
How to - ASA trustpoints must be manually migrated to the management

Working on an ASA to FTD migration and trying to find more information on how and what to do for this?

The ASA trustpoints must be manually migrated to the management center as PKI objects

Does it mean all the below certs need to be migrated as PKI objects?


Accepted Solutions

@NetworkMonkey101 yes you need to enroll the certificate to the FTD, so the trustpoint is installed on the FTD.

 

  • Navigate to Devices > Certificates
  • Click Add Certificates
  • From the drop-down list select the Device
  • Select the Cert Enrollment*: as the name you defined previously.

 

 


8 Replies 8

@NetworkMonkey101 you can export the certificate trustpoint to PKCS12 file using the command - "crypto ca export <trustpoint> pkcs12 <passphrase>"

Then on the FMC you import the PKCS12 file https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/objects-certs.html?bookSearch=true#task_vzz_knw_vy

 

 

Some key points about migrating ASA trustpoints to FTD as PKI objects during an ASA to FTD migration. The ASA trustpoints need to be manually migrated to the Firepower Management Center (FMC) as PKI objects. This is an important pre-migration step when migrating Remote Access VPN configurations.
You will need to create trust points as PKI objects on the FMC before proceeding with the migration. The Firewall Migration Tool allows you to update the trust points that were previously uploaded to the FMC during the migration process. This applies to certificates used for various purposes on the ASA, including:

  • Identity certificates
  • CA certificates
  • Certificates used for VPN authentication

You'll need to export the certificates from the ASA and import them into the FMC as PKI objects before running the migration tool. Pay special attention to any certificates used for Remote Access VPN, as these are critical for the VPN functionality to work properly after migration. The migration tool will provide an interface to map the ASA trustpoints to the corresponding PKI objects you created on the FMC. To ensure a smooth migration, it's recommended to:

  • Inventory all certificates and trustpoints used on your ASA
  • Export those certificates from the ASA
  • Create corresponding PKI objects on the FMC
  • Import the certificates into those PKI objects
  • Use the migration tool to map the ASA trustpoints to FMC PKI objects

This manual process helps ensure all necessary certificates are properly migrated to support the FTD configuration after migration.

 

Hope this helps, and please rate the post as you are asking many questions.

please do not forget to rate.
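An added example, not part of the original posts: a Python script for the inventory step listed above, run over saved text from the ASA `show crypto ca certificates` command. It groups certificates by trustpoint, marks which trustpoints hold an identity certificate (and so a private key to carry over) versus CA certificates only, and lists expired entries. The sample output is constructed; the field labels, the space-separated trustpoint list and reading times as UTC are assumptions to check against your own device output.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on ASA `show crypto ca certificates` output;
# subjects, dates and trustpoint names are made up for illustration.
SAMPLE = """\
CA Certificate
  Subject Name:
    cn=Example Root CA
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 23:59:59 UTC Dec 31 2029
  Associated Trustpoints: TP-ROOT TP-VPN

Certificate
  Subject Name:
    cn=vpn.example.com
  Validity Date:
    start date: 00:00:00 UTC Mar 1 2024
    end   date: 23:59:59 UTC Mar 1 2025
  Associated Trustpoints: TP-VPN
"""

def parse_certs(text):
    """Return one record per certificate block (blocks start at column 0)."""
    certs = []
    for block in re.split(r"\n(?=\S)", text.strip()):
        kind = "ca" if block.startswith("CA Certificate") else "identity"
        subj = re.search(r"Subject Name:\s*\n\s*(.+)", block)
        end = re.search(r"end\s+date:\s*(\d\d:\d\d:\d\d) \S+ (\w{3}) +(\d+) (\d{4})", block)
        tps = re.search(r"Associated Trustpoints:\s*(.+)", block)
        # Assumption: the printed time zone is UTC; adjust if the ASA uses another.
        when = (datetime.strptime(" ".join(end.groups()), "%H:%M:%S %b %d %Y")
                .replace(tzinfo=timezone.utc)) if end else None
        certs.append({"kind": kind, "expires": when,
                      "subject": subj.group(1).strip() if subj else "?",
                      "trustpoints": tps.group(1).split() if tps else []})
    return certs

def migration_plan(certs, now):
    """Per trustpoint: does it hold an identity cert, and what has expired."""
    plan = {}
    for c in certs:
        for tp in c["trustpoints"]:
            entry = plan.setdefault(tp, {"has_identity": False, "expired": []})
            entry["has_identity"] |= c["kind"] == "identity"
            if c["expires"] and c["expires"] < now:
                entry["expired"].append(c["subject"])
    return plan
```

Trustpoints with `has_identity` set are the ones to export as PKCS12; an entry under `expired` is worth renewing rather than carrying over as-is.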

Thanks for this. I have exported all the ID certs but the CA certs do not have an export option within ASDM?

When creating the PKI objects on the FMC for the certs to be imported to which section within PKI should they be created in?


 

@NetworkMonkey101 try:-

 

  • Navigate to Objects > Object Management > PKI > Cert Enrollment
  • Click Add Cert Enrollment
  • Enter an appropriate name
  • Select Enrollment Type as PKCS12 File
  • Click Browse PKCS12 File and select the file previously created.
  • Enter the Passphrase used when creating the PKCS12 file.

 

Thanks Rob. I have now added the ID certs as PKI objects and bound the cert. Is there anything else to do for this part?


 

@NetworkMonkey101 yes you need to enroll the certificate to the FTD, so the trustpoint is installed on the FTD.

 

  • Navigate to Devices > Certificates
  • Click Add Certificates
  • From the drop-down list select the Device
  • Select the Cert Enrollment*: as the name you defined previously.

 

 

Many thanks for your help!
