FMC: Automatic renew certificates?

Network Diver
Level 3

Hello,

Managing certificates is becoming more and more of a nightmare as the valid lifetime will be reduced to 47 days, especially on devices and virtual appliances that don't support any kind of automatic renewal protocol.

[Image: 47-day-certificate-lifespan-what-to-expect.png]

What are the options in FMC to automatically renew VPN peer certificates signed by an external public CA? Currently FMC 7.4 only supports EST and SCEP enrollment. [1] Neither of them supports automatic renewal. The latest FMC 7.7 also does not support ACME. [2] We also use the VPN peer certificate for signing SAML requests for Microsoft Entra ID, so renewing a certificate for a VPN peer involves multiple manual steps.

[1] https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/objects-certs.html

[2] https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/objects-certs.html

Accepted Solution

Marvin Rhoads
Hall of Fame

ACME-based certificate renewal support for FMC-managed FTD devices is expected to be introduced later this year (2025) with the next major release (10.0). It is already present and working in the latest ASA code and the FMC support builds on that same foundation.

5 Replies

Network Diver
Level 3

Any outlook when FMC will support ACME for certificate renewals?
There's an enhancement request for this: https://bst.cisco.com/quickview/bug/CSCvi00886

Thanks for sharing 

Have a nice day 

MHM

kajtzu
Level 1

I agree that the ASA code in 9.23(1) and later works but it installs only the requested certificate, not any intermediates, which means the certificate chain is incomplete. So, it doesn't work unless the client is able to use AIA fetching. The ones that don't support it complain about the cert. I have a case open for this, actually.

@kajtzu Good point - I have also brought up this issue with the Cisco team during FTD beta testing. We will see if they are able to incorporate the intermediate certificate(s) sooner vs. later. Behind the scenes it's a simple chaining operation that can be done in openssl.
