05-20-2020 09:29 AM
Hello!
I'm having issues moving the VPN SSL certificate from ASA 8.x to a Firepower Management Center controlled firewall. I can export the certificate in PKCS12 format and import that into FMC without any issues, but it only verifies the identity certificate and not the CA. It's a wildcard cert, so I don't think I can submit the CSR again without having to rekey everything, and I don't have easy access to the original files. All the instructions I've found include a CSR in the process and I'm stuck. How can I get the CA cert on the FMC? Any help would be appreciated.
Thanks!
Andy
05-21-2020 05:28 AM
If you browse to the current ASA VPN portal, you can view and save to a file the certificates in the current chain (root CA and issuing CA). Then simply add those in FMC as objects.
05-21-2020 08:41 AM
Hey Marvin!
Thanks for the reply. That sounds extremely simple, so please excuse my lack of understanding with the CA process. I see how to export the certificates from the browser, but it has different formats, and there are multiple sections in the FMC for certificates. Can you be a bit more specific on what cert format goes where? I seem to be able to go add a Manual object in the Cert Enrollment section for the root and intermediate certs, and I can add them to the devices, but they then only verify the CA and not the identity. It has me generate a CSR, but it won't accept the PKCS12 file I have as a response. Do I need to import them into the "Trusted CAs"? Sorry, I'm a bit confused on this part.
05-21-2020 09:37 AM
Nevermind. I'm not sure if your method would have worked. I couldn't figure out how to do that. Instead, I finally figured out how to use openssl to combine the certificates into a single cert. Thanks again for the reply.
05-21-2020 09:42 AM
For the root and issuing CA you can add them under Objects > Object Management > PKI > Trusted CAs.
If you want to bind it all together in a chain you have to have the private key used to request the initial certificate. In a text editor chain the CA > issuing CA > certificate. Then use something like XCA or openssl to combine those into a pfx file and import it into FMC.
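The steps in the two replies above (save the root and issuing CA from the browser, chain them with the identity certificate, and use openssl to rebuild a single PKCS#12 that still carries the original private key) as an added, runnable example; this is not code from the thread, from Cisco, or from the FMC product. The file names old.p12, ca-issuing.pem, ca-root.pem and new.p12 and the password "demo" are assumptions, and the root/issuing/wildcard chain built by make_demo_pki is constructed on the fly so the script runs offline; in real use you already have the ASA export and the two CA files, so only rebuild_bundle and count_certs matter.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco. Rebuilds a PKCS#12
# bundle so it carries identity cert + private key + issuing CA + root CA,
# which is what lets the whole chain be verified from one imported bundle.
# File names (old.p12, ca-issuing.pem, ca-root.pem, new.p12) are assumptions.
set -e

# rebuild_bundle OLD_P12 PASSWORD ISSUING_CA_PEM ROOT_CA_PEM NEW_P12
# OLD_P12 is the ASA export (identity cert + key only); the two CA PEMs are
# the certificates saved from the browser while viewing the VPN portal.
rebuild_bundle() {
  old="$1"; pw="$2"; issuing="$3"; root="$4"; new="$5"
  work=$(mktemp -d)

  # 1. Pull the private key and the identity certificate out of the ASA export.
  #    On OpenSSL 3.x an older bundle encrypted with RC2/3DES may need "-legacy".
  openssl pkcs12 -in "$old" -passin "pass:$pw" -nocerts -nodes -out "$work/id.key"
  openssl pkcs12 -in "$old" -passin "pass:$pw" -clcerts -nokeys -out "$work/id.pem"

  # 2. Refuse to continue unless the key really belongs to the certificate.
  [ "$(openssl x509 -in "$work/id.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$work/id.key" -pubout)" ] \
    || { echo "private key does not match identity certificate" >&2; return 1; }

  # 3. Check that the CA files saved from the browser actually validate the cert.
  openssl verify -CAfile "$root" -untrusted "$issuing" "$work/id.pem" >/dev/null

  # 4. Chain file: issuing CA first, then root (the leaf is passed separately).
  cat "$issuing" "$root" > "$work/chain.pem"

  # 5. Re-export as one PKCS#12 with the chain attached.
  openssl pkcs12 -export -inkey "$work/id.key" -in "$work/id.pem" \
    -certfile "$work/chain.pem" -name "vpn-wildcard" \
    -passout "pass:$pw" -out "$new"
  rm -rf "$work"
}

# count_certs P12 PASSWORD : how many certificates the bundle carries (expect 3).
count_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_pki DIR : constructed root -> issuing -> wildcard chain so this runs
# offline; in real use you already have the ASA export and the saved CA certs.
make_demo_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/ca-root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
    -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/ca-root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/ca-issuing.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout "$d/vpn.key" -out "$d/vpn.csr" 2>/dev/null
  openssl x509 -req -in "$d/vpn.csr" -CA "$d/ca-issuing.pem" -CAkey "$d/issuing.key" \
    -CAcreateserial -days 30 -out "$d/vpn.pem" 2>/dev/null
  # What the ASA export looks like: identity cert + key, no chain.
  openssl pkcs12 -export -inkey "$d/vpn.key" -in "$d/vpn.pem" \
    -passout pass:demo -out "$d/old.p12"
}

# run_demo : build the demo PKI, rebuild the bundle, print the certificate count.
run_demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  rebuild_bundle "$d/old.p12" demo "$d/ca-issuing.pem" "$d/ca-root.pem" "$d/new.p12"
  count_certs "$d/new.p12" demo
  rm -rf "$d"
}

echo "certificates in rebuilt bundle: $(run_demo)"
```

Two checks in rebuild_bundle are the ones worth keeping when you do this by hand: the public-key comparison catches a wrong or stale key before you import anything, and openssl verify catches the wrong intermediate (the browser will happily save a cross-signed or expired issuer). If an older FMC rejects a bundle produced by OpenSSL 3.x, which defaults to AES/PBKDF2 for PKCS#12, re-running the export with legacy PBE settings (for example -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1) is the usual workaround; that is a general OpenSSL interoperability note, not something stated in this thread.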