting up 12 site-to-site VPNs to a 3rd party provider and they have said they will send us their root cert and we just need to create intermediates for the 12 tunnels from the root cert. Is this possible and if so how please?

Thanks

33 Replies

@Rob Ingram Ah, I see it. Do I have to create a cert map now?
Thank you for your assistance so far.

@Rob Ingram 

And also I have used CA only for the enrollment. In the documentation I see it states receiving an Identity Certificate? It's all rather confusing.

Thanks

@Rob Ingram 

Yes, it's in there, I see it.

@Rob Ingram 

Hi, this is what I get when I try to use it on the VPN?

(attachment: Cert.PNG)

@benolyndav you were originally only going to upload the partners' inter/root certificates to your FTD, not replace the identity certificate on your FTD. So if the FTD has the trustpoint of the partner's certificates, you should now trust their certificate?

Hi @Rob Ingram 
I'll start again, I'm obviously not grasping it. In the attached I select Manual, and then I open the Root CA that the ISP have sent me with Notepad and copy and paste it in the box. Do I also select CA only?

@benolyndav yes, select CA only, because it's only the CA certificate they've sent you. Once enrolled, run "show crypto ca certificates" on the FTD to confirm the trustpoint is created and the peer's root CA certificate is installed on the FTD.

@Rob Ingram 
Thanks. So I can see that now when I run show crypto ca cert, and it says available and I can see the associated trust point.

So if I now want to use this on the site-to-site there must be another step that I have been missing?

Thanks

@benolyndav The partner will need to do the same as you, they need to trust the CA certificate used to issue your identity certificate, have they imported this CA certificate on their side?

From your side, as long as the partner's CA certificates are deployed to the FTDs then you should be ok.

@Rob Ingram 
So yes, I have sent our cert to them and they have done the same. When I try changing the VPN to cert-based authentication and then select the new cert, when I try to deploy the changes I still get this. What's happening?

(attachment: benolyndav_0-1709643562428.png)

@benolyndav You don't need to do that. You are only using the partner's CA certificate to validate their certificate; you still need your identity certificate configured on the FTD. The partner's CA certificate just needs to be an enrolled trustpoint on your FTD, so your FTD trusts their certificate.

@Rob Ingram 

Ah OK, so the cert I sent to the ISP is needed on my side as an identity cert? If so, how do I get this cert on the FTD as an identity cert please?

Thanks

@benolyndav you will need to complete the certificate enrollment, with an identity certificate issued by the CA that you gave to the ISP.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html#toc-hId-1162747177

Once this identity certificate is enrolled to the FTD you can select this certificate under the Remote Access VPN configuration.

@Rob Ingram 

Can this be done using manual enrollment and not selecting CA only this time?

@benolyndav add any CA certificate as a placeholder, from the link provided above:

"3. Specify a Name for the trustpoint and under the CA Information tab, select Enrollment Type: Manual. Enter the pem format certificate of the CA that is used to sign the Identity Certificate. If this certificate is not available or known at this time, add any CA certificate as a placeholder, and once the identity certificate is issued repeat this step to add the real issuing CA as shown in the image."
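A quick check a practitioner can run on a workstation before enrolling anything on the FTD, added here as an example (not from this thread or from Cisco): it tells a CA certificate (which goes in as a "CA only" trustpoint, like the partner's root) apart from an identity certificate, and confirms which CA actually issued the identity certificate. It assumes the openssl CLI; the CA and certificate files are constructed on the fly and stand in for the partner's root CA and your own FTD identity certificate.

```shell
#!/bin/sh
set -e

# is_ca_cert FILE -> prints "ca" if basicConstraints says CA:TRUE, else "identity".
# A "ca" file is what you enroll with "CA only"; an "identity" file is not.
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo identity
  fi
}

# verify_identity CAFILE CERTFILE -> exit 0 only if CERTFILE chains to CAFILE
verify_identity() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo material (hypothetical names, throwaway keys):
#   our-ca.pem      the CA you handed to the ISP, which issues the FTD cert
#   ftd-id.pem      the FTD identity certificate, issued by our-ca
#   partner-ca.pem  the root CA the partner sent you (issues nothing of yours)
# Prints the directory holding the files.
demo_setup() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Our CA" \
    -keyout "$dir/our-ca.key" -out "$dir/our-ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Partner Root CA" \
    -keyout "$dir/partner-ca.key" -out "$dir/partner-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ftd.example.invalid" \
    -keyout "$dir/ftd.key" -out "$dir/ftd.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/ftd.csr" -CA "$dir/our-ca.pem" -CAkey "$dir/our-ca.key" \
    -CAcreateserial -days 1 -out "$dir/ftd-id.pem" >/dev/null 2>&1
  echo "$dir"
}

# Stand-alone run: classify the files, then show the identity cert chains to
# our CA and not to the partner's CA (the mix-up the thread above is about).
d=$(demo_setup)
echo "partner-ca.pem: $(is_ca_cert "$d/partner-ca.pem")  (enroll as CA only)"
echo "ftd-id.pem:     $(is_ca_cert "$d/ftd-id.pem")  (needs full identity enrollment)"
if verify_identity "$d/our-ca.pem" "$d/ftd-id.pem"; then
  echo "ftd-id.pem chains to our-ca.pem"
fi
if ! verify_identity "$d/partner-ca.pem" "$d/ftd-id.pem"; then
  echo "ftd-id.pem does NOT chain to partner-ca.pem: that trustpoint only validates the peer"
fi
```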
