07-10-2023 10:57 AM
See this message on the FTD when looking on FMC. Will clicking the re-enroll certificate cause any issues?
07-10-2023 11:24 AM
07-10-2023 01:26 PM
@CiscoBrownBelt the trustpoint configuration is incomplete so cannot be functioning? ...so therefore unlikely to cause an issue.
Complete the certificate installation as per the following procedure - https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html
07-11-2023 09:40 AM
Typically you will see this when the certificate is not enrolled via the Device > Certificates page but you have it specified in the RA VPN setup. You need to add it under Device > Certificates at which point it will immediately push the certificate and trustpoint to the device (no deploy required).
07-12-2023 05:41 AM - edited 07-12-2023 05:54 AM
I believe I hit refresh or something and now it just has X in ID box (fail to configure identity certificate)? I should click the re-enroll button, correct? Says "This operation will generate Certificate Signing Request do you want to continue?" if I do. I am not all that familiar with the process.
07-12-2023 05:54 AM
@CiscoBrownBelt if it is asking you to complete the CSR request, then you'll need to complete the CSR request, you then send this to the CA to get signed and then import the signed identity certificate - https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html
07-12-2023 05:57 AM - edited 07-12-2023 06:08 AM
Is the cert basically not doing anything right now? The option to download the cert is greyed out. If I click to generate the request I assume there is a lot more for me to do in regards to that?
07-12-2023 06:13 AM
@CiscoBrownBelt if you click generate CSR, there is an output (the CSR) which needs to be sent off to be signed. The CA will provide the signed certificate, you then import this to the FMC to complete the process.
07-12-2023 06:17 AM - edited 07-12-2023 06:43 AM
Device is managed via FMC not FDM, but I guess it's about Step 9 in the doc. I assume there is no harm being done since cert not doing anything?
07-12-2023 06:44 AM
@CiscoBrownBelt the FMC will automatically enroll the trustpoint on the FTD (push the certificate) you assign the identity certificate to. No harm if the trustpoint is not in use.
07-12-2023 06:52 AM - edited 07-12-2023 06:53 AM
Looks self-signed as Issuer and Granter is same. Should I be uploading the same notepad file into the Step 2 box of Import Identity Certificate window?
07-12-2023 06:55 AM
@CiscoBrownBelt ok, what is the usage of this certificate? If for remote access VPN then you probably want to use a publicly signed certificate rather than self-signed. The users will not receive certificate issue warnings then.
07-12-2023 07:38 AM
Yes understood about not using self-signed. Yes authentication and for remote access would be the case.