FMC - Certificate for RA VPN

Arshad Safrulla
VIP Alumni

Hi Experts,

I have an FMC managing 2 sensors in HA which are providing RA-VPN services. At the moment we are using a self-signed certificate and it is working very well. However, we generated a CSR from OpenSSL and got it signed by a public CA; we already have the CA intermediate certificate, root certificate and identity certificate. But our certificate has 2 subject alternative names assigned. I tried multiple ways to get this certificate uploaded into my FMC for the VPN web server.

Below are the steps I followed.

Certificate Enrollment ==> Manual ==> Pasted the intermediate CA certificate (note: I did not configure any certificate parameters).

Devices ==> Certificates ==> Add new Certificate ==> Selected previously created CA enrollment profile

Next I tried importing the identity certificate. I was prompted to upload the identity certificate with a CSR; for the CSR, I removed it and pasted the CSR which I created using OpenSSL, and then uploaded the identity certificate.

But again I was prompted to import the identity certificate. Can you guys advise me where I went wrong?

 

1 Accepted Solution


I had a very similar issue in the past few days like yours. I created a CSR from OpenSSL and got it signed by a public certificate authority. My outcome was the same as yours. In the end I took a different approach and it fixed my issue.

Below are the steps I followed.

Certificate Enrollment ==> Manual ==> Pasted the root CA certificate (I did not paste the sub-CA, only the root CA), filled up the certificate parameters, for example custom FQDN abc.com, device IP address x.x.x.x, OU, country US, etc.

Devices ==> Certificates ==> Add new Certificate ==> Selected the previously created CA enrollment profile

Next I tried importing the identity certificate. I was prompted to upload the identity certificate with a CSR; for that CSR I copied and pasted the CSR to the public CA. Once my CSR was accepted, a few hours later I got my cert bundle from the certificate authority. I downloaded the cert bundle and uploaded the identity certificate. The identity cert was accepted.

Hope this will help you. As I said, I had the same issues as the one you are having.

Here in detail is what you need to do.

Instead of using OpenSSL, use the Manual enrollment method via the WebUI.

 

1. Navigate to Objects > Object Management > PKI > Cert Enrollment.
2. Click Add Cert Enrollment.
3. Define the name as VPN_Cert.
4. Select Enrollment Type as Manual.
5. Paste the public CA certificate chain in the CA Certificate field.
6. Click the Certificate Parameters tab and complete the certificate parameters for the identity certificate.
7. Click Save.
8. Navigate to Devices > Certificates.
9. Click Add.
10. From the Device drop-down list select the FTD.
11. From the Cert Enrollment drop-down list select VPN_Cert.
12. Click Add.
13. Click the ID button.
14. Click Yes when prompted to generate a Certificate Signing Request.
15. Copy the contents of the CSR and send it to the public CA to sign the certificate.
16. Once the certificate has been signed by the public CA, return to the Import Identity Certificate wizard.
17. Click Browse Identity Certificate and select the identity certificate signed by the public CA.
18. Click Import.

Please do not forget to rate.
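Worked check to go with the accepted solution (an added example, not posted by anyone in this thread): in PKI terms an identity certificate is only usable by whoever holds the private key the CSR was built from, so a certificate issued for a CSR made on a workstation with OpenSSL cannot serve a key pair the FTD generated, which is why the accepted solution has the device produce the CSR. The script below assumes only the openssl command line (1.1.1 or later). It builds a throw-away root, intermediate and identity certificate with two DNS SANs (constructed names under example.com, not real hosts), then runs the three checks worth doing before the Import step: that the signed certificate's public key matches the CSR you sent, that the CA actually put both SANs into the issued certificate, and that the certificate chains to the root through the intermediate you pasted into the enrollment object.

```shell
#!/bin/sh
# Added example, not part of the thread: pre-import checks for an RA-VPN identity
# certificate. Assumes only the openssl CLI (1.1.1 or later) is on PATH.
# Everything below is built from scratch in a temporary directory; the host
# names are constructed placeholders, not real infrastructure.
set -eu

# 0 if the certificate carries exactly the public key found in the CSR, i.e. it
# was issued for the key pair that produced that CSR (the one the device holds).
cert_matches_csr() {   # $1 = identity cert (PEM), $2 = CSR (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    csr_pub=$(openssl req -in "$2" -noout -pubkey)
    [ "$cert_pub" = "$csr_pub" ]
}

# Print the DNS subject alternative names of a certificate, one per line.
cert_dns_sans() {      # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# 0 if the given DNS name is among the certificate's SANs.
san_present() {        # $1 = certificate (PEM), $2 = DNS name
    cert_dns_sans "$1" | grep -qx "$2"
}

# 0 if the identity cert chains to the root through the intermediate, which is
# what a VPN client has to be able to do with the chain the device presents.
chain_verifies() {     # $1 = root CA, $2 = intermediate CA, $3 = identity cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a throw-away PKI: root -> intermediate -> identity cert with two SANs,
# plus a second key pair/CSR that stands in for a CSR generated elsewhere.
make_demo_pki() {      # $1 = directory, $2 and $3 = DNS SANs for the identity cert
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:%s,DNS:%s\n' "$2" "$3" > "$d/san.ext"
    # Root CA: self-signed.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    # "Device" key pair and CSR: stands in for the CSR the FTD generates itself.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/device.key" -out "$d/device.csr" \
        -subj "/CN=$2" 2>/dev/null
    # Unrelated key pair and CSR: stands in for a CSR made on a workstation.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.csr" \
        -subj "/CN=$2" 2>/dev/null
    # Identity certificate issued by the intermediate for the device CSR, both SANs added.
    openssl x509 -req -in "$d/device.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 2 -days 1 -extfile "$d/san.ext" -out "$d/id.pem" 2>/dev/null
}

# Walk through the checks on the constructed material and say what each means.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d" vpn.example.com vpn2.example.com
    if cert_matches_csr "$d/id.pem" "$d/device.csr"; then
        echo "OK: id.pem was issued for the key behind device.csr, import can succeed"
    fi
    if ! cert_matches_csr "$d/id.pem" "$d/other.csr"; then
        echo "MISMATCH: id.pem does not belong to the key behind other.csr, the device cannot use it"
    fi
    echo "DNS SANs in id.pem:"; cert_dns_sans "$d/id.pem" | sed 's/^/  /'
    if chain_verifies "$d/root.pem" "$d/inter.pem" "$d/id.pem"; then
        echo "OK: id.pem chains to root.pem via inter.pem"
    fi
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found, nothing checked" >&2; fi
```

For a real import, point cert_matches_csr at the CSR you copied out of the Import Identity Certificate wizard and the certificate file the CA returned, san_present at each VPN host name your clients will connect to, and chain_verifies at the root and intermediate you pasted into the enrollment object. A mismatch from the first check is the situation the thread describes: the certificate is valid, but it belongs to a key the device does not have.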

2 Replies

@Sheraz.Salim Thanks for the inputs
