Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11201
Views
15
Helpful
8
Replies

I feel stupid, is there a trick to installing a certificate on an FTD?

itsupport
Level 1
Level 1

‎09-19-2017 01:30 AM - edited ‎03-12-2019 04:33 AM

I have an ASA-5508-X, controlled by a vFMC. Both are running 6.2.2.0 I am attempting to install a certificate, so that I can configure remote access and allow Anyconnect clients to connect in.

I have the SSL certificate, as a text file, along with a matching private key and intermediate certificate bundle.

I have tried going to Device > Certificates > Add Certificate, selected the relevant FTD, then added a "Cert enrollment", however I see no way to supply the certificate, private key and intermediate bundle.

Is there something I am missing here?  

5 people had this problem
Labels:
0 Helpful
8 Replies 8

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-19-2017 07:45 AM

Click the plus sign to add a new certificate and make it "manual" type. That will divert you to the object management where you can paste in the plain text certificate chain.

 

You can also add them as separate device and chain objects under Objects > Object Management > PKI. If you do it that way in advance, you should then have the device certificate already available to you on the drop down menu in the RA VPN setup wizard.

0 Helpful

itsupport
Level 1
Level 1
In response to Marvin Rhoads

‎09-20-2017 07:09 PM

Yeah found that, but:

1. The certificate also has an associated private key, and an intermediate certificate. Pretty sure they too will be required, but I can see no place to input them.

2. There are other screens there requesting Certificate parameters, and key length and size. Isn't this information entered when the certificate is generated, part of the CSR, and embedded in the certificate itself?

3. When I go to Devices>Certificates>Add New Certificate and attempt to add the certificate based on the earlier enrollment, after a delay, i get the following error: "Failed to complete certificate enrollment : quit : [info] : INFO: Certificate has the following attributes: Fingerprint: b9ffb1cf b90b9645 6b0b2807 0252f510 Trustpoint 't2' is a subordinate CA and holds a non self-signed certificate. Error: Certificate doesn't have the Basic Constraints CA flag set. Configure 'no ca-check' command in the trust point configuration to use this certificate. % Error in saving certificate: status = FAIL"  

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to itsupport

‎09-20-2017 07:29 PM - edited ‎09-20-2017 07:30 PM

If you click on the "?" icon when adding a certificate enrollment (Under Objects > Object Management > PKI > Cert Enrrollment), you can see that the sort of case you are describing would call for using a PKCS#12 file (as shown below). When you do that type of enrollment, optional tasks 4-6 below are not required.

 

A PKCS12 file will include all the necessary bits in a self-contained encrypted file that includes the individual base-64 encoded files (private key, server certificate and any intermediate certificates). See https://en.wikipedia.org/wiki/PKCS_12

 

Adding Certificate Enrollment Objects

 

Smart License

Classic License

Supported Devices

Supported Domains

Access

Export- Compliance

 N/A

Firepower Threat Defense

Any

Admin/Network Admin
 
Procedure
Step 1   Open the Add Cert Enrollment dialog:
  • Directly from Object Management: In the Objects > Object Management screen, choose PKI > Cert Enrollment from the navigation pane, and press Add Cert Enrollment.
  • While configuring a managed device: In the Devices > Certificatesscreen, choose Add > Add New Certificate and click (+) for the Certificate Enrollment field.
Step 2   Enter the Name, and optionally, a Description of this enrollment object.

When enrollment is complete, this name is the name of the trustpoint on the managed devices with which it is associated.
Step 3   Open the CA Information tab and choose the Enrollment Type.

  • Self-Signed Certificate—The managed device, acting as a CA, generates its own self-signed root certificate. No other information is needed in this pane.

    Note   

    When enrolling a self-signed certificate you must specify the Common Name (CN) in the certificate parameters.

  • SCEP—(Default) Simple Certificate Enrollment Protocol. Specify the SCEP information. See Certificate Enrollment Object SCEP Options.
  • Manual—Paste an obtained CA certificate in the CA Certificate field. You can obtain a CA certificate by copying it from another device.
  • PKCS12 File—Import a PKCS12 file on a Firepower Threat Defense managed device that supports VPN connectivity. A PKCS#12, or PFX, file holds a server certificate, intermediate certificates, and a private key in one encrypted file.
Step 4   (Optional) Open the Certificate Parameters tab and specify the certificate contents. See Certificate Enrollment Object Certificate Parameters.

This information is placed in the certificate and is readable by any party who receives the certificate from the router.
Step 5   (Optional) Open the Key tab and specify the Key information. See Certificate Enrollment Object Key Options.
Step 6   (Optional) Click the Revocation tab, and specify the revocation options: See Certificate Enrollment Object Revocation Options.
Step 7   Allow Overrides of this object if desired. See Object Overrides for a full description of object overrides.

CSCO12233954
Level 1
Level 1

‎04-10-2018 04:26 PM

Hi I have the same Issue when I tried to add the certificate.

I attach the image about the issue, please tell me where put the comand no ca-check

 

 

Preview file
142 KB

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to CSCO12233954

‎04-10-2018 09:26 PM

Is the certificate you are trying to install from an internal CA?

 

From the error message it appears you may be trying to install a certificate from a subordinate CA and you don't have the root CA as a trusted CA already.

 

If that's the case, try first adding the root and subordinate CA certificates to your FMC. That way when it analyzes a certificate issued by the subordinate CA it will see a valid chain of trust back to the trusted root CA.

james.king14
Level 1
Level 1
In response to Marvin Rhoads

‎08-24-2018 07:15 AM

Having same issues with my cert.  I don't know the reason for my errors.  Not too much on the fingerprint error, really could use some guides or other document.

Preview file
108 KB
0 Helpful

Peter Koltl
Level 7
Level 7
In response to CSCO12233954

‎09-17-2021 08:35 AM

Self-signed (non-CA) certificates do not have the basic constraints CA flag but FTD requires that for the trustpoint.
Back in ASA it was possible to add no 'ca-check' to the trustpoint before adding the self signed certificate. Currently I also would like to know how to work around that in FTD/FMC.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Peter Koltl

‎09-19-2021 04:56 AM

It's a current limitation. This bug confirms it for FDM (same applies for FMC):

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu95526

Ask your local Cisco SE to add your need for this feature via a Firestarter request. They seem to not care so much about this since the Cisco-preferred and supported MFA solution (Duo) doesn't have the limitation in the certificates it uses.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents