07-02-2022 07:36 AM
Hi community members,
I need help here. We are using an FTD 4125 physical appliance and have configured SSL VPN with a self-signed cert. Whenever users try to connect with AnyConnect, the application prompts a warning that this is not a trusted CA.
I do not want to purchase a certificate from a global CA. I would like to export the self-signed cert and install it on users' computers, but I do not see any option to download the self-signed cert in FMC.
Is there any method to export this self-signed cert?
07-05-2022 01:30 AM
Did you add the firewall FQDN that you are using to connect to the VPN in the certificate as a CN or a SAN value? Also, if you want to use the IP, then you should add the IP address as a SAN in the certificate as well.
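Added example, not from this thread or from Cisco: a small Python check of the rule in this answer, run over two constructed certificate descriptions in the shape that Python's ssl.getpeercert() returns (the hostnames and IP are placeholders). It explains why a client would report "certificate does not match the server name" for a given FQDN or IP.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a self-signed cert whose CN is just a device name and which has no SAN.
CERT_NO_SAN = {
    "subject": ((("commonName", "ftd4125"),),),
}

# Constructed sample of what the answer asks for: the VPN FQDN as CN and
# DNS SAN, plus the outside IP as an "IP Address" SAN.
CERT_WITH_SAN = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.5")),
}

def _dns_match(pattern, hostname):
    """Case-insensitive DNS-name match; only a single leftmost '*.' wildcard is honoured."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname

def explain_mismatch(cert, server):
    """Return None if `server` (FQDN or IP literal) matches the cert, else a reason string."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against IP Address SANs, never the CN.
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return None
        return f"{server} is not listed as an IP Address SAN (found: {ip_names or 'none'})"
    if any(_dns_match(d, server) for d in dns_names):
        return None
    if dns_names:
        # When DNS SANs are present, clients ignore the CN entirely.
        return f"{server} not in DNS SANs {dns_names}; CN is ignored when DNS SANs exist"
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(c, server) for c in cn):
        return None
    return f"no SAN present, and CN {cn} does not match {server}"

if __name__ == "__main__":
    for cert, name in [(CERT_NO_SAN, "vpn.example.com"), (CERT_WITH_SAN, "203.0.113.5")]:
        print(name, "->", explain_mismatch(cert, name) or "matches")
```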
07-02-2022 08:24 AM
07-02-2022 09:29 AM
Hi MHM,
I have gone through the document that you shared; it belongs to the RV34x series. I am already using the self-signed cert, but I want to know how to download it from FMC using the GUI or from FTD using the CLI.
07-02-2022 09:33 AM
07-02-2022 10:52 AM
If you have already generated the self-signed cert and you need to export it to the other clients, what you can do is go to FMC --> Devices --> Certificates.
Here you will see your certificate, and you can export it.
07-02-2022 01:20 PM
As Sheraz.Salim points out, you can download the certificate in FMC via the same page you generate and manage the self-signed certificate (Devices->Certificates).
You can also always just download the certificate by browsing to the VPN headend url/ip address from the outside, view the certificate in your browser, and save it to a file.
I would also like to point out that if you're using Active Directory to manage the computers, it would be fairly easy to set up an internal CA (if you don't already have one) and use it to sign/generate a certificate for your SSL VPN setup. That way you have all the proper tools built in to distribute the root CA so the computers trust the SSL VPN certificate without manually distributing the SSL VPN certificate itself to all the clients.
(As a side note, in my experience it's easiest just to use a publicly signed certificate; you can get them pretty cheap.)
07-04-2022 08:59 PM
Hi,
I have downloaded the cert using the browser and installed it in the browser, but I am still getting a cert warning.
AnyConnect is showing an error like: "AnyConnect cannot verify server: x.y.z.x. Certificate does not match the server name."
A screenshot is attached for reference.
07-04-2022 09:01 PM
Hi, I am facing the below error after the self-signed cert is stored in the trust authority.