05-01-2023 01:31 PM - edited 05-02-2023 08:59 AM
So I'm trying to upload a cert for RA-VPN on FMC. I have a CA authority signed cert already and it is asking for the Identity cert. I have all the certs that were issued. Do I still need to send the CSR to the Cert Authority for a new ID cert? Or is there another way to do this?
Thanks
05-03-2023 12:19 PM
@00u18jg7x27DHjRMh5d7 I know it has been a while since you posted this query. I was curious to know if you were able to solve this. If you still have any query on the same let me know, I will be happy to answer.
05-03-2023 12:39 PM
I have not been able to solve this issue. We created a PKCS12 cert that sees CA and ID but still receive an error untrusted cert. So something is still not correct.
I would be happy to hear any suggestions.
Thank You.
05-03-2023 12:51 PM
@00u18jg7x27DHjRMh5d7 I have a few asks:
1. What challenge are you facing exactly?
2. Is it an import failure or something else?
3. What device are you importing the pkcs12 cert to?
4. Can you share a screenshot of the error?
05-04-2023 07:21 AM
I am attempting to load an SSL cert on a Firepower device through FMC. My old FP was standalone. I now have FMC and I am trying to configure it and perform a switchover with minimum network interruption or remote users seeing a change.
The SSL cert on the old FP had to be converted to a .PEM file, which wasn't that hard to do. On the FMC there are several ways to add the cert. I attempted to add it manually; it sees the CA, not the ID. It prompts me to submit info to the RA for an ID cert. I cannot find on the RA's page where I can request that, unfortunately. I was able to convert the current cert into a PKCS12; FMC accepts it and sees the CA and ID, but I am still getting the following error (see below).
I am trying to find the most efficient way to add cert without error moving forward.
05-04-2023 07:38 AM
@00u18jg7x27DHjRMh5d7 are you connecting to the VPN using the IP address? If the certificate only has the FQDN and not the IP address it will error. Try connecting using the name as per the certificate.
05-04-2023 12:38 PM - edited 05-04-2023 12:39 PM
There is a FQDN but it is in use by the live VPN. I am using a redundant ISP connection to test so I have to use IP or it will route to the current production VPN. It will have the same FQDN so when I switch over the remote staff will not have to change anything.
05-04-2023 11:26 AM
@00u18jg7x27DHjRMh5d7
Looks like you are initiating the VPN connection using the IP address. If the server certificate only has the FQDN and not the IP address, it will give this untrusted warning (as expected). To avoid the error you will have to connect with the FQDN.
PRE-CHECKS:
You have already succeeded in importing the certificate on FTD via FMC, as you see both CA and ID in there. This imported Pkcs12 will also have a trustpoint name on FMC (see below - in my case it is SSL Anyconnect).
Have you called this trustpoint in the following section: Device>VPN>RemoteAccess>AccessInterface>SSLGlobal Identity certificate?
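The name check behind the warning discussed in this thread, as an added example that is not part of any post and not the AnyConnect client's own code: standard TLS name matching compares an IP target only with IP entries in the certificate's subjectAltName, never with its DNS names. The certificate dicts are constructed samples in the shape Python's `ssl` `getpeercert()` returns; `vpn.example.com` and `203.0.113.10` are placeholder values.

```python
import ipaddress

# Constructed sample: the dict shape ssl.SSLSocket.getpeercert() returns for a
# server certificate whose SAN carries only a DNS name (no IP entry).
CERT_FQDN_ONLY = {"subjectAltName": (("DNS", "vpn.example.com"),)}
# Constructed sample: same name plus the test interface's address as an IP SAN.
CERT_FQDN_AND_IP = {
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}


def _dns_match(pattern, host):
    """Compare one DNS SAN with the host; '*' may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def name_matches(cert, target):
    """Return True if what the user typed (FQDN or IP) is covered by the cert's SAN."""
    sans = cert.get("subjectAltName", ())
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP target is compared only with IP SANs, never with DNS names.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == addr:
                return True
        return False
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)


if __name__ == "__main__":
    for label, cert in (("FQDN only", CERT_FQDN_ONLY), ("FQDN + IP", CERT_FQDN_AND_IP)):
        for target in ("vpn.example.com", "203.0.113.10"):
            verdict = "match" if name_matches(cert, target) else "MISMATCH -> untrusted warning"
            print(f"{label:10} {target:16} {verdict}")
```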