Objective: To remove the certificate warning that remote-access VPN clients see when connecting to a Firepower Threat Defense (FTD) device managed by Firepower Management Center (FMC). The warning typically appears because the FTD presents a self-signed identity certificate; the fix is to install a certificate issued by a CA the clients trust, whose Subject Alternative Name matches the FQDN the clients connect to.
Solution:
To remove the certificate warning, you need a CA-issued identity certificate on the FTD together with the CA chain that issued it. There are two ways to get there:
- Generate the key pair and CSR on the FTD itself through FMC (Manual enrollment, described in the procedure below), have the CA sign the CSR, and import the signed certificate back into the same trustpoint.
- Generate the private key and Certificate Signing Request (CSR) with OpenSSL, have the CA sign the CSR, bundle the signed certificate, the private key and the root/intermediate CA certificates into a PKCS12 file, and import that file through FMC using the PKCS12 File enrollment type.
In both cases the resulting trustpoint is then assigned to the remote-access VPN and the configuration is deployed to the FTD.
Where the CSR is generated matters. With Manual enrollment the private key never leaves the FTD, so the CSR must be generated there (via FMC) and the CA-issued certificate imported back to the same device and trustpoint. With the PKCS12 route the key travels inside the bundle, so it can be generated on any workstation with OpenSSL. Either way, ask the CA to issue the certificate with the attributes of a normal HTTPS server certificate: the TLS Web Server Authentication extended key usage and a Subject Alternative Name containing the VPN FQDN (modern clients ignore the Common Name when matching the host name). Once you have the signed certificate back, follow the steps below.
Procedure:
- Open FMC and log in. Navigate to Objects >> Object Management >> PKI >> Cert Enrollment. Click Add Cert Enrollment and enter a name for the trustpoint.
- Under the CA Information tab, set Enrollment Type to 'Manual'. Under CA Certificate, paste the PEM-encoded certificate of the CA that will sign the CSR (the issuing intermediate, if one is used, so the FTD can build the chain).
- Under the Certificate Parameters tab, set Include FQDN to 'Custom FQDN' and enter the FQDN that clients will use to reach the VPN. Make sure the Common Name and the Custom FQDN are both that exact name.
- Fill in the remaining subject details (Organization, OU, Country, and so on) as your CA requires; include the IP address only if clients connect by IP.
- Under the Key tab, choose a key name, type and size (RSA 2048 bits or larger). Click Save.
- Navigate to Devices >> Certificates >> Add >> New Certificate.
- In the Add New Certificate dialog box, select the FTD device.
- Under Cert Enrollment, select the trustpoint created above. Click the green Add icon next to it and confirm with Yes; FMC pushes the trustpoint to the FTD, which generates the key pair and the CSR.
- Copy the CSR, submit it to the CA and have it signed with the attributes of a normal HTTPS server certificate (TLS Web Server Authentication EKU and a SAN matching the VPN FQDN).
- After receiving the signed certificate, click Import for that trustpoint, paste the certificate and import it. Both the CA and the ID certificate should now show as present for the device.
- Finally, assign the trustpoint as the identity certificate in the remote-access VPN policy (Devices >> VPN >> Remote Access >> Access Interfaces) and deploy; clients then receive the CA-issued certificate instead of the default self-signed one.
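The OpenSSL side of the PKCS12 route, as an added example that is not part of the original page: it generates the key and CSR with the SAN set to the VPN FQDN, signs the CSR with a constructed throw-away CA (an assumption so the script runs offline; in practice the CSR goes to your real CA and its root/intermediate PEM replaces `ca.crt`), bundles certificate, key and chain into a PKCS12 file, and runs the checks a practitioner wants before uploading the bundle to FMC. The FQDN `vpn.example.com`, the file names under `$WORK` and the function names are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: OpenSSL side of the PKCS12 route.
# Assumptions: FQDN vpn.example.com, file names under $WORK, and a constructed
# throw-away CA (make_test_ca) that stands in for the real CA so this runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-vpn.example.com}"

# 1. Private key and CSR. The SAN must carry the FQDN clients connect to;
#    clients ignore the CN when matching the host name.
gen_csr() {
  openssl genrsa -out "$WORK/vpn.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/vpn.key" -out "$WORK/vpn.csr" \
    -subj "/C=US/O=Example Corp/OU=Network/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN"
}

# Constructed test CA (assumption). In production skip this, send vpn.csr to
# your real CA, and use the CA's root/intermediate PEM in place of ca.crt.
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=US/O=Example Corp/CN=Example Test CA" 2>/dev/null
}

# 2. CA signs the CSR with the attributes of a normal HTTPS server certificate:
#    SAN with the VPN FQDN, serverAuth EKU, and the usual key usage bits.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$FQDN" > "$WORK/server_ext.cnf"
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server_ext.cnf" \
    -out "$WORK/vpn.crt" 2>/dev/null
}

# 3. Bundle identity certificate, private key and CA chain into one PKCS12 file.
#    -certfile takes the whole chain (concatenate intermediate and root PEMs if both exist).
build_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/vpn.key" -in "$WORK/vpn.crt" \
    -certfile "$WORK/ca.crt" -name "$FQDN" -passout "pass:$1" -out "$WORK/vpn.p12"
}

# Pre-import checks: key matches cert, chain verifies, SAN and EKU are right,
# and the .p12 opens with the passphrase you will type into FMC.
verify_bundle() {
  cert_mod=$(openssl x509 -noout -modulus -in "$WORK/vpn.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$WORK/vpn.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || { echo "key/cert mismatch" >&2; return 1; }
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/vpn.crt" >/dev/null || return 1
  openssl x509 -noout -ext subjectAltName -in "$WORK/vpn.crt" \
    | grep -q "DNS:$FQDN" || return 1
  openssl x509 -noout -ext extendedKeyUsage -in "$WORK/vpn.crt" \
    | grep -q "TLS Web Server Authentication" || return 1
  openssl pkcs12 -in "$WORK/vpn.p12" -passin "pass:$1" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | grep -q "CN *= *$FQDN"
}

# Whole pipeline; the argument is the PKCS12 passphrase FMC will ask for on import.
run_all() {
  gen_csr && make_test_ca && sign_csr && build_pkcs12 "$1" && verify_bundle "$1"
}
```

Run it as `run_all 'your-p12-passphrase'` (after sourcing the file), then upload `$WORK/vpn.p12` in FMC with the PKCS12 File enrollment type and enter the same passphrase. If the import is rejected, one thing to check (an assumption based on OpenSSL 3 defaults, which moved PKCS12 encryption to AES-256-CBC with PBKDF2) is whether the importer only understands the older PBE algorithms; regenerating the bundle with `openssl pkcs12 -export -legacy ...` is the usual workaround.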