How to renew the selfsigned CA-Certificate at the ASA-Firepower modul?

u.drechsel · ‎06-24-2024

Hello together,

we've the problem, that the tunnel communication between ASA 5585-x Firepower modul and FMC is broken, because a certificate is expired. The tunnel certificate is valid till the year 2026. But the self signed CA-Certificate is expired:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: title=InternalCA, OU=Intrusion Management System, CN=0fdaa31a-0a80-11e5-9396-8729bd1128ad, O=Sourcefire, Inc.
Validity
Not Before: Jun 12 21:41:01 2014 GMT
Not After : Jun 9 21:41:01 2024 GMT
Subject: title=InternalCA, OU=Intrusion Management System, CN=0fdaa31a-0a80-11e5-9396-8729bd1128ad, O=Sourcefire, Inc.

Yes, I know, the ASA 5585-x is meanwhile without service, so I don't have TAC-support. But the new firewall aren't ready to work yet. So the old one must stay alive till migration.

Does anybody know a solution to renew the CA-Certificate via cli (without FMC)?

Thanks in advance

hopeful

Uwe

Marvin Rhoads · ‎06-24-2024

I went through a similar situation recently with our 10 year old FMC whose certificate had expired. Luckily I had TAC support - the fix involved some not-publicly-documented scripts to force regeneration of the internal self-signed certificate. Sorry to say I did not save all the commands we ran during the fix or I would be happy to share them.

If your FMC has support, you might be able to get TAC to help wince the problem affects FMC's ability to manage the device. It's a long shot but worth asking.

Networker17 · ‎06-25-2024

Hi Marvin,

thank you for the hopeful outlook!
Do you still have the ticket number? This could shorten searche at Cisco side...

Thanks!
(on behalf of Uwe)

MHM Cisco World · ‎06-26-2024

https://networkwizkid.com/how-to-install-a-ca-signed-certificate-to-firepower-management-centre/

this link only to check I prefer open TAC as @Marvin Rhoads suggest

thanks

MHM

u.drechsel · ‎07-01-2024

Hi MHM,

thank you for your answer. But the problem concerns self signed certificates, we would need TAC to solve.

Kindly greetings

Uwe

u.drechsel · ‎07-01-2024

Hi Marvin,

many thanks for your answer. Unfortunately we don't have TAC-support any more, because our firewall is meanwhile end of support. We tried to open a TAC-case but it was denied by Cisco. So we can't solve our problem with the internal tunnel certificate and so we also can't use FMC for monitoring and configuring no more. It's a potential security risk and that's why a disapointing support by Cisco.

We are already in a phase of migration to a newer firewall but it takes time...

Kindly greetings
Uwe

Marvin Rhoads · ‎07-01-2024

I checked the case notes for the supported one I had this issue with. TAC provided a python script called rebuild_ca.py. It recreates a new FMC certificate. That certificate then needs to be copied into the managed devices' correct folder so that it is used for the sftunnel process once it's restarted.

So it's pretty complex and not something that can be shared in this forum. Sorry for that.

Networker17 · ‎07-02-2024

Marvin, thank you very much for the quick reply and this information!

Sure, this issue is not as trivial and we can't find any informations out it. So, any pice of information (e.g. rebuild_ca.py) helps to find the lucky punch with the cisco TAC.

Have a great day!

u.drechsel · ‎07-07-2024

Hi Marvin,

thank you ones more for your answer.

Have a nice time.

Kindly greetings,

Uwe