FMC Remote Access VPN Certificate enrollment

atsukane (Level 3)

Hi there,

Having trouble renewing SSL cert for RA VPN on FMC, both FMC and FTD are running 7.2.4. 

At this stage we just need to be able to browse or use AnyConnect client to access the FQDN without certificate error.

Renewing SSL cert was simple and straight forward job on ASA, and the existing SSL cert in use was exported from ASA so this is the first time we are doing this on FMC. 

I've read some threads and other people's blogs but so far no luck and unable to renew the RA VPN certificate.

I've pretty much followed the steps in the link below, but after importing the 3rd-party signed SSL cert, the CA cert was not available. (Under the CA Information tab, I selected enrollment type "Manual" and left the CA certificate field empty.)

Renew Cisco Firepower Remote Access VPN SSL Certificate - IT Networks

I then found a thread on Cisco Community suggesting an app called XCA: import the whole cert chain, then export it in PKCS#12 (.p12) format. However, since we don't have the private key, exporting a p12 is not an option, and exporting the private key from FMC is not available either.

So, I've removed the enrolled certs, then re-added a new certificate enrollment, this time adding the 3rd-party CA certificate, then generated a CSR, and had the SSL cert re-issued by Sectigo again.

However, this time I'm failing to import the ID cert.

Any suggestion or advice on how to achieve this is highly appreciated.

Many thanks,


11 Replies

Thanks @balaji.bandi 

The Manual Enrollment process seems to be similar and looks pretty much the same as what I'm doing, don't understand why it's failing.

Since the existing cert in use is in PKCS#12 format, I can't renew it and use OpenSSL or something similar.

Maybe it's time to learn how to use OpenSSL.

@atsukane it's straight forward using the manual enrollment method, you don't need to use OpenSSL on 7.2 version. I just add the CA certificate when generating the CSR, then once the identity certificate is signed import the certificate. You can add the CA certificate once the identity certificate is imported, you just need to enrol the trustpoint on the FTD.

Please provide screenshots of what trustpoints you have configured and any errors.

Thanks @Rob Ingram 

Here are screenshots of the trustpoints and error when importing the ID cert.

[Screenshots attached: atsukane_0-1703166167754.png, atsukane_1-1703166196420.png, atsukane_2-1703166323597.png]

@atsukane so is the identity certificate you are importing the signed certificate generated from the CSR of that trustpoint?

@Rob Ingram Yes, as I was in doubt I've double-checked that the CSR matches the one that's displayed when you hit the enrol button.

And the CA certificate in the trustpoint is the same 3rd party CA that we received the previous year.

@atsukane it sounds like something is incorrect. Create a new trustpoint and get the new CSR signed by the CA and import.

Thanks, will do and report back.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/217966-configure-anyconnect-certificate-based-a.html

Check this guide.

I will check your link later; until then, follow the guide I shared.

MHM

After further investigation and comparing the working CA in PKCS#12 format with the new non-working one, it turns out the working one is using the intermediate CA, whereas the new non-working one that is failing to import the ID cert is using the root CA.

So, I've re-generated the CSR from trustpoint using the intermediate CA and waiting for the ID cert to be re-issued.

I'll report back with the result.

Thanks,

Right, I'm pleased to report that using the intermediate CA in the trustpoint has resolved the issue. 

Thanks all!