Firepower VPN Question

benolyndav
Level 4

Hi

We are going to be setting up 12 site-to-site VPNs to a 3rd party provider and they have said they will send us their root cert and we just need to create intermediates for the 12 tunnels from the root cert. Is this possible and if so how, please?


Thanks

Accepted Solution

@benolyndav OK, so is this enrolled under the FTD (from FMC under Devices > Certificates)?

If so, this will have created the trustpoint on the FTD; from the FTD you can run "show crypto ca certificates" to confirm the trustpoint is created.


33 Replies

@benolyndav are you sure they said create intermediates for the tunnels? You'd exchange root certificates and deploy to the FTD to mutually authenticate when establishing the VPN.

Hi

Yes, that's what I thought, just use the root for the 12 tunnels. I never questioned it as it was in an email, but it's confusing.

Hi @Rob Ingram 
So if I want to use the 3rd party root cert, where will this need adding on my side?

Thanks


Hi @Rob Ingram 

I'm still a bit confused. If they send me a cert, does this mean I can simply add this cert to our FTD, or do I still have to do some form of enrollment?

Thanks

@benolyndav yes, use manual enrollment and import the peer's CA certificate only.

@Rob Ingram 
Would it still need adding to Trusted Root as well?

Thanks

@benolyndav I assume you are referring to Trusted CA under Objects > PKI? Then no.

You enrol the certificates (under Devices > Certificates) to the FTD which creates the trustpoint on the FTD with the relevant certificates.

Hi @Rob Ingram 
So add cert enrollment, give it a name, then select Manual and check CA only. I try saving and it doesn't allow me to move forward?

"---Paste CA certificate in PEM format here" ???

@benolyndav you can import the CA certificate only (no identity certificate) since 6.7. I assume you are using 6.7 or newer?

Can you provide a screenshot of what you are doing and the error in context please? How are you trying to import the certificate? You can just copy and paste the CA certificate contents into the field, assuming it's the correct format.

@Rob Ingram It's in .crt format?

@benolyndav a PEM file can use the .crt file extension. PEM files start with -----BEGIN CERTIFICATE-----

Open the CA certificate file in Notepad, then copy and paste this.
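Since a .crt from a third party can just as easily be DER-encoded binary as PEM text, a quick check of the file before pasting it into the FMC field saves a round of guesswork. The script below is an added example for this thread, not Cisco code and not something either poster shared; load_ca_file, to_pem and build_sample are hypothetical helper names, and the sample certificate is a constructed, unsigned, certificate-shaped DER blob that exists only to exercise the parser. It reports whether the file is PEM or DER, re-wraps DER into the PEM text the enrollment field expects, and reads BasicConstraints to confirm the certificate actually asserts cA=TRUE, which is the property a CA-only trustpoint should carry.

```python
"""Pre-flight check for a peer CA certificate before FMC manual (CA only) enrollment.

Added example for this thread, not Cisco code.  Helper names are hypothetical and
the sample data is constructed.  The DER walker reads only the fields needed to
locate BasicConstraints; it is not a general X.509 parser.
"""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints 2.5.29.19


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _is_ca(der):
    """True if tbsCertificate carries a BasicConstraints extension with cA=TRUE."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tbs_tag, tbs, _ = _tlv(cert, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    for ftag, field in _children(tbs):
        if ftag != 0xA3:                    # [3] EXPLICIT Extensions
            continue
        _, exts, _ = _tlv(field, 0)
        for _, ext in _children(exts):
            parts = list(_children(ext))    # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            _, basic, _ = _tlv(parts[-1][1], 0)   # BasicConstraints SEQUENCE in the OCTET STRING
            for btag, bval in _children(basic):
                if btag == 0x01:            # cA BOOLEAN; absent means DEFAULT FALSE
                    return bval != b"\x00"
            return False
    return False


def to_pem(der):
    """Wrap DER bytes in PEM framing (64-character base64 lines)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def load_ca_file(data):
    """Classify raw .crt file bytes: PEM or DER, CA flag, and paste-ready PEM text."""
    match = PEM_BLOCK.search(data)          # first block only; a chain would need a loop
    if match:
        der, fmt = base64.b64decode(b"".join(match.group(1).split())), "PEM"
    elif data[:1] == b"\x30":               # bare DER starts with a SEQUENCE tag
        der, fmt = data, "DER"
    else:
        return {"format": "unknown", "ca": False, "pem": None}
    return {"format": fmt, "ca": _is_ca(der), "pem": to_pem(der)}


# --- constructed sample data (not a real certificate) ------------------------
def _enc(tag, payload):
    """Minimal DER encoder used only to build the sample blob."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample(ca=True):
    """Certificate-shaped DER with empty name/key fields and a BasicConstraints extension."""
    basic = _enc(0x30, _enc(0x01, b"\xff") if ca else b"")
    ext = _enc(0x30, _enc(0x06, OID_BASIC_CONSTRAINTS) + _enc(0x01, b"\xff") + _enc(0x04, basic))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02"))   # [0] version v3
                     + _enc(0x02, b"\x01")             # serialNumber
                     + _enc(0x30, b"") * 5             # sigalg, issuer, validity, subject, spki (empty placeholders)
                     + _enc(0xA3, _enc(0x30, ext)))    # [3] extensions
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))


if __name__ == "__main__":
    for label, blob in (("PEM CA", to_pem(build_sample(True))),
                        ("DER non-CA", build_sample(False)),
                        ("junk", b"not a certificate")):
        info = load_ca_file(blob)
        print(f"{label}: format={info['format']} ca={info['ca']}")
```

On a real file, read it with open(path, "rb") and pass the bytes to load_ca_file; when the result says DER, paste the returned pem text rather than the raw file, and when ca is False the peer has sent something other than their CA certificate and it is worth asking them again before enrolling it.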

@Rob Ingram so that's on there now under manual enrollment, Manual (CA Only), thanks for that. What's the next step please?

Thanks

