02-22-2024 06:02 AM
Hi
We are going to be setting up 12 site-to-site VPNs to a 3rd party provider. They have said they will send us their root cert and we just need to create intermediates for the 12 tunnels from the root cert. Is this possible, and if so, how please?
Thanks
02-22-2024 06:30 AM
@benolyndav are you sure they said create intermediates for the tunnels? You'd exchange root certificates and deploy them to the FTD to mutually authenticate when establishing the VPN.
02-22-2024 06:46 AM
Hi
Yes, that's what I thought, just use the Root for the 12 tunnels. I never questioned it as it was in an email, but it's confusing.
02-22-2024 08:23 AM
Hi @Rob Ingram
So if I want to use the 3rd party Root Cert, where will this need adding on my side?
Thanks
02-22-2024 08:36 AM
@benolyndav you can just create a new trustpoint and import the CA certificate and then attach to the FTDs.
02-22-2024 09:00 AM
Hi @Rob Ingram
I'm still a bit confused: if they send me a cert, does this mean I can simply add this cert to our FTD, or do I still have to do some form of enrollment?
Thanks
02-22-2024 09:07 AM
@benolyndav yes, use manual enrollment and import the peer's CA certificate only.
03-04-2024 08:43 AM
@Rob Ingram
Would it still need adding to Trusted Root as well?
Thanks
03-04-2024 08:50 AM
@benolyndav I assume you are referring to Trusted CA under Objects > PKI? If so, then no.
You enrol the certificates (under Devices > Certificates) to the FTD, which creates the trustpoint on the FTD with the relevant certificates.
03-04-2024 09:00 AM - edited 03-04-2024 09:04 AM
Hi @Rob Ingram
So I add a cert enrollment, give it a name, then select Manual and check CA only. When I try saving it doesn't allow me to move forward.
---Paste CA certificate in PEM format here???
03-04-2024 09:09 AM
@benolyndav you can import the CA certificate only (no identity certificate) since 6.7, I assume you are using 6.7 or newer?
Can you provide a screenshot of what you are doing and the error in context please? How are you trying to import the certificate? You can just copy and paste the CA certificate contents into the field, assuming it's the correct format.
03-04-2024 10:13 AM
@Rob Ingram It's in .crt format?
03-04-2024 10:17 AM
@benolyndav a PEM file can use the .crt file extension. PEM files start with -----BEGIN CERTIFICATE-----
Open the CA certificate file in Notepad, then copy and paste this.
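The check behind this advice, as an added example that is not from this thread or from Cisco: a .crt file is only an extension, so before pasting it into the "CA only" enrollment field it is worth confirming whether the bytes are PEM (the -----BEGIN CERTIFICATE----- form the field expects) or binary DER, converting DER to PEM if needed, and checking that each block at least has the outer SEQUENCE / SEQUENCE / BIT STRING shape of an X.509 certificate. The script below uses only the Python standard library; the sample blobs it embeds are constructed minimal DER structures with the right shape, not real certificates, and the file path on the command line is whatever you point it at.

```python
import base64
import re
import ssl
import sys
from typing import List

# Matches one PEM certificate block; re.S lets the base64 body span lines (LF or CRLF).
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length header; return (tag, length, start_of_value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def looks_like_x509_der(der: bytes) -> bool:
    """Structural check only: Certificate ::= SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }
    filling the whole buffer. It does not validate signatures or contents."""
    try:
        tag, length, pos = _read_tlv(der, 0)
        if tag != 0x30 or pos + length != len(der):
            return False
        end = pos + length
        for want in (0x30, 0x30, 0x03):  # tbsCertificate, signatureAlgorithm, signatureValue
            tag, length, pos = _read_tlv(der, pos)
            if tag != want:
                return False
            pos += length
            if pos > end:
                return False
        return pos == end
    except (IndexError, ValueError):
        return False


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'UNKNOWN' for the raw contents of a .crt/.cer/.pem file."""
    if PEM_RE.search(data):
        return "PEM"
    if looks_like_x509_der(data):
        return "DER"
    return "UNKNOWN"


def extract_der_certs(data: bytes) -> List[bytes]:
    """Return every certificate in the file as DER bytes, whichever encoding it used."""
    fmt = detect_format(data)
    if fmt == "DER":
        return [data]
    if fmt == "PEM":
        certs = []
        for m in PEM_RE.finditer(data):
            body = b"".join(m.group(1).split())  # drop line breaks / CR characters
            der = base64.b64decode(body, validate=True)
            if not looks_like_x509_der(der):
                raise ValueError("PEM block does not decode to an X.509 certificate")
            certs.append(der)
        return certs
    raise ValueError("file is neither PEM nor DER")


def to_pem(data: bytes) -> str:
    """Normalise the file to PEM text suitable for pasting into a PEM-only field."""
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in extract_der_certs(data))


# Constructed sample inputs (minimal DER with certificate shape, NOT real certificates).
SAMPLE_DER = bytes.fromhex("300a" "3003020101" "3000" "030100")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\r\nMAowAwIBATAAAwEA\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else SAMPLE_DER
    print("detected format:", detect_format(raw))
    print("certificates in file:", len(extract_der_certs(raw)))
    print(to_pem(raw), end="")
```

Run it as `python checkcert.py provider-root.crt`: if it reports DER, the printed PEM text is what you paste; if it reports PEM, the input was already fine and the count tells you whether the file is a single root or a bundle of several certificates.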
03-04-2024 10:42 AM
@Rob Ingram so that's on there now under manual enrollment, Manual (CA Only), thanks for that. What's the next step please?
Thanks
03-04-2024 10:47 AM
@benolyndav ok, so is this enrolled under the FTD (from FMC under Devices > Certificates)?
If so, this will have created the trustpoint on the FTD. From the FTD you can run "show crypto ca certificates" to confirm the trustpoint is created.