Renew Certificate on FTD Managed by FMC

mumbles202
Level 5

I have a certificate that is expiring next week.  I followed this article:

Install and Renew Certificates on FTD Managed by FMC - Cisco

for a manual renewal.  I got the CSR and the new certificate, but before I was able to import it into the FMC GUI it timed out.  Now when I go into the FMC GUI and go to Device --> Certificates I see the error "old certificate available, re-enroll is in progress. manual refresh required".  It appears to be a clickable link, but nothing happens when I click it.  I can try to regenerate another CSR and start the process all over again, but I'm wondering if there is a way to get this corrected w/o doing that.  I don't see an option like I'd see on an ASA to get the certificate imported to match the CSR. 


16 Replies

@mumbles202 I'd try again and if the certificate renewal process continues to cause problems (possibly a bug in your version?), I'd create a new manual enrollment. Assuming that completes ok and you import the signed certificate, you would need to change the configuration to reference this new trustpoint.

vineshchauhan
Level 1

I seem to have the same issue.

FTD 7.0.5

In a loop and does not accept the new cert. 

I concur with @Rob Ingram's recommendation - I always use manual enrollments and it works perfectly.

vineshchauhan
Level 1

Hi Marvin, 

I renewed our cert last year via a manual request: created a CSR and sent it over to the supplier for approval, then installed the completed request on the appliance. This was when it was running version 6.6.5.2. 

Same process this time round, but it does not want to play on version 7.0.5.

Our other pair of FTDs running version 7.2.5 has no issues renewing via the manual process. 

 

mumbles202
Level 5

Manual enrollments have worked in the past.  If you follow the steps in that same article for manual enrollment, what happens if you get a CSR from Step 9 but there is a delay before you can get the actual certificate from the reseller for step 10?    I just tried that as well, and in waiting for the certificate to be sent back to me it timed out.  When I go back into the FMC I have a message to "Click here to import identity certificate" but if I click on that I get the warning about a new CSR being created.  This is FMC 7.2.5.1 if that makes a difference. 

I can create a PKCS12 using OpenSSL if that's easier, just trying to see what it is I'm doing incorrectly here.

vineshchauhan
Level 1

I've managed to resolve my enrolment issue and I hope this solution helps.

Old/Current ID certificate issued by Digicert and this is associated with one of their older CA.

New issued certificate is signed by one of Digicerts newer CA.

 

Initially created a CSR with the current/older CA and tried to import this. But the appliance failed to accept it with "old certificate available, re-enrol is in progress. manual refresh required".

 

To get around this issue:

Added New CA, created a new key pair & added custom certificate parameters, etc.

Because this is a new CA/key-pair a new CSR is created. Asked our supplier to complete this new request and the appliance accepted this

 

For info, after you create a CSR and then go back to import the completed request, the CSR information does not change. Related to step 10 in the guide.

Thanks for this.  I have imported the new CA certificate into the FMC and created a new CSR.  I was able to click on the message and confirmed that when it "regenerated" the new CSR it matched the one I sent to the reseller.  Imported the certificate and it does show as successful now, but I still have an X over the CA for that certificate, so I don't believe it's chained properly on the unit.  

Not all providers will  send back a chained signed certificate. When they don't, it is incumbent on the FMC administrator to chain the issued certificate with the issuing/intermediate/root CA as applicable. It's not strictly required to have the CA certificate chain present in the device certificate but some security scans will flag it if it's not present.

Security scans indeed; it's picked up on ours and keeps us busy. 

Nearly there. Worth checking Objects Management > PKI > External CA to make sure the new CA certificate is listed there?

Yes, the new CA certificate is listed in External CAs.  I don't recall if I added it before or after creating the CSR, but it is listed.

Chaining the issued certificate is mandatory to make it appear thus on the unit when viewed externally. It doesn't matter whether or not the separate objects are in FMC.

This is a GoDaddy Cert, so I've tried chaining the server certificate along w/ the bundle that was sent with no success.  I also just tried chaining it w/ gd_bundle.crt and gd_intermediate.crt but those failed as well.  I was going to try to generate a CSR w/ OpenSSL and import that but thinking this has more to do w/ the chain at this point and that might not work either. 

Just tried chaining the 2 files again (opened the mycert.crt file in notepad++, copied to a new file, then opened the bundle file and copied that to the end of the same file w/ the crt information, saved that as a .pem).  Added that into the FMC and it shows the identity cert, but still has a red X over CA.

Accepted Solution

I use openssl to chain the certificates as shown below.

You generally only need the issuing CA certificate to be chained. If you then add the "full_chain.p12" file (or whatever name you want to call it) as a manual enrollment certificate on the target device, it should give you both CA and ID icon indicators as OK in FMC.

```
.\openssl.exe pkcs12 -export -in <issued certificate>.crt -inkey <key for issued certificate>.pem -certfile <issuing CA certificate>.cer -out full_chain.p12 -nodes
```
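The checks a practitioner would run before handing FMC a PKCS#12 like the one in the accepted solution, plus the bundle build itself, as an added example that is not code from this thread or from Cisco. It assumes only that openssl is in PATH. The file names and the root / issuing / server certificates are constructed inside the script so it runs offline; in practice server.crt is the reseller's issued certificate, server.key the key behind the FMC-generated CSR, and int.crt the issuing (intermediate) CA from the reseller's bundle. The key-match check catches a certificate issued against a CSR that was since regenerated (the "CSR information does not change" point above), and the chain check catches the wrong-issuing-CA situation described for DigiCert.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks and PKCS#12 build for an
# FMC/FTD manual enrollment. Assumes only openssl in PATH; all inputs are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}   # constructed working directory

# Constructed demo PKI: root -> issuing CA ("int") -> server certificate.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'subjectAltName=DNS:fw.example.test\nextendedKeyUsage=serverAuth\n' >"$WORK/server.ext"
  for name in root int server; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: the issued certificate must carry the public key of the key behind the CSR.
# Compares the SubjectPublicKeyInfo from both sides; a cert issued against a
# regenerated CSR fails here.
key_matches_cert() { # <cert> <key>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 2: the issued certificate must chain to the root through the issuing CA.
# The root is the trust anchor (-CAfile); the issuing CA is passed as -untrusted,
# the way a client receives it from the firewall. The wrong issuing CA fails here.
chain_verifies() { # <cert> <issuing-ca> <root>
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Build the bundle the accepted answer describes: ID cert + key + issuing CA in one
# PKCS#12, protected by an export password (a constructed placeholder here).
build_p12() { # <cert> <key> <issuing-ca> <out.p12> <password>
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# Count the certificates inside the bundle: 2 means ID + issuing CA made it in,
# 1 means the CA was dropped, which is the state the red X over the CA icon points to.
p12_cert_count() { # <p12> <password>
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

main() {
  make_demo_pki
  key_matches_cert "$WORK/server.crt" "$WORK/server.key" || { echo "key does not match certificate"; exit 1; }
  chain_verifies "$WORK/server.crt" "$WORK/int.crt" "$WORK/root.crt" || { echo "chain does not verify"; exit 1; }
  build_p12 "$WORK/server.crt" "$WORK/server.key" "$WORK/int.crt" "$WORK/full_chain.p12" demo-export-pass
  echo "certificates in $WORK/full_chain.p12: $(p12_cert_count "$WORK/full_chain.p12" demo-export-pass)"
}
main
```

Two notes on the accepted command. `-nodes` is a PKCS#12 parsing option (it controls whether an extracted private key is written unencrypted); on `-export` OpenSSL ignores it, so the bundle is still protected by the export password, which is what you supply when importing it. And when a provider sends the chain as separate files (the GoDaddy bundle case above), `-certfile` accepts a single PEM file containing the issuing CA and, if wanted, the root, so concatenating them in that order is enough. After deployment, `openssl s_client -connect <firewall>:443 -showcerts` shows whether the unit actually serves the issuing CA alongside the ID certificate, which is what the security scans mentioned in the thread look at.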