05-06-2024 12:59 PM
Hello,
We have an FMC with a pair of Firepower 2110 in HA. Because the certificate associated with the SSL VPN trustpoint is about to expire, we need to renew the certificate. We issued the CSR to the client to get the new certificate, but the client changed the CA provider, so they shared with us generic certificates (.cer, .pfx and .p7b) to apply to the VPN. I have understood that the CSR is necessary to generate the certificate, but I'd like to know if it's possible to install this generic certificate from scratch as the new trustpoint for the SSL VPN?
If possible, how would you apply it, and what are the possible issues (warning messages at the moment of the AnyConnect VPN connection)?
Thanks in advance.
05-06-2024 01:06 PM
You need to add the root CA cert and generate a CSR for the FTD identity cert under the new root CA.
MHM
05-06-2024 01:19 PM
@LuigiDiFronzo9542 you don't need to generate the CSR on the ASA or FTD itself.
What format is the file in? If the file is a PFX/PKCS12 format that bundles together the identity certificate, root certificate chain and private key you can import this to the ASA using crypto ca import <trustpoint> pkcs12 <passphrase> and paste the contents of the file.
05-06-2024 02:42 PM
Thanks MHM and Rob,
I was provided with a .cer, a .pfx and a .p7b file for the certificates. So I understood that I could import the .pfx certificate using the passphrase, and after that I could associate the interface used for the SSL VPN with this newly imported generic certificate.
Is that correct?
05-08-2024 08:40 AM
Hello,
I installed the certificate .pfx through the FMC at Devices --> Certificates. I noticed that an error symbol appeared in the Status column indicating 'CA certificate is not available for this enrollment, PKCS12 certificate may not contain the CA certificate'. I attached the image with the error.
Despite this error, the certificate was assigned to the interface and works as expected. The root certificate is also installed in Trusted Certificates. What could be the reason for this error?
Thanks.
05-08-2024 08:43 AM
Try checking the cert. Is the issuer the same as the CA or different?
MHM
05-08-2024 09:04 AM
The issuer of the certificate is the intermediate entity, and in turn the issuer of the intermediate is the root CA.
So the issuer of the identity cert is the same as the intermediate certificate installed in Trusted Certs.
I attached the images.
Any idea?
Thanks.
05-08-2024 09:07 AM
Then you need to add the CA and sub CA.
MHM
05-08-2024 09:20 AM
@LuigiDiFronzo9542 create another trustpoint that contains just the root CA certificate, then enroll this to the FTD. This will push down the root CA certificate to the FTD. You can run "show crypto ca certificates" from the FTD CLI to confirm.
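Added example, not part of the thread or of any Cisco documentation: an openssl script that reproduces the situation described above (a wildcard identity cert issued by a sub CA that chains to a root) and packages it as PKCS#12 twice, once without the CA chain and once with it. The helper functions show what to check on the .pfx before importing it in FMC under Devices > Certificates: how many CA certificates the bundle carries (zero is what produces "PKCS12 certificate may not contain the CA certificate"), who issued the identity cert, and whether the identity cert actually verifies against the CA certs in the same bundle. All names, the passphrase and the *.example.test subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Builds root CA -> sub CA -> identity cert
# with openssl, packages the identity cert into a .pfx with and without the CA
# chain, and checks what each bundle contains. Everything here is constructed.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=demo-passphrase          # constructed PKCS#12 passphrase, demo only

# Build the demo chain and the two PKCS#12 bundles.
build_demo_chain() {
    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate (sub CA) signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null
    # Wildcard identity cert (the VPN server cert) signed by the sub CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
    # Bundle 1: key + identity cert only. Importing this is what makes FMC
    # report "PKCS12 certificate may not contain the CA certificate".
    openssl pkcs12 -export -name vpn-identity -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
        -passout "pass:$PASS" -out "$WORK/nochain.pfx"
    # Bundle 2: same key + identity cert, plus sub CA and root via -certfile
    cat "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/chain.pem"
    openssl pkcs12 -export -name vpn-identity -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
        -certfile "$WORK/chain.pem" -passout "pass:$PASS" -out "$WORK/withchain.pfx"
}

# Number of CA certificates carried inside a .pfx (0 is the failure case).
count_ca_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Issuer DN of the identity certificate inside a .pfx.
identity_issuer() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -issuer -nameopt RFC2253
}

# Extract the CA certs and the identity cert from a .pfx as clean PEM and
# verify the identity cert against only what the bundle itself carries.
# The CA PEM written here is also what you would paste into a separate
# manually enrolled trustpoint for the root / sub CA.
chain_verifies() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$WORK/pfx-ca.pem"
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$WORK/pfx-id.pem"
    openssl verify -CAfile "$WORK/pfx-ca.pem" "$WORK/pfx-id.pem" >/dev/null 2>&1
}

build_demo_chain
for f in nochain withchain; do
    pfx="$WORK/$f.pfx"
    if chain_verifies "$pfx"; then status=verifies; else status="does NOT verify"; fi
    printf '%s.pfx: %s CA cert(s); identity %s; chain %s\n' \
        "$f" "$(count_ca_certs "$pfx")" "$(identity_issuer "$pfx")" "$status"
done
```

If the .pfx you were handed counts zero CA certs, the fix on the openssl side is the -certfile step shown above: pull the chain out of the .p7b (openssl pkcs7 -print_certs -in file.p7b -out chain.pem), rebuild the .pfx with it, and re-import, or keep the existing identity trustpoint and add the root / sub CA through a separate trustpoint as described in the post above. Either way, check the identity cert's issuer matches a CA cert the FTD actually holds, or AnyConnect clients will see an untrusted-server warning.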
05-08-2024 10:20 AM
Thank you for your responses,
For the trustpoint I have this information:
Certificate
Status: Available
Certificate Serial Number: 03e252ac2a69577abfc0507a87f77eb0
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: RSA-SHA256
Issuer Name:
CN=SSL.com RSA SSL subCA
O=SSL Corporation
L=Houston
ST=Texas
C=US
Subject Name:
CN=*.Name
OCSP AIA:
URL: http://ocsps.ssl.com
CRL Distribution Points:
[1] http://crls.ssl.com/SSLcom-SubCA-SSL-RSA-4096-R1.crl
Validity Date:
start date: 16:11:16 UTC Mar 12 2024
end date: 16:11:16 UTC Apr 12 2025
Storage: config
Associated Trustpoints: Name
In this case the Issuer is the intermediate certificate.
Could you explain to me the procedure to create another trustpoint with the root CA certificate? Must the name of this trustpoint be the same?
Thanks