FTD VPN Self-Signed Cert download

Vishnu_RR
Level 1

Hi community members,

I need help here. We are using an FTD 4125 physical appliance and have configured SSL VPN with a self-signed cert. Whenever users try to connect with AnyConnect, the application prompts a warning that this is not a trusted CA.

I do not want to purchase a global CA certificate. I would like to export the self-signed cert and install it on users' computers. But I do not see any option to download the self-signed cert in FMC.

Is there any method to export this self-signed cert?

1 Accepted Solution

Did you add the firewall FQDN that you are using to connect to the VPN to the certificate as a CN or a SAN value? Also, if you want to use the IP, then you should add the IP address as a SAN in the certificate as well.

8 Replies

Hi MHM,

I have gone through the document that you shared; it belongs to the RV34x series. I am already using the self-signed cert. But I want to know how to download it from FMC using the GUI or from FTD using the CLI.

If you have already generated the self-signed cert and need to export it to other clients, what you can do is go to FMC --> Devices --> Certificates.

Here you will see your certificate, and you can export it. (Screenshot: certexport.PNG)

Please do not forget to rate.

As Sheraz.Salim points out, you can download the certificate in FMC via the same page you generate and manage the self-signed certificate (Devices->Certificates).

You can also always just download the certificate by browsing to the VPN headend URL or IP address from the outside, viewing the certificate in your browser, and saving it to a file.

 

I would also like to point out that if you're using Active Directory to manage the computers, it would be fairly easy to set up an internal CA (if you don't already have one) and use it to sign/generate a certificate for your ssl-vpn setup. That way you have all the proper tools built in to distribute the root ca so the computers trust the ssl-vpn certificate without manually distributing the sslvpn certificate itself to all the clients.

 

(As a side note, in my experience it's easiest just to use a publicly signed certificate, you can get them pretty cheap.)

 

Vishnu_RR
Level 1

Hi,

I have downloaded the cert using the browser. I installed the cert in the browser, but I am still getting a cert warning.

AnyConnect shows an error like: "AnyConnect cannot verify server: x.y.z.x certificate does not match the server name."

Screenshot is attached for reference.

Hi, I am facing the below error after the self-signed cert is stored in the trust authority.

(Screenshot: anyconnect cert warning.PNG)
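The error in the screenshot above is a hostname-mismatch failure, not a trust-chain failure: installing the certificate in the trust store only settles the "untrusted CA" prompt, while the client separately checks that the name it connected to (FQDN or IP literal) appears in the certificate's Subject Alternative Name extension, falling back to the CN only when no SAN extension is present. The script below is an added example, not Cisco's or any poster's code. It fetches a headend's certificate the same way the browser-download approach does (`ssl.get_server_certificate`, which only runs when the file is executed as a script) and checks a certificate against a connection target, using constructed sample certificates in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The names `vpn.example.com` and `ftd-4125` and the address `203.0.113.10` are made-up sample values.

```python
import ipaddress
import ssl
from typing import Dict, List, Tuple


def fetch_peer_cert_pem(host: str, port: int = 443) -> str:
    """Download the headend's leaf certificate as PEM without validating it.

    Equivalent to saving the certificate from the browser; the PEM text can then
    be imported into a client trust store.  Performs a network connection.
    """
    return ssl.get_server_certificate((host, port))


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS matching: exact match, or a wildcard only as the whole
    left-most label (so *.example.com matches vpn.example.com but not a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches(cert: Dict, target: str) -> Tuple[bool, str]:
    """Decide whether `target` (the host the client typed) is covered by `cert`.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert().  Returns
    (matched, reason) so the reason can be shown to whoever issues the cert.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    # An IP literal is only ever matched against IP Address SANs, never the CN.
    if ip is not None:
        ip_sans: List[str] = [v for k, v in san if k == "IP Address"]
        for v in ip_sans:
            if ipaddress.ip_address(v) == ip:
                return True, f"IP {target} matches SAN IP Address {v}"
        return False, (f"connected by IP {target} but certificate has no matching "
                       f"IP Address SAN (present: {ip_sans or 'none'})")

    # When DNS SANs exist they are authoritative; the CN is not consulted at all.
    dns_sans: List[str] = [v for k, v in san if k == "DNS"]
    if dns_sans:
        for v in dns_sans:
            if _dns_name_match(v, target):
                return True, f"{target} matches SAN DNS {v}"
        return False, f"{target} not in SAN DNS names {dns_sans}; CN is ignored when SANs are present"

    # Legacy fallback: no SAN extension, so compare against the subject CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if _dns_name_match(cn, target):
            return True, f"{target} matches CN {cn} (no SAN extension present)"
    return False, f"{target} matches neither SAN entries nor CN {cns}"


# Constructed sample certificates (not real devices).  The first resembles a
# self-signed cert generated with only the device name as CN; the second carries
# the FQDN and the public IP as SANs, as the accepted solution recommends.
CERT_CN_ONLY = {"subject": ((("commonName", "ftd-4125"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}


def report(cert: Dict, targets: List[str]) -> List[str]:
    """Format one verdict line per connection target."""
    return [f"{t}: {'OK' if ok else 'MISMATCH'} ({why})"
            for t, (ok, why) in ((t, certificate_matches(cert, t)) for t in targets)]


if __name__ == "__main__":
    for line in report(CERT_CN_ONLY, ["ftd-4125", "vpn.example.com", "203.0.113.10"]):
        print("CN-only cert  ", line)
    for line in report(CERT_WITH_SAN, ["vpn.example.com", "203.0.113.10", "203.0.113.11"]):
        print("SAN cert      ", line)
    # Uncomment to pull a live headend's PEM the way the browser approach does:
    # print(fetch_peer_cert_pem("vpn.example.com"))
```

Run it to see that the CN-only certificate is only accepted when the client types exactly `ftd-4125`, which is why the warning persists after the cert is trusted; regenerating the certificate with the FQDN and IP as SANs clears both cases.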

