09-17-2024 04:27 AM
Working on an ASA to FTD migration and trying to find more information on how and what to do for this?
The ASA trustpoints must be manually migrated to the management center as PKI objects
Does it mean all the below certs need to be migrated as PKI objects?
09-17-2024 04:31 AM
@NetworkMonkey101 you can export the certificate trustpoint to a PKCS12 file using the command "crypto ca export <trustpoint> pkcs12 <passphrase>"
Then on the FMC you import the PKCS12 file https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/objects-certs.html?bookSearch=true#task_vzz_knw_vy
09-17-2024 04:36 AM
Some key points about migrating ASA trustpoints to FTD as PKI objects during an ASA to FTD migration. The ASA trustpoints need to be manually migrated to the Firepower Management Center (FMC) as PKI objects. This is an important pre-migration step when migrating Remote Access VPN configurations.
You will need to create trust points as PKI objects on the FMC before proceeding with the migration. The Firewall Migration Tool allows you to update the trust points that were previously uploaded to the FMC during the migration process. This applies to certificates used for various purposes on the ASA, including:
Identity certificates
CA certificates
Certificates used for VPN authentication
You'll need to export the certificates from the ASA and import them into the FMC as PKI objects before running the migration tool. Pay special attention to any certificates used for Remote Access VPN, as these are critical for the VPN functionality to work properly after migration. The migration tool will provide an interface to map the ASA trustpoints to the corresponding PKI objects you created on the FMC. To ensure a smooth migration, it's recommended to:
Inventory all certificates and trustpoints used on your ASA
Export those certificates from the ASA
Create corresponding PKI objects on the FMC
Import the certificates into those PKI objects
Use the migration tool to map the ASA trustpoints to FMC PKI objects
This manual process helps ensure all necessary certificates are properly migrated to support the FTD configuration after migration.
Hope this helps, and please rate the post, as you are asking many questions.
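The export command in the reply above produces a base64 PKCS12 blob, and the inventory step in the list above is where a bad export usually gets caught. The script below is an added example, not part of the thread or of any Cisco tool: it decodes such a blob, confirms the passphrase opens it, checks that the private key matches the identity certificate, counts the CA certificates riding along in the bundle, and flags an identity certificate that expires within 30 days, all before anything is uploaded to the FMC. It assumes the openssl CLI is installed. Because no ASA output is reproduced in the thread, the bundle it inspects is constructed on the fly from a self-signed root CA and an identity certificate it signs.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the output of
# "crypto ca export <trustpoint> pkcs12 <passphrase>" before importing it into
# the FMC as a PKI object. Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a trustpoint (no real ASA output is used here):
# a root CA, an identity cert it signed, and the private key, bundled as PKCS12
# and printed base64-encoded the way the ASA prints an export.  $1 = passphrase.
make_sample_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Root CA" -days 3650 -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/id.key" -out "$WORK/id.csr" \
    -subj "/CN=asa.example.com" 2>/dev/null
  openssl x509 -req -in "$WORK/id.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/id.pem" -days 365 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/id.key" -in "$WORK/id.pem" -certfile "$WORK/root.pem" \
    -passout "pass:$1" -out "$WORK/sample.p12"
  openssl base64 -in "$WORK/sample.p12"
}

# $1 = base64 text as pasted from the ASA, $2 = export passphrase.
# Returns non-zero if the passphrase is wrong; otherwise prints one summary line.
check_bundle() {
  printf '%s\n' "$1" | openssl base64 -d > "$WORK/in.p12"
  openssl pkcs12 -in "$WORK/in.p12" -passin "pass:$2" -nocerts -nodes \
    -out "$WORK/key.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$WORK/in.p12" -passin "pass:$2" -clcerts -nokeys \
    -out "$WORK/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$WORK/in.p12" -passin "pass:$2" -cacerts -nokeys \
    -out "$WORK/chain.pem" 2>/dev/null

  # The private key must belong to the identity cert; compare public-key digests.
  key_fp=$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null | openssl sha256)
  cert_fp=$(openssl x509 -in "$WORK/leaf.pem" -pubkey -noout | openssl sha256)
  if [ "$key_fp" = "$cert_fp" ]; then match=yes; else match=no; fi

  # CA certs carried in the bundle: these, not only the ID cert, have to end up
  # on the FMC, so a count of zero means they must be sourced some other way.
  ca_count=$(grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem" || true)

  # Flag an identity cert that expires within 30 days (2592000 s).
  if openssl x509 -in "$WORK/leaf.pem" -checkend 2592000 -noout >/dev/null; then soon=no; else soon=yes; fi

  subj=$(openssl x509 -in "$WORK/leaf.pem" -subject -noout)
  printf 'leaf=%s key-matches-cert=%s ca-certs=%s expires-within-30d=%s\n' \
    "$subj" "$match" "$ca_count" "$soon"
}

# Usage with a real export: paste the ASA's base64 output into export.txt, then
#   check_bundle "$(cat export.txt)" '<passphrase>'
```

A bundle that fails the passphrase check, shows key-matches-cert=no, or reports an identity certificate about to expire is not worth uploading; fix the export (or renew the certificate) on the ASA side first, since the FMC bind step will not repair any of those.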
09-17-2024 05:30 AM
Thanks for this. I have exported all the ID certs, but the CA certs do not have an export option within ASDM?
09-17-2024 05:39 AM
When creating the PKI objects on the FMC for the certs to be imported, in which section within PKI should they be created?
09-17-2024 05:43 AM
@NetworkMonkey101 try:-
09-17-2024 06:03 AM
Thanks Rob. I have now added the ID certs as PKI objects and bound the cert. Is there anything else to do for this part?
09-17-2024 06:07 AM
@NetworkMonkey101 yes you need to enroll the certificate to the FTD, so the trustpoint is installed on the FTD.
09-17-2024 06:09 AM
Many thanks for your help!