SSL Certificates for AnyConnect VPN

Heino Human
Level 1

Hi guys, 

 

I'm a bit confused about why we would use two signed certificates for AnyConnect VPN to establish a trust point on the outside interface of the firewall. If you look at the article below and follow the steps, it would go like this:

 

1. Create a CSR on the FTD via CLI

2. Send it to a CA to be signed 

3. Go to Objects > Object Management > PKI > Cert Enrollment, click on Add Cert Enrollment. Here we add the CA signed certificate (which is the first one)

4. Then we go to Devices > Certificates > Add > New Certificate. Here we select the cert enrollment we did in step 3, create another CSR to be signed by a CA again. 

 

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html 

 

Am I reading this incorrectly or not understanding the process? 

 

Any insight would be amazing so I can get my head around this. 

 

Thank you

Heino 

Accepted Solution

@Heino Human 

You are getting confused between 2 different methods to import a certificate.

 

You generate the CSR via openssl from the CLI, sign the certificate and create a PKCS12 file. On the FMC you then select the Certificate Enrollment type as PKCS12 and import the file (this doesn't generate a new CSR).

 

Another method is to select the Certificate Enrollment type as Manual, import the CA certificate, and then generate the CSR and import the signed file. This method does not require you to generate a CSR on the CLI.


4 Replies

Omar Sandoval
Level 1

Hi,

Step 3 is for uploading the certificate signed by the CA, and step 4 is to assign the certificate (uploaded in step 3) to the FTD.

Heino Human
Level 1

Hi Omar, 

 

That is correct, though when you assign the certificate in step 4, a new CSR is raised. Please see the screenshots attached. 

 

Thank you

Heino 

Panos Bouras
Level 1

Hi @Heino Human 

 

I create the CSR outside the FTD (try OpenSSL) and then import the certificate to the FTD.

Check the following guide, I use the PKCS12 option.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html

Thank you, Panos.
Please rate posts (by clicking on the star) and/or mark solutions as accepted, when applicable.

