Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3689
Views
5
Helpful
6
Replies

changing the ssl certificate for anyconnect vpn

Go to solution
kapydan88
Level 4
Level 4

‎09-03-2020 05:33 AM

Hello for everybpdy.

 

We are going to change old ssl certificate on firepower 1140 by new ssl certificate. If i understood correclty, for this action i need delete current certificate from current anyconnect connection

ssl_1.JPG

 

Delete it from pki certificate

ssl_2.JPG

 

After that, i need to add a new ssl certificate with the same name and link it to the appropriate interface in the anyconnect profile.

 

ssl_1.JPG

 

Is this procedure correct, or ssl certificate need to be changed other way?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-03-2020 06:17 AM

Yes, once you've completed the process to import the new certificate, the certificate should state "available".

Deploy the policy to the FTD, confirm the new certificate is working correctly, at this point you can safely delete the old certificate trustpoint.

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎09-03-2020 05:39 AM

Hi,

You don't need to delete the old certificate first. You can create the new trustpoint, authenticate and enrol. You would then just then select the new identity certificate from the drop-down list and deploy the policy. Once you've confirmed the new certificate is working you can then remove the old trustpoint.

 

HTH

0 Helpful

Go to solution
kapydan88
Level 4
Level 4
In response to Rob Ingram

‎09-03-2020 05:51 AM

But if old and new ssl certificate should have the same name, is it possible to realize your way?

for example, current  (old) certificate vpn.contoso.com

new certificate also should be vpn.contoso.com

Can i create two certificate with the same name?

ssl_2.JPG

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎09-03-2020 05:53 AM

Well no not if you want to use the same name. Obviously in that scenario you would have to delete the old certificate, but then you cannot revert to the old certificate if there was an issue. The trustpoint name does not necessarily need to match the name of the certificates fqdn.

0 Helpful

Go to solution
kapydan88
Level 4
Level 4
In response to Rob Ingram

‎09-03-2020 06:11 AM

I add new ssl like vpn1.contoso.com.

 

ssl_3.JPG

 

And now i can try it like vpn1.contoso.com

ssl_4.JPG

If everything will be fine with the new ssl certificate, i can delete the old ssl. Is this correct?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎09-03-2020 06:17 AM

Yes, once you've completed the process to import the new certificate, the certificate should state "available".

Deploy the policy to the FTD, confirm the new certificate is working correctly, at this point you can safely delete the old certificate trustpoint.

Go to solution
kapydan88
Level 4
Level 4
In response to Rob Ingram

‎09-03-2020 06:27 AM

It works.

 

 

0 Helpful
Customers Also Viewed These Support Documents