cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2620
Views
0
Helpful
9
Replies

Install a VPN SSL certificate without CSR

Hello,

We have a FMC with a pair of Firepower 2110 in HA. Because the certificate asociated to the VPN SSL trustpoint is about to expire, we need to renew the certificate. We issued the CSR to the client for get the new certificate but the client changed the CA provider, so they shared with us a generic certificates (.cer, .pfx and .p7b) to apply to the VPN. I have understood that is necesary the CSR to generate the certificate but I'd like to know if it's possible to install this generic certificate from scratch as the new trustpoint for the SSL VPN?

If possible how could you apply it and what are the possible issues (warning messages at the moment of the Anyconnect vpn connection).

Thanks in advance.

9 Replies 9

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215849-certificate-installation-and-renewal-on.html

you need to add root CA cert and generate CSR for FTD identity cert for new root CA 

MHM

@LuigiDiFronzo9542 you don't need to generate the CSR on the ASA or FTD itself.

What format is the file in? If the file is a PFX/PKCS12 format that bundles together the identity certificate, root certificate chain and private key you can import this to the ASA using crypto ca import <trustpoint> pkcs12 <passphrase> and paste the contents of the file.

 

Thanks MHM and Rob,

I was provided with a .cer, a .pfx and a .p7b file for the certificates. So I understood that I could import the .pfx certificates using the passphrase and after that I could associate the interface associated to the SSL VPN with this new generic certificate imported.

Is that correct?

Hello,

I installed the certificate .pfx through the FMC at Devices --> Certificates. I noticed that an error symbol appeared in the Status column indicating 'CA certificate is not available for this enrollment, PKCS12 certificate may not contain the CA certificate'. I attached the image with the error.

Despite this error, the certificate was assigned to the interface and works as expected. The root certificate is also installed in Trusted Certificates. What could be the reason for this error?

Thanks. 

Try check thr cert. Issuer is same as CA or different?

MHM

The issuer of the certificate is the intermediate entity, and on the other hand the issuer of the intermediate is the root CA.

So the issuer of the Identity is the same as the intermediate certificate installed in trusted Cert.

I attached the images.

Any idea?

Thanks.

Then you need to add CA abd sub CA 

MHM

@LuigiDiFronzo9542 create another trustpoint that contains just the root CA certificate, then enroll this to the FTD. This will push down the root CA certificate to the FTD. You can run "show crypto ca certificates" from the FTD CLI to confirm.

Thank you for your responses,

For the Turstpoint I have this information:

Certificate
Status: Available
Certificate Serial Number: 03e252ac2a69577abfc0507a87f77eb0
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: RSA-SHA256
Issuer Name:
CN=SSL.com RSA SSL subCA
O=SSL Corporation
L=Houston
ST=Texas
C=US
Subject Name:
CN=*.Name
OCSP AIA:
URL: http://ocsps.ssl.com
CRL Distribution Points:
[1] http://crls.ssl.com/SSLcom-SubCA-SSL-RSA-4096-R1.crl
Validity Date:
start date: 16:11:16 UTC Mar 12 2024
end date: 16:11:16 UTC Apr 12 2025
Storage: config
Associated Trustpoints: Name

In this case the Issuer is the intermediate certificate.

Could you explain me the procedure to create another trustpoint with the CA root certificate? The name of this trustpoint must be the same?

Thanks