Certificates

Requirements and Prerequisites for Certificates

Supported Domains

Any

User Roles

Admin

Network Admin

Secure Firewall Threat Defense VPN Certificate Guidelines and Limitations

  • When a PKI enrollment object is associated with and then installed on a device, the certificate enrollment process starts immediately. The process is automatic for self-signed and SCEP enrollment types; it does not require any additional administrator's action. Manual certificate enrollment requires administrator's action.

  • When the certificate enrollment is complete, a trustpoint exists on the device with the same name as the certificate enrollment object. Use this trustpoint in the configuration of your VPN Authentication Method.

  • threat defense devices support certificate enrollment using Microsoft Certificate Authority(CA) Service, and CA Services provided on Cisco Adaptive Security Appliances(ASA) and Cisco IOS Router.

  • threat defense devices cannot be configured as a certificate authority (CA).

Guidelines for Certificate Management Across Domains and Devices
  • Certificate enrollment can be done in a child or parent domain.

  • When enrollment is done from a parent domain, the certificate enrollment object also needs to be in the same domain. If the trustpoint on a device is overridden in the child domain, the overridden value will be deployed on the device.

  • When the certificate enrollment is done on a device in a leaf domain, the enrollment will be visible to the parent domain or another child domain. Also, adding additional certificates is possible.

  • When a leaf domain is deleted, certificate enrollments on the contained devices will be automatically removed.

  • Once a device has certificates enrolled in one domain, it will be allowed to be enrolled in any other domain. The certificates can be added in the other domain.

  • When you move a device from one domain to another, the certificates also get moved accordingly. You will receive an alert to delete the enrollments on these devices.

Managing Threat Defense Certificates

See PKI Infrastructure and Digital Certificates for an introduction to Digital Certificates.

See Certificate Enrollment Objects for a description of the objects used to enroll and obtain certificates on managed devices.

Procedure


Step 1

Select Devices > Certificates.

You can see the following columns for each device listed on this screen:

  • Name—Lists the devices that already have trustpoints associated with them. Expand the device to see the list of associated trustpoints.

  • Domain—Displays the certificates that are enrolled in a specific domain.

  • Enrollment Type—Displays the type of enrollment used for a trustpoint.

  • Status—Provides the status of the CA Certificate and Identity Certificate. You can view the certificate contents, when Available, by clicking the magnifying glass.

    When you view the CA certificate information, you can view the hierarchy of all the certifying authorities, which issued your CA certificate.

    If the enrollment fails, click status to view the failure message.

  • Click Enable weak-crypto on the right to enable weak cipher usage in certificates. When you click the toggle button, you get a warning to confirm before enabling weak ciphers. Click Yes to enable weak ciphers.

    Note

     

    When a certificate enrollment fails due to weak cipher usage, you get a prompt to enable the weak cipher. You can choose to enable weak cipher when you need to use weak encryption.

  • The additional column lists icons to perform the following tasks:

    • Export Certificate—Click to export and download a copy of the certificate. You can choose to export the PKCS12 (Complete Certificate Chain) or the PEM(Identity Certificate Only) format.

      You must provide a pass phrase to export a PKCS12 certificate format to import the file later.

    • Re-enroll certificate—Re-enroll an existing certificate.

    • Refresh certificate status—Refresh a certificate to synchronize the Firepower Threat Defense device certificate status to the Firepower Management Center.

    • Delete certificate—Delete all the associated certificates for a trustpoint.

Step 2

Choose (+) Add to associate and install an enrollment object on a device.

When a certificate enrollment object is associated with and then installed on a device, the process of certificate enrollment starts immediately. The process is automatic for self-signed and SCEP enrollment types, meaning it does not require any additional administrator action. Manual certificate enrollment requires extra administrator action.

Note

 

The certificate enrollment on a device does not block the user interface and the enrollment process gets executed in the background, enabling the user to perform certificate enrollment on other devices in parallel. The progress of these parallel operations can be monitored on the same user interface. The respective icons display the certificate enrollment status.


Automatically Update CA Bundles

You can set the management center to automatically update the CA certificates through CLI commands. By default, the CA certificates are automatically updated when you install or upgrade to version 7.0.5.


Note


In an IPv6-only deployment, the automatic update of CA certificates may fail, because, some of the Cisco servers do not support IPv6. In such cases, force update the CA certificates using the configure cert-update run-now force command.


Procedure


Step 1

Log into the FMC CLI using SSH, or, if virtual, open the VM console.

Step 2

You can verify whether the CA certificates in the local system are the latest or not:

configure cert-update test

This command compares the CA bundle on the local system with the latest CA bundle (from the Cisco server). If the CA bundle is up to date, no connection check is executed and the test result is displayed as the one below:

Example:


> configure cert-update test
Test succeeded, certs can safely be updated or are already up to date.

If the CA bundle is out of date, the connection check is executed on the downloaded CA bundle and the test result is displayed.

Example:

When the connection check fails:

> configure cert-update test
Test failed, not able to fully connect.

Example:

When the connection check succeeds, or the CA bundle is already up to date:

> configure cert-update test
Test succeeded, certs can safely be updated or are already up to date.

Step 3

(Optional) To instantly update the CA bundles:

configure cert-update run-now

Example:


>configure cert-update run-now 
Certs have been replaced or was already up to date.

When you execute this command, the CA certificates (from the Cisco server) are verified for SSL connectivity. If the SSL connectivity check fails for even one of the Cisco servers, the process is terminated.

Example:


> configure cert-update run-now
Certs failed some connection checks.

To proceed with the update despite connection failures, use the force keyword.

