03-14-2023 09:27 AM
Hi All,
I am seeking guidance on the process of changing the CA.
We currently use Firepower firewalls at HQ managed by FMC. It is configured for Remote Access and has been loaded with both the AnyConnect Client Image and the AnyConnect VPN Profile.
The same Cisco AnyConnect VPN Profile has been pre-deployed on all client machines using SCCM during their initial build and is used for AnyConnect client updates.
I have been tasked with updating the settings on the Firepower firewall to use a new internal CA server (when I say new, it refers to a new Root CA altogether). Looking at the AnyConnect VPN Profile XML file, I see that under Certificate Matching an entry has been provided to match ISSUER-CN against the old CA, which is the one currently used to sign the certificate installed on the Firepower firewall.
I have tried adding the new CA server ISSUER-CN along with the old one, manually placed the file on a client machine, restarted the vpnagent service, and was met with the message "Certificate Validation Failure".
This leads me to believe that Certificate Matching does not operate with an "OR" statement, but more with an "AND", in case you have many certificates present on the machine, in order to pinpoint the one you want to use for validation (correct me if I am wrong here).
So the question stands: what would be the process to replace the CA on the Firepower firewall and update clients to be able to validate against this new CA?
I would appreciate collective input on this or any link to material discussing this procedure.
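As an added illustration (not part of the original post and not Cisco tooling), here is a small Python check that pulls the ISSUER-CN criteria out of a profile and evaluates a certificate's issuer under both an AND and an OR combination of those criteria. The element names follow the AnyConnect profile XML schema; the CA names are constructed placeholders, and which combination rule AnyConnect actually applies is the open question above, so the code only shows the consequence of each.

```python
# Added example: parse the CertificateMatch section of a constructed AnyConnect
# VPN profile and show why two different ISSUER-CN criteria cannot both match a
# single certificate when they are combined with AND (a certificate has exactly
# one issuer CN), while they can under OR.
import xml.etree.ElementTree as ET

# Constructed sample profile fragment; CA names are placeholders, not real ones.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <CertificateMatch>
    <DistinguishedName>
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
        <Name>ISSUER-CN</Name>
        <Pattern>OLD-ROOT-CA</Pattern>
      </DistinguishedNameDefinition>
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
        <Name>ISSUER-CN</Name>
        <Pattern>NEW-ROOT-CA</Pattern>
      </DistinguishedNameDefinition>
    </DistinguishedName>
  </CertificateMatch>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def issuer_cn_criteria(profile_xml):
    """Return the (Operator, Pattern) pairs declared for ISSUER-CN in the profile."""
    root = ET.fromstring(profile_xml)
    criteria = []
    for dn in root.iterfind(".//ac:DistinguishedNameDefinition", NS):
        if dn.findtext("ac:Name", namespaces=NS) == "ISSUER-CN":
            criteria.append((dn.get("Operator", "Equal"),
                             dn.findtext("ac:Pattern", namespaces=NS)))
    return criteria


def _match_one(operator, pattern, value):
    # Operator is "Equal" or "NotEqual"; exact match only (Wildcard disabled).
    return value == pattern if operator == "Equal" else value != pattern


def matches(criteria, issuer_cn, combine="AND"):
    """Evaluate one certificate's issuer CN against all criteria under AND or OR."""
    results = [_match_one(op, pat, issuer_cn) for op, pat in criteria]
    return all(results) if combine == "AND" else any(results)
```

Run `matches(issuer_cn_criteria(PROFILE_XML), "NEW-ROOT-CA", "AND")` against `"OR"` to see that only the OR reading lets a certificate from either CA satisfy the profile.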