Using FMC GUI to replace RA VPN Certificate

LVS-Derek
Level 1

Hi everyone.

I'm replacing the SSL cert for our RA VPN.  I've used the GUI because I'm not much of a Linux guy and I'm fairly new to Cisco stuff.  I have a pair of 5525s with the FMC virtual appliance.  I used the FMC GUI to generate a CSR but the interface timed out before I got the response back.  If I click the option to Enroll the identity certificate, it wants to start from scratch with a new CSR.  How do I get it to accept the certificate I got from GoDaddy?

Thanks for any help you can offer.

Derek

12 Replies

Hi,
When you generate the CSR you should be able to safely close the screen and then return later to import the signed certificate. If you closed the screen and re-entered it later, it might say that it's going to regenerate a CSR, but I've tested it: it doesn't, it's the same CSR. You should be able to successfully import the signed identity certificate from GoDaddy.

HTH

Thanks. I'll try that right now and report back!

No luck. What format should this certificate be in? Maybe I need to convert it first?

I've never had a problem importing an identity certificate in PEM format... these are prefixed with a "-----BEGIN ..." line and end with "-----END CERTIFICATE-----".

What format is your certificate in? If not PEM then yes, perhaps convert to PEM.

HTH

I'm trying the PEM again right now. It's possible I may have misselected the first time because it's taking a lot longer this time. I'll let it spin for a bit before I refresh.

No dice. It was still spinning when I got back to it so I hit Refresh. It's back to "Identity certificate import required." So I tried the PEM file once more and this time it quickly returned to the same message.

Is the file just the identity certificate or the entire chain?
I assume the FTD you are applying the certificate to is actually online? If it's turned off then you cannot import the certificate.
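The two questions raised above (is the file PEM, and is it the identity certificate alone or the whole chain) can be checked on the file before it goes anywhere near the Browse button. This is an added example, not code from the thread or from Cisco; it uses only the Python standard library, the sample inputs are constructed (not real certificates), and the function names are my own.

```python
import base64
import re

# Constructed demo inputs (not real certificates): a blob shaped like DER
# (ASN.1 SEQUENCE tag 0x30 first) and a two-cert PEM bundle the way a
# Windows download often arrives, with a UTF-8 BOM and CRLF line endings.
FAKE_DER = b"\x30\x82\x01\x04" + bytes(range(256)) + b"\x00" * 4
FAKE_BUNDLE = b"\xef\xbb\xbf" + (
    "-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(FAKE_DER).decode()
    + "\r\n-----END CERTIFICATE-----\r\n").encode() * 2

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'PEM', 'DER' or 'UNKNOWN'."""
    body = data[3:] if data.startswith(b"\xef\xbb\xbf") else data  # skip BOM
    if b"-----BEGIN " in body:
        return "PEM"
    if body[:1] == b"\x30":  # every DER-encoded X.509 object is a SEQUENCE
        return "DER"
    return "UNKNOWN"

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as PEM: base64 in 64-char lines, LF endings, no BOM."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines,
                      f"-----END {label}-----"]) + "\n"

def split_pem_bundle(data: bytes) -> list:
    """Return (label, normalized PEM) per block; strips BOM and CRLF."""
    text = data.decode("utf-8-sig").replace("\r\n", "\n")
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, b64 = m.group(1), "".join(m.group(2).split())
        blocks.append((label, der_to_pem(base64.b64decode(b64), label)))
    return blocks

def identity_cert_only(data: bytes) -> str:
    """Return the leaf cert as clean PEM; FMC takes the CA chain separately."""
    fmt = detect_format(data)
    if fmt == "DER":
        return der_to_pem(data)
    if fmt != "PEM":
        raise ValueError("not a PEM or DER certificate file")
    certs = [pem for lbl, pem in split_pem_bundle(data) if lbl == "CERTIFICATE"]
    if len(certs) != 1:  # a whole chain pasted here is rejected, too
        raise ValueError(f"expected exactly one certificate, found {len(certs)}")
    return certs[0]
```

Feed it the bytes of the file GoDaddy returned; the result is either a single clean PEM block to paste or upload, or an error saying whether the file was DER, not a certificate at all, or a bundle with more than one certificate in it.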

Just the identity certificate. I was able to successfully upload the CA chain but it won't take the identity cert. I can't create a PKCS12 file because the interface doesn't give me access to the key used.

What enrollment type did you use? Manual?

You might have to just start again and re-submit to the CA.

Really hoping to avoid that as I've already reissued once, and I think GoDaddy only allows two! Man I hate these things.

Which version of FMC are you using?

What enrolment type did you use?

Just so we are on the right wavelength, these are the steps that work:

If using manual, you import the root certificate

[screenshot: vpn 1.PNG]

Define the certificate parameters.

[screenshot: vpn 2.PNG]

Click Save

Navigate to Devices > Certificates

Click Add

From the Device drop-down list select your device

From the Cert Enrollment drop-down list select the certificate enrolment

[screenshot: vpn 3.PNG]

Click the ID button

Generate the CSR

[screenshot: vpn 44.png]

Copy the contents of the CSR and send to GoDaddy to sign the certificate

[screenshot: vpn 5.PNG]

Browse identity certificate to import the signed identity certificate

Are those the steps you followed?

HTH

Yes, that's exactly what I did. I'm using FMC 6.5 on a pair of 5525s.