FMC: Automatic renew certificates?

Network Diver
Level 7

Hello,

Managing certificates is getting more and more of a nightmare as the valid lifetime will be reduced to 47 days, especially on devices and virtual appliances that don't support any kind of automatic renewal protocol.

[Image: 47-day-certificate-lifespan-what-to-expect.png]

What are the options in FMC to automatically renew VPN peer certificates signed by an external public CA? Currently FMC 7.4 only supports EST and SCEP enrollment. [1] Neither of them supports automatic renewal. Also, the latest FMC 7.7 does not support ACME. We also use the VPN peer certificate for signing SAML requests for Microsoft Entra ID, so renewing a certificate for a VPN peer involves multiple manual steps.

[1] https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/objects-certs.html

[2] https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/objects-certs.html

Accepted Solution

Marvin Rhoads
Hall of Fame

ACME-based certificate renewal support for FMC-managed FTD devices is expected to be introduced later this year (2025) with the next major release (10.0). It is already present and working in the latest ASA code and the FMC support builds on that same foundation.


Network Diver
Level 7

Any outlook on when FMC will support ACME for certificate renewals?
There's an enhancement request for this: https://bst.cisco.com/quickview/bug/CSCvi00886

Thanks for sharing 

Have a nice day 

MHM

kajtzu
Community Member

I agree that the ASA code in 9.23(1) and later works, but it installs only the requested certificate, not any intermediates, which means the certificate chain is incomplete. So it doesn't work unless the client is able to use AIA fetching. The ones that don't support it complain about the cert. I have a case open for this, actually.

@kajtzu Good point. I have also brought up this issue with the Cisco team during FTD beta testing. We will see if they are able to incorporate the intermediate certificate(s) sooner vs. later. Behind the scenes it's a simple chaining operation that can be done in openssl.
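The chaining operation described above, as an added example that is not code from Cisco, the thread participants or any FTD/ASA build: a throwaway root CA, an intermediate CA and a leaf certificate for a constructed VPN peer name (vpn.example.net) are generated in a temporary directory, the leaf and intermediate are concatenated into the bundle a peer must present, and `openssl verify` is run twice, once with the intermediate available and once with the leaf alone. The second run fails with an incomplete chain, which is exactly what a client without AIA fetching sees when only the requested certificate is installed.

```shell
#!/bin/sh
# Added example: build and verify a full certificate chain with openssl.
# All keys and certificates here are constructed in a temp dir for the
# demonstration; a self-made root like this is never used for real peers.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway root CA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA signed by the root. CA:TRUE is required so that the
# intermediate is allowed to sign the leaf.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Example Issuing CA" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile inter.ext -out inter.pem 2>/dev/null

# Leaf certificate for the VPN peer (hostname constructed), signed by the
# intermediate, not by the root.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=vpn.example.net" -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'subjectAltName=DNS:vpn.example.net\nbasicConstraints=CA:FALSE\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# The chaining step itself: leaf first, then every intermediate up to (but
# not including) the root. This is the bundle a peer should present.
cat leaf.pem inter.pem > fullchain.pem

# verify_chain ROOT UNTRUSTED LEAF -> prints "ok" or "fail".
# -untrusted supplies the certificates a peer would send alongside the leaf;
# only ROOT is treated as a trust anchor, just like a client's trust store.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Number of certificates a PEM bundle presents.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

echo "certificates in bundle: $(cert_count fullchain.pem)"
echo "leaf + intermediate:    $(verify_chain root.pem fullchain.pem leaf.pem)"
echo "leaf only:              $(verify_chain root.pem leaf.pem leaf.pem)"
```

The "leaf only" case is the situation kajtzu describes: the trust store has the root, the device sends only the leaf, and path building stops because nothing links the two. A quick check against a live peer is `openssl s_client -connect host:443 -showcerts`, which lists every certificate the peer actually sends.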

Network Diver
Level 7

I wonder which ACME challenges FTD/FMC 10.x will support and whether automatic enrollment works for the VPN peer certificate, the FMC admin certificate and the service provider certificate used by Azure Entra SSO.

  • ACME HTTP-01 and TLS-ALPN-01 could work for firewalls acting as VPN peers that are accessible from the internet and from the registrar's ACME service to verify the token. But our management center is in the internal network.
  • The ACME DNS-01 challenge could work for devices that are not accessible from the internet, such as the FMC, but we're currently using DNS delegation with Azure DNS and the Certbot Azure DNS plugin and grant only write access to TXT records in the acme DNS subdomain referenced by the _acme-challenge.<hostname> CNAME.
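How the DNS-01 challenge and the CNAME delegation described above fit together, as an added example that is not code from the thread, Certbot or Cisco: the functions compute the values defined in RFC 8555 (key authorization = token "." JWK thumbprint; TXT value = base64url(SHA-256(key authorization))) and RFC 7638 (thumbprint = SHA-256 over the canonical JSON of the key's required members). The token, the EC public key coordinates, the hostnames (fmc.corp.example, acme.example.net) and the CNAME table are all constructed for the demonstration; a real validator follows the CNAME with a live DNS query instead of the table.

```shell
#!/bin/sh
# Added example: the DNS-01 arithmetic from RFC 8555 and the CNAME delegation
# that lets an automation account hold write access only to TXT records in a
# separate "acme" zone. All inputs below are constructed sample values.
set -eu

# base64url without padding (RFC 4648 section 5), the encoding ACME uses.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# SHA-256 of stdin, base64url-encoded.
sha256_b64url() { openssl dgst -sha256 -binary | b64url; }

# RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
# members only, keys in lexicographic order, no whitespace. For an EC key
# the members are crv, kty, x, y. The caller passes the canonical string.
jwk_thumbprint() { printf '%s' "$1" | sha256_b64url; }

# RFC 8555 section 8.1: key authorization = token "." thumbprint
key_authorization() { printf '%s.%s' "$1" "$2"; }

# RFC 8555 section 8.4: TXT record value = base64url(SHA-256(key authorization))
dns01_txt_value() { printf '%s' "$1" | sha256_b64url; }

# The name the CA queries for a given identifier.
challenge_name() { printf '_acme-challenge.%s' "$1"; }

# Constructed delegation table standing in for the real CNAME records: the
# internal host's challenge name points into a zone where the renewal job
# may only write TXT records.
resolve_cname() {
  case "$1" in
    _acme-challenge.fmc.corp.example) echo "fmc.acme.example.net" ;;
    *) echo "$1" ;;
  esac
}

# Constructed inputs: a sample token and sample P-256 coordinates (base64url).
TOKEN="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
CANON_JWK='{"crv":"P-256","kty":"EC","x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU","y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}'

THUMB=$(jwk_thumbprint "$CANON_JWK")
KEYAUTH=$(key_authorization "$TOKEN" "$THUMB")
TXT=$(dns01_txt_value "$KEYAUTH")
NAME=$(challenge_name fmc.corp.example)
TARGET=$(resolve_cname "$NAME")

echo "CA queries:   $NAME  (CNAME -> $TARGET)"
echo "write TXT at: $TARGET"
echo "TXT value:    $TXT"
```

The validator resolves `_acme-challenge.fmc.corp.example`, follows the CNAME into the acme zone and compares the TXT value there with its own computation of the same hash, so the renewal job never needs rights on the zone that carries the host's real records. Whatever client FTD/FMC ships, it has to be able to publish that TXT value through the delegated zone for DNS-01 to be usable on an internal management center.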
