VPN cert renewal - remote site update

zachary.quinn
Level 1

Hi everyone,

We have a Cisco ASA with a site-to-site VPN with a Firepower appliance on the remote site. The certificate used is due to expire soon. I can find plenty of guides regarding obtaining the new certificate but nothing to say how the remote site gets updated. Does it automatically get the new cert when the config on the core ASA gets updated?

TIA


4 Replies

@zachary.quinn If you renew the certificate on the ASA, it would not renew the certificate on the FTD on the remote site. You'd have to renew that separately, assuming it also needs replacing?

Rob, that's a great question. I assumed it would be the same cert. Will look into that. I did not set this up and, surprise surprise, have no documentation to refer to.

@zachary.quinn if you log in to the CLI of both devices, run "show crypto ca certificates" - note the subject name and validity end dates of each certificate.
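The check above (compare subject names and validity end dates on both devices) is easy to script once the output is saved to a file. As an added example, not from this thread and not a Cisco tool, here is a Python snippet that parses `show crypto ca certificates` output and flags identity certificates that are expired or expire within a warning window; the sample output is constructed in the ASA/FTD layout, with the "Certificate" / "CA Certificate" headings and the printed time zone assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout the ASA/FTD CLI prints for
# "show crypto ca certificates": an identity cert and its issuing CA cert.
SAMPLE_OUTPUT = """\
Certificate
  Subject Name:
    cn=vpn-hq.example.com
  Validity Date:
    start date: 09:00:00 UTC Mar 1 2023
    end   date: 09:00:00 UTC Mar 1 2024
  Associated Trustpoints: VPN_S2S

CA Certificate
  Subject Name:
    cn=Example Issuing CA
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 00:00:00 UTC Jan 1 2030
  Associated Trustpoints: VPN_S2S
"""

# Matches "end   date: HH:MM:SS ZONE Mon D YYYY"; the zone printed is the
# device's configured one and is assumed to be UTC here.
END_DATE_RE = re.compile(
    r"\bend\s+date:\s*(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3})\s+(\d{1,2})\s+(\d{4})")

def parse_certificates(output):
    """Return one dict per entry: kind, subject CN, trustpoint(s), expiry (aware UTC)."""
    certs = []
    for block in re.split(r"\n(?=\S)", output.strip()):   # each entry starts at column 0
        end = END_DATE_RE.search(block)
        if not end:
            continue            # skip entries that carry no validity line
        hms, mon, day, year = end.groups()
        expires = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        subj = re.search(r"Subject Name:\s*\n\s*cn=([^\n,]+)", block)
        tps = re.search(r"Associated Trustpoints:\s*(.+)", block)
        certs.append({"kind": block.splitlines()[0].strip(),
                      "subject": subj.group(1).strip() if subj else "(no CN)",
                      "trustpoints": tps.group(1).strip() if tps else "",
                      "expires": expires.replace(tzinfo=timezone.utc)})
    return certs

def expiring_soon(certs, now, warn_days=30):
    """(subject, days_left) for identity certs that are expired or expire within warn_days."""
    return [(c["subject"], (c["expires"] - now).days) for c in certs
            if c["kind"] == "Certificate" and (c["expires"] - now).days <= warn_days]
```

Run it against the saved output from each device and diff the subject names: if the remote side lists no identity certificate at all, the tunnel is not using certificate authentication.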

OK, so it looks like there is no certificate on the remote site, so it must just be using pre-shared keys. Just found the IKEv2 settings section in ASDM which confirms it is using a pre-shared key, not a cert, so it looks like I can scratch this off the to-do list and focus on updating the AnyConnect cert for remote access!

Many thanks for steering me in the right direction

Regards,

Zac