
Import ID Cert

So trying to upload a cert for RA-VPN on FMC. I have a CA authority signed cert already and it is asking for the Identity cert. I have all the certs that were issued. Do I still need to send the CSR to the Cert Authority for a new ID cert? Or is there another way to do this?

Thanks 



Salman Mahajan
Cisco Employee

@00u18jg7x27DHjRMh5d7 I know it has been a while since you posted this query. I was curious to know if you were able to solve this. If you still have any query on the same, let me know; I will be happy to answer.

I have not been able to solve this issue. We created a PKCS12 cert that sees CA and ID but still receive an error untrusted cert. So something is still not correct. 

I would be happy to hear any suggestions.

Thank You.

@00u18jg7x27DHjRMh5d7 I have a few questions:
1. What challenge are you facing exactly?
2. Is it an import failure or something else?
3. What device are you importing the PKCS12 cert to?
4. Can you share a screenshot of the error?

I am attempting to load an SSL cert on a Firepower device through FMC. My old FP was standalone. I now have FMC and I am trying to configure it and perform a switchover with minimum network interruption or remote users seeing a change.

The SSL cert on the old FP had to be converted to a .PEM file, which wasn’t that hard to do. On the FMC there are several ways to add the cert. I attempted to add it manually; it sees the CA, not the ID. It prompts me to submit info to the RA for an ID cert. I cannot find on the RA’s page where I can request that, unfortunately. I was able to convert the current cert into a PKCS12; FMC accepts it and sees the CA and ID, but I am still getting the following error (see below).

I am trying to find the most efficient way to add cert without error moving forward.

00u18jg7x27DHjRMh5d7_0-1683210041477.png

 

@00u18jg7x27DHjRMh5d7 are you connecting to the VPN using the IP address? If the certificate only has the FQDN and not the IP address it will error. Try connecting using the name as per the certificate.

There is a FQDN but it is in use by the live VPN. I am using a redundant ISP connection to test so I have to use IP or it will route to the current production VPN. It will have the same FQDN so when I switch over the remote staff will not have to change anything.

@00u18jg7x27DHjRMh5d7 

Looks like you are initiating the VPN connection using the IP address. If the server certificate only has the FQDN and not the IP address, it will give this untrusted warning (as expected). To avoid the error you will have to connect with the FQDN.

PRE-CHECKS:

You have already succeeded in importing the certificate on FTD via FMC, as you see both CA and ID in there. This imported PKCS12 will also have a trustpoint name on FMC (see below; in my case it is SSL Anyconnect).

Screenshot 2023-05-04 at 11.41.41 PM.png

Have you called this trustpoint in the following section: Device>VPN>RemoteAccess>AccessInterface>SSLGlobal Identity certificate?

Screenshot 2023-05-04 at 11.53.30 PM.png
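
The name mismatch described in the replies above, as an added example that is not part of any post in this thread and is not AnyConnect's or FMC's own validation code: a simplified SAN-only check showing why a certificate issued for the FQDN alone is rejected when the client dials the IP. The certificate dicts use the layout of Python's `ssl.SSLSocket.getpeercert()`; `vpn.example.com` and `203.0.113.10` are constructed placeholder values.

```python
import ipaddress

def cert_covers(cert, target):
    """Return (ok, reason): is `cert` valid for the `target` the client dialled?

    An IP literal is compared only against 'IP Address' SAN entries and a
    hostname only against 'DNS' entries; the two never cross-match.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # target is a hostname, not an IP literal

    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"IP SAN {value}"
        return False, f"no IP Address SAN matches {target}"

    name = target.rstrip(".").lower()
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value.lower(), name):
            return True, f"DNS SAN {value}"
    return False, f"no DNS SAN matches {target}"

def _dns_match(pattern, name):
    # A wildcard is honoured only as the entire left-most label.
    if pattern.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == name

# Constructed sample: certificate issued for the FQDN only.
FQDN_ONLY = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
# Constructed sample: same FQDN plus the test interface address as an IP SAN.
FQDN_AND_IP = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}

if __name__ == "__main__":
    for label, cert in (("FQDN only", FQDN_ONLY), ("FQDN + IP", FQDN_AND_IP)):
        for target in ("vpn.example.com", "203.0.113.10"):
            print(f"{label:10} {target:16} {cert_covers(cert, target)}")
```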





