04-11-2018 04:40 AM - edited 02-21-2020 07:37 AM
Hi;
I've integrated FTD 6.2.2 with ISE 2.2 using pxGrid and required certificates. What I don't understand and cannot find on the Internet is Certificate Enrollment on FTD.
Actually I'm studying remote access VPNs on FTD and want to deploy a scenario like below:
Does certificate enrollment on FTD mean generating a CSR to get a node certificate from internal CA and then trying to authenticate remote users based on that certificate on behalf of root CA? Does it like the procedure we do on ISE (importing CA root certificate on ISE trusted root CA database and then generating a CSR to get a node certificate for ISE device itself)?
If the answer to the question above is positive, then why don't we use the "openssl" tool or "Object Management > PKI > Internal Certs" to generate a CSR and import the received certs into the FTD database? While integrating FTD with ISE I used the "openssl" command to generate a CSR on FTD.
I'm really confused and appreciate any help on this.
04-11-2018 08:54 AM
You are correct with the assumption that the FTD certificate enrollment is to have an identity certificate issued for the FTD device itself. You have multiple options to get the cert. SCEP and Manual process are the same, using SCEP or a manual process to generate a CSR. You can also use openssl to generate a CSR and get a certificate issued to the device. You would have to use the pkcs12 option to import the key, identity cert and CA cert.
The "Object Management > PKI > Internal Certs" is for the FMC, not the FTD. They are separate from one another. Think of the FTD cert enrollment as creating trustpoints on the ASA and importing identity and CA certs.
04-13-2018 05:26 AM
@Rahul Govindan wrote:
You are correct with the assumption that the FTD certificate enrollment is to have an identity certificate issued for the FTD device itself. You have multiple options to get the cert. SCEP and Manual process are the same, using SCEP or a manual process to generate a CSR. You can also use openssl to generate a CSR and get a certificate issued to the device. You would have to use the pkcs12 option to import the key, identity cert and CA cert.
The "Object Management > PKI > Internal Certs" is for the FMC, not the FTD. They are separate from one another. Think of the FTD cert enrollment as creating trustpoints on the ASA and importing identity and CA certs.
Hi; Thank you for your helpful reply. It gave me solid basic understanding.
May I ask which port number on CA/NDES is used by Cert Enrollment process? I entered IP address of the CA/NDES server in Enrollment URL field on Object Management > PKI > Cert Enrollment:
But while installing the request on Devices > Certificate page I got this error message:
I read on the Cisco site the Enrollment port number is mandatory and I don't know what the port number should be (supposing the reason for the error message was this).
04-13-2018 07:31 AM
Depends on how your NDES server is setup. Usually if it is an MS CA server running NDES, the url would look like below:
http://CA_IP_Address/certsrv/mscep/mscep.dll
Port is usually http or https for standard NDES deployments. Go to the url in your environment and see if it shows the NDES page. You can also do a registry hack to remove the Challenge password requirement on your NDES server (this changes every 30 minutes I think).
04-13-2018 08:17 AM
@Rahul Govindan wrote:
Depends on how your NDES server is setup. Usually if it is an MS CA server running NDES, the url would look like below:
http://CA_IP_Address/certsrv/mscep/mscep.dll
Port is usually http or https for standard NDES deployments. Go to the url in your environment and see if it shows the NDES page. You can also do a registry hack to remove the Challenge password requirement on your NDES server (this changes every 30 minutes I think).
The link you gave works & I've already got the challenge password and entered it on the relevant page on FMC. Do I need to enter this URL in the Enrollment URL field? As you see, I entered "http://10.1.204.154" in that field and then faced the error.
Besides, I have just one server which acts as root CA and NDES, and I configured them based on the link below without changing any default value.
04-13-2018 10:23 AM - edited 04-13-2018 10:29 AM
Update: I entered "http://CA_IP_Address/certsrv/mscep/mscep.dll" in the Enrollment URL field on FMC and it worked!
Don't know why there is nothing about this field value in the Cisco configuration guides! It just says to put the CA server IP address or FQDN, but it's obvious that this is a wrong statement. I spent a whole day resolving this because I thought that the Cisco docs were complete and right.
04-13-2018 01:27 PM
Good to hear that you resolved this, it is always the SCEP url that you need to use for enrollment with MS CA.
I wish what you say about the Cisco documentation always being correct were true :) You always have something that you eventually figure out via trial and error. I would give Cisco the feedback about correcting the documentation when you find something wrong/missing. They are pretty responsive to document feedback in my experience.
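The troubleshooting step in this thread (open the NDES URL and see whether it answers as a SCEP endpoint before entering it in FMC) as an added example; this is not code from the thread or from Cisco. It probes the two unauthenticated SCEP query operations, GetCACaps and GetCACert, and reports why a URL such as the bare "http://10.1.204.154" fails while the mscep.dll URL succeeds. The NDES path is the one quoted in the thread; the fetch function is injectable so the logic can be exercised offline against constructed responses.

```python
"""Probe a candidate SCEP Enrollment URL before configuring it in FMC."""
from urllib.parse import urlsplit, urlunsplit, urlencode
import urllib.request

# Default NDES path on a Microsoft CA, as used in the thread.
NDES_SCEP_PATH = "/certsrv/mscep/mscep.dll"

# Capabilities a SCEP server may advertise in a GetCACaps reply (RFC 8894).
KNOWN_CACAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
                "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

def scep_op_url(base_url, operation):
    """Build the GET URL for one SCEP operation on base_url."""
    p = urlsplit(base_url)
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode({"operation": operation}), ""))

def suggest_ndes_url(base_url):
    """If only a host was given (the mistake in the thread), append the NDES path."""
    p = urlsplit(base_url)
    return base_url if p.path not in ("", "/") else urlunsplit(
        (p.scheme, p.netloc, NDES_SCEP_PATH, "", ""))

def parse_cacaps(body):
    """GetCACaps returns one capability per line; keep the ones we recognise."""
    return {line.strip() for line in body.splitlines()} & KNOWN_CACAPS

def http_get(url):
    """Real fetcher: returns (status, content-type, body)."""
    with urllib.request.urlopen(url, timeout=10) as r:
        return r.status, r.headers.get("Content-Type", ""), r.read()

def check_scep_endpoint(base_url, fetch=http_get):
    """Return (ok, reason). A bare IIS/CA host answers with HTML, not SCEP."""
    status, ctype, body = fetch(scep_op_url(base_url, "GetCACaps"))
    if status != 200:
        return False, f"GetCACaps returned HTTP {status}"
    if "text/html" in ctype:
        return False, "GetCACaps returned HTML: not a SCEP endpoint (try " + suggest_ndes_url(base_url) + ")"
    caps = parse_cacaps(body.decode(errors="replace"))
    if not caps:
        return False, "no recognised SCEP capabilities in GetCACaps reply"
    status, ctype, body = fetch(scep_op_url(base_url, "GetCACert"))
    # NDES answers GetCACert with a CA or CA+RA certificate bundle.
    if status != 200 or not ctype.startswith("application/x-x509-ca"):
        return False, f"GetCACert did not return a CA certificate (HTTP {status}, {ctype})"
    return True, "SCEP endpoint OK, capabilities: " + ", ".join(sorted(caps))

if __name__ == "__main__":
    import sys
    print(check_scep_endpoint(sys.argv[1] if len(sys.argv) > 1 else "http://10.1.204.154"))
```

Run it with the URL you intend to enter in the Enrollment URL field; a "returned HTML" result means the CA web server answered but the SCEP path is missing.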
04-14-2018 06:35 AM
@Rahul Govindan wrote:
Good to hear that you resolved this, it is always the SCEP url that you need to use for enrollment with MS CA.
I wish what you say about the Cisco documentation always being correct were true :) You always have something that you eventually figure out via trial and error. I would give Cisco the feedback about correcting the documentation when you find something wrong/missing. They are pretty responsive to document feedback in my experience.
Hi. In case you contact Cisco about documentation errors, this is where the Enrollment URL has been explained on the Cisco website without specifying the actual URL needed in the Enrollment URL field:
Enrollment URL; FMC 6.2.2 configuration guide
09-04-2020 10:33 AM
Hello, is it possible to integrate Cisco ISE pxGrid with only FTD, so without the use of FMC?
09-04-2020 11:38 AM
Yes, you can configure pxGrid when using FDM.
Reference here:-
HTH