Hi

Yes thats what I thought just use Root for the 12 tunnels, I never questioned it as it was in an email but its confusing.

Hi @Rob Ingram 
So if I want to Use 3rd party Root Cert where will this need adding my side, ???

Thanks

@benolyndav you can just create a new trustpoint and import the CA certificate and then attach to the FTDs.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/objects-certs.html#task_blc_3nw_vy

Hi @Rob Ingram 

Im still a bit confused if they send me a cert does this mean I can simply add this cert to our FTD or do I still have to do some form of enrollment .??

Thanks

@benolyndav yes use manual enrollment and import the peers CA certificate only.

@Rob Ingram 
would it still need adding to Trusted Root as well.???

Thanks

@benolyndav I assume you are referring to Trusted CA under Objects > PKI? ..then no

You enrol the certificates (under Devices > Certificates) to the FTD which creates the trustpoint on the FTD with the relevant certificates.

Hi @Rob Ingram 
So add cert enrollment give it a name, then select Manual and check CA only,  I try saving and it dosent allow me to move forward ???

---Paste CA certificate in PEM format here ????

@benolyndav you can import the CA certificate only (no identity certificate) since 6.7, I assume you are using 6.7 or newer?

Can you provide a screenshot of what you are doing and the error in context please? How are you trying to import the certificate? You can just copy and paste the CA certificate contents into the field, assuming it's the correct format.

@Rob Ingram Its in .crt format ??

@benolyndav a PEM file can use .crt file extension. PEM files starts with -----BEGIN CERTIFICATE----- 

Open the CA certificate file into notepad, copy and paste this.

@Rob Ingram so thats on there now under manual enrollment Manual (CA Only) thanks for that, whats the next step please ??

Thanks