cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1760
Views
5
Helpful
6
Replies

changing the ssl certificate for anyconnect vpn

kapydan88
Enthusiast
Enthusiast

Hello for everybpdy.

 

We are going to change old ssl certificate on firepower 1140 by new ssl certificate. If i understood correclty, for this action i need delete current certificate from current anyconnect connection

ssl_1.JPG

 

Delete it from pki certificate

ssl_2.JPG

 

After that, i need to add a new ssl certificate with the same name and link it to the appropriate interface in the anyconnect profile.

 

ssl_1.JPG

 

Is this procedure correct, or ssl certificate need to be changed other way?

1 Accepted Solution

Accepted Solutions

Rob Ingram
VIP Expert VIP Expert
VIP Expert

Yes, once you've completed the process to import the new certificate, the certificate should state "available".

Deploy the policy to the FTD, confirm the new certificate is working correctly, at this point you can safely delete the old certificate trustpoint.

View solution in original post

6 Replies 6

Rob Ingram
VIP Expert VIP Expert
VIP Expert

Hi,

You don't need to delete the old certificate first. You can create the new trustpoint, authenticate and enrol. You would then just then select the new identity certificate from the drop-down list and deploy the policy. Once you've confirmed the new certificate is working you can then remove the old trustpoint.

 

HTH

But if old and new ssl certificate should have the same name, is it possible to realize your way?

for example, current  (old) certificate vpn.contoso.com

new certificate also should be vpn.contoso.com

Can i create two certificate with the same name?

ssl_2.JPG

Rob Ingram
VIP Expert VIP Expert
VIP Expert

Well no not if you want to use the same name. Obviously in that scenario you would have to delete the old certificate, but then you cannot revert to the old certificate if there was an issue. The trustpoint name does not necessarily need to match the name of the certificates fqdn.

I add new ssl like vpn1.contoso.com.

 

ssl_3.JPG

 

And now i can try it like vpn1.contoso.com

ssl_4.JPG

If everything will be fine with the new ssl certificate, i can delete the old ssl. Is this correct?

Rob Ingram
VIP Expert VIP Expert
VIP Expert

Yes, once you've completed the process to import the new certificate, the certificate should state "available".

Deploy the policy to the FTD, confirm the new certificate is working correctly, at this point you can safely delete the old certificate trustpoint.

It works.

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers