05-07-2020 04:14 PM
Hi Experts,
I have an FMC managing 2 sensors in HA which are providing RA-VPN services. At the moment we are using a self-signed certificate and it is working very well. However, we generated a CSR from OpenSSL and got it signed by a public CA; we already have the CA intermediate certificate, root certificate and identity certificate. But our certificate has 2 subject alternative names assigned. I tried multiple ways to get this certificate uploaded into my FMC for the VPN web server.
Below are the steps I followed.
Certificate Enrollment ==> Manual ==> Pasted the intermediate CA certificate; note I did not configure any certificate parameters.
Devices ==> Certificates ==> Add new Certificate ==> Selected the previously created CA enrollment profile
Next I tried importing the identity certificate. I was prompted to upload the identity certificate with a CSR; for the CSR I removed the generated one, pasted the CSR which I created using OpenSSL, and then uploaded the identity certificate.
But again I was prompted to import the identity certificate. Can you guys advise me where I went wrong?
05-07-2020 04:51 PM - edited 05-07-2020 05:04 PM
I had a very similar issue a few days ago, like yours. I created a CSR from openssl and got it signed by a public CA. My outcome was the same as yours. In the end I took a different approach and it fixed my issue.
Below are the steps I followed.
Certificate Enrollment ==> Manual ==> Pasted the Root CA certificate (I did not paste the sub-CA, only the root CA), filled in the certificate parameters, for example custom FQDN abc.com, device IP address x.x.x.x, OU, country US, etc.
Devices ==> Certificates ==> Add new Certificate ==> Selected the previously created CA enrollment profile
Next I tried importing the identity certificate. I was prompted to upload the identity certificate with a CSR; I copied and pasted that CSR to the public CA. Once my CSR was accepted, a few hours later I got my cert bundle from the certificate authority; I downloaded the cert bundle and uploaded the identity certificate. The identity cert was accepted.
Hope this will help you. As I said, I had the same issues you are having.
Here in detail is what you need to do.
Instead of using openssl, use the Manual enrolment method via the WebUI.
Navigate to Objects > Object Management > PKI > Cert Enrollment
Click Add Cert Enrollment
Define name as VPN_Cert
Select Enrollment Type as Manual
Paste the Public CA certificate chain in the CA Certificate field
Click the Certificate Parameters tab and complete the certificate parameters for the identity certificate
Click Save
Navigate to Devices > Certificates
Click Add
From the Device drop-down list select FTD
From the Cert Enrollment drop-down list select VPN_Cert
Click Add
Click the ID button
Click Yes when prompted to generate a Certificate Signing Request
Copy the contents of the CSR and send to Public CA to sign the certificate
Once the certificate has been signed by Public CA return to the Import Identity Certificate wizard
Click Browse Identity Certificate and select the identity certificate signed by Public CA
Click Import
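The FMC accepts an identity certificate only when its public key matches the private key behind the CSR the FMC itself holds, so a certificate issued against an externally generated OpenSSL CSR is rejected once the FMC has generated its own. The following is an added example, not code from the thread or from Cisco, that uses OpenSSL to check a signed certificate against a key, a CSR and the CA chain before you attempt the upload; it assumes a constructed local root CA and the constructed hostnames vpn.example.com and ra.example.com.

```shell
#!/bin/sh
# Added example, not from the thread: check an identity certificate against the
# key, CSR and CA chain before uploading it to the FMC. All material here is
# constructed locally (demo CA, demo hostnames); point the helpers at real files.
set -eu
WORK=$(mktemp -d)

# Constructed root CA standing in for the public CA (assumption).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -days 1 -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Constructed device key and CSR carrying two SANs, as in the original post.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=vpn.example.com" \
  -addext "subjectAltName=DNS:vpn.example.com,DNS:ra.example.com" \
  -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null

# The CA signs the CSR; the SANs are supplied via an extension file so they
# end up in the certificate (a CSR's extensions are not copied by default).
printf 'subjectAltName=DNS:vpn.example.com,DNS:ra.example.com\n' > "$WORK/san.ext"
openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/device.crt" 2>/dev/null

# An unrelated key: what the FMC holds when it generated its own CSR.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
  -out "$WORK/other.key" 2>/dev/null

# SHA-256 of the SubjectPublicKeyInfo held in a key, CSR or certificate.
pub_fp() { # $1 = key|csr|cert, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
    csr)  openssl req  -in "$2" -pubkey -noout ;;
    cert) openssl x509 -in "$2" -pubkey -noout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}
# True when the certificate was issued for this private key.
cert_matches_key() { [ "$(pub_fp cert "$1")" = "$(pub_fp key "$2")" ]; }
# True when the certificate was issued for this CSR.
cert_matches_csr() { [ "$(pub_fp cert "$1")" = "$(pub_fp csr "$2")" ]; }
# True when the certificate chains to the CA bundle you will paste into the FMC.
cert_chains_to()   { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# SAN entries of the certificate, one per line.
cert_sans() { openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*'; }

# Run the checks against the demo material.
cert_matches_key "$WORK/device.crt" "$WORK/device.key" && echo "device key: match"
cert_matches_key "$WORK/device.crt" "$WORK/other.key" || echo "other key: MISMATCH (FMC-generated CSR case)"
cert_chains_to "$WORK/device.crt" "$WORK/ca.crt" && echo "chain: ok"
cert_sans "$WORK/device.crt"
```

The mismatch line is the situation in the original post: the FMC holds a key of its own, so a certificate issued for an OpenSSL-generated key can never be imported against it.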
05-07-2020 05:09 PM
@Sheraz.Salim Thanks for the inputs