Moving SSL from ASA 8.x to Firepower Management Center for Anyconnect

Hello!

I'm having issues moving the VPN SSL certificate from ASA 8.x to a Firepower Management Center controlled firewall. I can export the certificate in PKCS12 format and import that into FMC without any issues, but it only verifies the identity certificate and not the CA. It's a wildcard cert, so I don't think I can submit the CSR again without having to rekey everything, and I don't have easy access to the original files. All the instructions I've found include a CSR in the process and I'm stuck. How can I get the CA cert on the FMC? Any help would be appreciated.

Thanks!

Andy

1 Accepted Solution

Nevermind. I'm not sure if your method would have worked. I couldn't figure out how to do that. Instead, I finally figured out how to use openssl to combine the certificates into a single cert. Thanks again for the reply.

4 Replies

Marvin Rhoads
Hall of Fame

If you browse to the current ASA VPN portal, you can view and save to a file the certificates in the current chain (root CA and issuing CA). Then simply add those in FMC as objects.

Hey Marvin!

Thanks for the reply. That sounds extremely simple, so please excuse my lack of understanding with the CA process. I see how to export the certificates from the browser, but it has different formats, and there are multiple sections in the FMC for certificates. Can you be a bit more specific on what cert format goes where? I seem to be able to add a Manual object in the Cert Enrollment section for the root and intermediate certs, and I can add them to the devices, but they then only verify the CA and not the identity. It has me generate a CSR, but it won't accept the PKCS12 file I have as a response. Do I need to import them into the "Trusted CAs"? Sorry, I'm a bit confused on this part.


For the root and issuing CA you can add them under Objects > Object Management > PKI > Trusted CAs.

If you want to bind it all together in a chain, you have to have the private key used to request the initial certificate. In a text editor, chain the CA > issuing CA > certificate. Then use something like XCA or openssl to combine those into a pfx file and import it into FMC.
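The two steps Marvin describes above (save the chain the ASA portal is serving, then combine the private key, identity certificate and CA certificates into one pfx with openssl, which is also what the accepted solution ended up doing) as a worked script. This is an added example, not code from the thread, from Cisco or from OpenSSL's documentation. The file names, the passwords, the function names (fetch_chain, rebuild_pfx, count_certs, verify_pfx, make_demo_chain) and the throwaway *.example.com chain are all assumptions constructed for the demo; the real inputs are the PKCS12 you exported from the ASA and the CA certificates you saved from the portal.

```shell
#!/bin/sh
# Added example (not from the thread): turn an ASA PKCS12 export that holds only
# the identity certificate and its private key into a chained PKCS12 for FMC.
# All file names, passwords and the *.example.com chain below are constructed
# for the demo; substitute your own ASA export and CA files.
set -e

# 1. Pull the chain the ASA portal serves right now, drop the leaf, keep the
#    rest.  Many ASAs send only the issuing CA; if the root is missing from the
#    output, append it by hand from the CA's published bundle.
fetch_chain() { # fetch_chain <host:443> <chain.pem>
  openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
    | awk '/-BEGIN CERTIFICATE-/{n++; inblk=1} inblk && n>1 {print} /-END CERTIFICATE-/{inblk=0}' \
    > "$2"
}

# 2. Split the ASA export into key + identity cert, then re-export with the CA
#    certificates attached (-certfile).  This is the "combine into a single
#    cert" step; it needs the private key, which the ASA export carries.
rebuild_pfx() { # rebuild_pfx <asa.p12> <asa-pass> <chain.pem> <out.pfx> <out-pass>
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$tmp/key.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$tmp/identity.pem"
  openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/identity.pem" -certfile "$3" \
    -name anyconnect-wildcard -out "$4" -passout "pass:$5"
  rm -rf "$tmp"
}

# 3. Checks before uploading: the pfx must hold leaf + issuing CA + root, and
#    the leaf must verify against the root using only what is inside the pfx.
count_certs() { # count_certs <pfx> <pass>  -> number of certificates in the file
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c -- '-BEGIN CERTIFICATE-'
}
verify_pfx() { # verify_pfx <pfx> <pass> <root.pem>  -> exit 0 only if the chain verifies
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$tmp/leaf.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$tmp/ca.pem"
  if openssl verify -CAfile "$3" -untrusted "$tmp/ca.pem" "$tmp/leaf.pem" | grep -q ': OK$'; then
    rm -rf "$tmp"; return 0
  fi
  rm -rf "$tmp"; return 1
}

# Constructed demo material: a throwaway root -> issuing CA -> *.example.com
# chain, plus an "ASA export" that holds only the leaf and its key.
make_demo_chain() { # make_demo_chain <dir>
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Issuing CA' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
  # What the ASA export looks like: identity certificate + key, no chain.
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
    -out "$d/asa-export.p12" -passout pass:asa-export
  # What you would get from the portal / the CA's site: issuing CA then root.
  cat "$d/inter.crt" "$d/root.crt" > "$d/chain.pem"
}

demo_run() { # end to end on the constructed chain; prints the certificate count and result
  d=$(mktemp -d)
  make_demo_chain "$d"
  rebuild_pfx "$d/asa-export.p12" asa-export "$d/chain.pem" "$d/anyconnect-chained.pfx" fmc-import
  echo "certificates in rebuilt pfx: $(count_certs "$d/anyconnect-chained.pfx" fmc-import)"
  verify_pfx "$d/anyconnect-chained.pfx" fmc-import "$d/root.crt" && echo "chain OK: $d/anyconnect-chained.pfx"
}

# Exercise the constructed chain with:  sh rebuild-pfx.sh demo
if [ "${1:-}" = demo ]; then demo_run; fi
```

For the real migration, run fetch_chain against the ASA portal, open the resulting PEM and confirm it contains both the issuing CA and the root (append the root from the CA's bundle if the ASA only sends the intermediate), then call rebuild_pfx with the PKCS12 you exported from the ASA and upload the output through the same PKCS12 import in Cert Enrollment that accepted the original export; count_certs should report three certificates first. If FMC refuses the rebuilt file, a common cause is the PBE algorithms that OpenSSL 3 selects by default; re-exporting with `openssl pkcs12 -export -legacy ...` (an OpenSSL 3 option) produces the older encoding that more importers accept.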