03-03-2022 08:50 AM
Hi everyone,
We have a Cisco ASA with a site-to-site VPN with a Firepower appliance on the remote site. The certificate used is due to expire soon. I can find plenty of guides regarding obtaining the new certificate but nothing to say how the remote site gets updated. Does it automatically get the new cert when the config on the core ASA gets updated?
TIA
03-03-2022 08:54 AM
@zachary.quinn If you renew the certificate on the ASA, it would not renew the certificate on the FTD on the remote site. You'd have to renew that separately, assuming it also needs replacing?
03-03-2022 08:57 AM
Rob, that's a great question. I assumed it would be the same cert. Will look into that. I did not set this up and, surprise, surprise, have no documentation to refer to.
03-03-2022 09:00 AM
@zachary.quinn if you log in to the CLI of both devices, run "show crypto ca certificates" - note the subject name and validity end dates of each certificate.
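When several devices need checking, the output of that command is tedious to read by eye. The script below is an added example (not from the thread or from Cisco): it parses text in the layout of the ASA "show crypto ca certificates" command and lists the subject CN, trustpoint and remaining validity of every certificate, flagging those that end within a chosen window. The sample output, hostnames, serial numbers and dates are constructed for the example, and the parser assumes the block layout shown in the sample (a "Certificate"/"CA Certificate" header at column 0, "Subject Name:" and "Validity Date:" sections, and dates in the "HH:MM:SS UTC Mon D YYYY" form); adjust the regular expressions if your platform prints them differently.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the ASA "show crypto ca certificates"
# command. Names, serials and dates are invented for this example.
SAMPLE_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer Name:
    cn=Example Root CA
    o=Example
  Subject Name:
    cn=Example Root CA
    o=Example
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 00:00:00 UTC Jan 1 2030
  Associated Trustpoints: ASDM_TrustPoint0

Certificate
  Status: Available
  Certificate Serial Number: 1a2b3c4d
  Certificate Usage: General Purpose
  Issuer Name:
    cn=Example Root CA
    o=Example
  Subject Name:
    cn=asa-core.example.com
    o=Example
  Validity Date:
    start date: 09:00:00 UTC Mar 15 2021
    end   date: 09:00:00 UTC Mar 15 2022
  Associated Trustpoints: ASDM_TrustPoint0
"""

# Assumed date layout of the "start date:" / "end date:" lines.
DATE_FMT = "%H:%M:%S UTC %b %d %Y"


@dataclass
class CertInfo:
    kind: str          # "CA Certificate" or "Certificate" (identity certificate)
    subject_cn: str
    trustpoints: str
    not_before: datetime
    not_after: datetime

    def days_remaining(self, now: datetime) -> int:
        return (self.not_after - now).days


def _finish(block: dict) -> CertInfo:
    # Every block must carry both validity dates; anything else is not a cert block.
    if "start" not in block or "end" not in block:
        raise ValueError(f"no validity dates found for block {block['kind']!r}")
    return CertInfo(block["kind"], block["subject_cn"], block["trustpoints"],
                    block["start"], block["end"])


def parse_show_crypto_ca_certificates(text: str) -> list[CertInfo]:
    """Split the command output into certificate blocks and extract the fields."""
    certs: list[CertInfo] = []
    current: dict | None = None
    section: str | None = None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():
            # A header at column 0 starts a new certificate block.
            if current is not None:
                certs.append(_finish(current))
            current = {"kind": raw.strip(), "subject_cn": "", "trustpoints": ""}
            section = None
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        if line.endswith(":"):
            section = line[:-1]  # "Issuer Name", "Subject Name", "Validity Date"
            continue
        if line.startswith("Associated Trustpoints:"):
            current["trustpoints"] = line.split(":", 1)[1].strip()
        elif section == "Subject Name" and line.lower().startswith("cn="):
            current["subject_cn"] = line[3:]
        elif section == "Validity Date":
            m = re.match(r"(start|end)\s+date:\s*(.+)", line)
            if m:
                when = datetime.strptime(m.group(2), DATE_FMT)
                current[m.group(1)] = when.replace(tzinfo=timezone.utc)
    if current is not None:
        certs.append(_finish(current))
    return certs


def expiring_within(certs: list[CertInfo], now: datetime, days: int = 30) -> list[CertInfo]:
    """Return the certificates whose validity ends within `days` of `now` (or already ended)."""
    horizon = now + timedelta(days=days)
    return [c for c in certs if c.not_after <= horizon]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    certs = parse_show_crypto_ca_certificates(SAMPLE_OUTPUT)
    for c in certs:
        print(f"{c.kind:15} cn={c.subject_cn:30} trustpoint={c.trustpoints:18} "
              f"ends {c.not_after:%Y-%m-%d} ({c.days_remaining(now)} days)")
    for c in expiring_within(certs, now):
        print(f"WARNING: {c.subject_cn} (trustpoint {c.trustpoints}) expires within 30 days")
```

Run it against saved output from each device (for example, the core ASA and the remote FTD) and compare the subject names: a tunnel that authenticates with certificates will show an identity certificate on both peers, and the one whose end date is nearest is the one to renew first.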
03-03-2022 09:31 AM
OK, so it looks like there is no certificate on the remote site, so it must just be using pre-shared keys. I just found the IKEv2 settings section in ASDM, which confirms it uses a pre-shared key, not a certificate, so it looks like I can scratch this off the to-do list and focus on updating the AnyConnect cert for remote access!
Many thanks for steering me in the right direction.
Regards,
Zac