AnyConnect - changing VPN CA

AigarsK
Level 1

Hi All,

I am seeking guidance on the process of changing the CA.

We currently use Firepower firewalls at HQ managed by FMC. It is configured for Remote Access and has been uploaded with both an AnyConnect Client Image and an AnyConnect VPN Profile.

The same Cisco AnyConnect VPN Profile has been pre-deployed on all client machines using SCCM during their initial build and is used for AnyConnect client updates.

I have been tasked to update the settings on the Firepower firewall to use the new internal CA server (when I say new, it refers to a new Root CA altogether). Looking at the AnyConnect VPN Profile XML file, I see that under Certificate Matching an entry has been provided to match ISSUER-CN against the old CA, which is the one currently used to sign the certificate installed on the Firepower firewall.

I have been trying to add the new CA server ISSUER-CN along with the old one, manually placed the file on a client machine, restarted the vpnagent service and was met with the message "Certificate Validation Failure".

This leads me to believe that Certificate Matching does not operate with an "OR" statement but more with an "AND", in case you have many certificates present on a machine, in order to pinpoint the one you want to use for validation (correct me if I am wrong here).

So the question stands: what would be the process to replace the CA on the Firepower firewall and update clients to be able to validate against this new CA?

I would appreciate collective input on this or any link to material discussing this procedure.

3 Replies

M02@rt37
VIP

Hello @AigarsK 

Here is a high-level (macro) overview of the process [Replacing the CA on a Firepower firewall]:

1-- First, generate new root CA and intermediate CA certificates using your new CA server.

2-- Next, install the new certificates on the Firepower firewall. You can do this by navigating to System > Certificates > CA Certificates in the FMC and clicking "Add". Upload the new root CA and intermediate CA certificates here.

3-- You will need to replace the existing SSL/TLS certificate on the Firepower firewall with a new certificate signed by the new intermediate CA certificate. You can do this by navigating to System > Certificates > Identity Certificates in the FMC and clicking "Add", then uploading the new SSL/TLS certificate.

4-- In the AnyConnect VPN Profile XML file, update the Certificate Matching entry to include both the old and the new ISSUER-CN. This should allow clients to validate against either certificate.

5-- Distribute the updated AnyConnect VPN Profile XML file to all clients that use AnyConnect VPN. You can do this using your SCCM or any other software deployment tool.

6-- Once the new VPN Profile XML file has been distributed to clients, test the new configuration to ensure that clients are able to connect to the VPN successfully and that certificate validation is working correctly.

---There may be additional steps depending on your specific environment/configuration---

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
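As an added illustration (this is not code from the thread, from Cisco, or from the AnyConnect profile itself), the POSIX shell script below rehearses the transition the steps above describe with throwaway certificates: it builds an old and a new root CA, issues a headend certificate from each, and then runs the two checks worth doing on the headend certificate before and after the cutover: an explicit "either issuer" check on ISSUER-CN, and chain validation against a trust bundle that holds both roots. It also reproduces the failure mode from the question, a trust store containing only the old root rejecting the new chain. The CA names, the hostname vpn.example.internal and the file names are all constructed for the example; the script needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: simulate an old-CA -> new-CA rotation and check what a
# headend certificate chains to. Every name below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA. $1 = file prefix, $2 = CN (constructed).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Headend (leaf) certificate signed by a given root. $1 = leaf prefix, $2 = CA prefix.
make_headend_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=vpn.example.internal" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Print only the issuer CN of a PEM certificate, i.e. the value an ISSUER-CN
# match is compared against. RFC2253 output puts CN first; the sed keeps
# just the CN value whatever else the issuer DN contains.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -e 's/.*CN=\([^,]*\).*/\1/'
}

# Return 0 if the issuer CN of $1 equals ANY of the names in $2..: the OR
# semantics the original poster was hoping to get from two ISSUER-CN entries.
issuer_cn_allowed() {
    cert=$1; shift
    actual=$(issuer_cn "$cert")
    for allowed in "$@"; do
        [ "$actual" = "$allowed" ] && return 0
    done
    return 1
}

# Return 0 if $1 chains to some CA in the bundle $2 (old+new concatenated
# during the transition window, only the new root once the old one is retired).
chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Scenario: old root, new root, a headend certificate issued by each, and a
# transition bundle that trusts both roots.
make_root_ca oldca "Old Internal Root CA"
make_root_ca newca "New Internal Root CA"
make_headend_cert vpn_old oldca
make_headend_cert vpn_new newca
cat "$WORK/oldca.pem" "$WORK/newca.pem" > "$WORK/transition-bundle.pem"

for leaf in vpn_old vpn_new; do
    printf '%s: issued by "%s"; ' "$leaf" "$(issuer_cn "$WORK/$leaf.pem")"
    if chains_to_bundle "$WORK/$leaf.pem" "$WORK/transition-bundle.pem"; then
        echo "validates against the old+new bundle"
    else
        echo "does NOT validate against the old+new bundle"
    fi
done

# The failure mode from the question: a trust store that still holds only
# the old root rejects a headend certificate issued by the new one.
if chains_to_bundle "$WORK/vpn_new.pem" "$WORK/oldca.pem"; then
    echo "new headend cert unexpectedly validated against the old root alone"
else
    echo "new headend cert rejected when only the old root is trusted"
fi
```

Run it as-is to see the two outcomes side by side; to check a real headend instead of the constructed one, save the certificate it presents (for example from `openssl s_client -connect <host>:443 -showcerts`) to a file and call `issuer_cn`, `issuer_cn_allowed` and `chains_to_bundle` on that file with your own CA bundle.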

Thanks for the reply.

This is what I was worried about, as this does look intrusive to the user experience. It is odd that having the user-side XML does not allow for trusting both certificates, as that would allow for file replacement without disruption and, once SCCM has done its thing, going about replacing the cert on the firewall.

Step 4 doesn't work as advertised. I have this exact issue and had already done what it looks like you recommend here, and I get a cert validation error. It seems to be doing an AND, not an OR.

Also, you shouldn't need to distribute the new XML to existing clients if you update the XML for their existing tunnel group(s) on the headends, since the client will pull down the one from the headend (if they don't match) and replace the one they have in the profile dir by the same name. At least that's how we do it, while also adding the updated XML to the gold disk OS image when we hit about 50% of users or so.