Trusted SSL certificate on VPN Remote Access

I have VPN Remote Access setup and working on our Firepower 4110, version 6.2.3.3, but I am now trying to install an SSL certificate for this Remote Access setup so that my users do not get SSL errors when trying to connect and use the AnyConnect client software. I have generated a CSR and submitted that to my CA for a cert, but cannot find how to get this properly imported into the Firepower and assigned to the VPN Remote Access interface.

Does anyone have step-by-step setup instructions for this process? I have tried creating certificates in Objects > PKI > Cert Enrollment using the "manual" process, but those don't seem to be available to assign to the Remote Access interface.

I have also tried "adding" the CA-generated (GoDaddy) certificate in Devices > Certificates, but the certificate shows a "failed to configure CA certificate" error with a red X by the CA icon.

Any help would be appreciated.

Gary Nickerson

1 ACCEPTED SOLUTION

RJI (VIP Advisor)

Re: Trusted SSL certificate on VPN Remote Access

Hi,

You'll need to import the certificate as a PKCS12 enrollment type.

Here is an example; see the certificate import section.

HTH

2 REPLIES

Hall of Fame Guru

Re: Trusted SSL certificate on VPN Remote Access

@RJI mentioned the PKCS12 method. That's best when using a public CA.

I've been drafting a process for the manual method. It's a work in progress, but here's what I have so far:

Reference document:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html#anc6

Objects > PKI > Cert Enrollment

Add Cert Enrollment.

Choose a locally significant name for it (no spaces).

Enrollment Type: Manual.

You will need to paste in the certificate of your issuing CA.

Fill out the certificate parameters; be sure to include the FQDN by using the "Custom FQDN" option with the actual FQDN.

Save the object.

Devices > Certificates

Choose the device and assign the new object to it. This creates a Trustpoint on the object (pending deployment). It should be annotated "Identity certificate import required".

Click the "Import Identity Certificate" icon to the right that looks like a page with an arrow on the top right of it ("re-enroll certificate" is the tooltip). That will generate the CSR and open a window with the CSR and a place to import the signed certificate.

Send the CSR to your CA.

Retrieve the signed certificate as Base64-encoded. Import that certificate file in the "Step 2" section of "Import Identity Certificate".

Click Import.

You should now see both the CA and ID (Identity) icons in the Status column. You can inspect both to verify they are as expected.

Devices > VPN > Remote Access

Either create a new VPN profile or modify an existing one.

If creating a new one, you will be prompted to choose the certificate.

If modifying an existing one, choose the Access Interfaces tab and select the new SSL Global Identity Certificate from the dropdown menu.

Save and Deploy.

Make sure your FQDN is published in your DNS and resolving (you can use a local hosts file for testing purposes).

Browse to the FQDN via HTTPS (or enter the device FQDN directly in the AnyConnect VPN tile user interface).