Example:


> configure cert-update run-now force 
Certs failed some connection checks, but replace has been forced.

Step 4

If you do not want the CA bundles to be automatically updated, disable the configuration:

configure cert-update auto-update disable

Example:


> configure cert-update auto-update disable
Autoupdate is disabled

Step 5

To re-enable the automatic update of CA bundles:

configure cert-update auto-update enable

Example:


> configure cert-update auto-update enable
Autoupdate is enabled and set for every day at 12:18 UTC

When you enable the automatic update on the CA certificates, the update process is executed daily at a system-defined time.

Step 6

(Optional) View the status of automatic update of CA certificates:

show cert-update

Example:


> show cert-update
Autoupdate is enabled and set for every day at 09:34 UTC
CA bundle was last modified 'Thu Sep 15 16:12:35 2022'

Installing a Certificate Using Self-Signed Enrollment

Procedure


Step 1

On the Devices > Certificates screen, choose Add to open the Add New Certificate dialog.

Step 2

Choose a device from the Device drop-down list.

Step 3

Associate a certificate enrollment object with this device in one of the following ways:

  • Choose a Certificate Enrollment Object of the type Self-Signed from the drop-down list.
  • Click (+), to add a new Certificate Enrollment Object, see Adding Certificate Enrollment Objects.

Step 4

Press Add to start the Self Signed, automatic, enrollment process.

For self signed enrollment type trustpoints, the CA Certificate status will always be displayed, since the managed device is acting as its own CA and does not need a CA certificate to generate its own Identity Certificate.

The Identity Certificate will go from InProgress to Available as the device creates its own self signed identity certificate.

Step 5

Click the magnifying glass to view the self-signed Identity Certificate created for this device.


What to do next

When enrollment is complete, a trustpoint exists on the device with the same name as the certificate enrollment object. Use this trustpoint in the configuration of your Site to Site and Remote Access VPN Authentication Method

Installing a Certificate using EST Enrollment

Before you begin


Note


Using EST enrollment establishes a direct connection between the managed device and the CA server. So be sure your device is connected to the CA server before beginning the enrollment process.



Note


EST's ability to auto-enroll a device when its certificate expires is not supported.


Procedure


Step 1

On the Devices > Certificates screen, click Add to open the Add New Certificate dialog.

Step 2

Choose a device from the Device drop-down list.

Step 3

Associate a certificate enrollment object with this device in one of the following ways:

  • Choose the EST certificate enrollment object from the Cert Enrollment drop-down list.
  • Click (+), to add a new Certificate Enrollment Object, see Adding Certificate Enrollment Objects.

Step 4

Click Add to enroll the certificate on the device.

The Identity Certificate will go from InProgress to Available as the device obtains its identity certificate using EST from the specified CA. Sometimes, a manual refresh might be required to obtain the identity certificate.

Step 5

Click the magnifying glass to view the Identity Certificate created and installed on this device.


Installing a Certificate Using SCEP Enrollment

Before you begin


Note


Using SCEP enrollment establishes a direct connection between the managed device and the CA server. So be sure your device is connected to the CA server before beginning the enrollment process.


Procedure


Step 1

On the Devices > Certificates screen, choose Add to open the Add New Certificate dialog.

Step 2

Choose a device from the Device drop-down list.

Step 3

Associate a certificate enrollment object with this device in one of the following ways:

Step 4

Press Add, to start the automatic enrollment process.

For SCEP enrollment type trustpoints, the CA Certificate status will transition from InProgress to Available as the CA Certificate is obtained from the CA server and installed on the device.

The Identity Certificate will go from InProgress to Available as the device obtains its identity certificate using SCEP from the specified CA. Sometimes, a manual refresh might be required to obtain the identity certificate.

Step 5

Click the magnifying glass to view the Identity Certificate created and installed on this device.


What to do next

When enrollment is complete, a trustpoint exists on the device with the same name as the certificate enrollment object. Use this trustpoint in the configuration of your Site to Site and Remote Access VPN Authentication Method

Installing a Certificate Using Manual Enrollment

Procedure


Step 1

On the Devices > Certificates screen, choose Add to open the Add New Certificate dialog.

Step 2

Choose a device from the Device drop-down list.

Step 3

Associate a certificate enrollment object with this device in one of the following ways:

Step 4

Press Add to start the enrollment process.

Step 5

Execute the appropriate activity with your PKI CA Server to obtain an identity certificate.

  1. Click Identity Certificate warning to view and copy the CSR.

  2. Execute the appropriate activity with your PKI CA Server to obtain an identity certificate using this CSR.

    This activity is completely independent of the Secure Firewall Management Center or the managed device. When complete, you will have an Identity Certificate for the managed device. You can place it in a file.

  3. To finish the manual process, install the obtained identity certificate onto the managed device.

    Return to the Secure Firewall Management Center dialog and select Browse Identity Certificate to choose the identity certificate file.

    Note

     

    Ensure not to choose a binary certificate (PKCS12, DER, and alike) file because threat defense does not support them.

Step 6

Select Import to import the Identity Certificate.

The Identity Certificate status will be Available when the import complete.

Step 7

Click the magnifying glass to view the Identity Certificate for this device.


What to do next

When enrollment is complete, a trustpoint exists on the device with the same name as the certificate enrollment object. Use this trustpoint in the configuration of your Site to Site and Remote Access VPN Authentication Method

Installing a Certificate Using a PKCS12 File

Procedure


Step 1

Go to Devices > Certificates screen, choose Add to open the Add New Certificate dialog.

Step 2

Choose a pre-configured managed device from the Device drop down list.

Step 3

Associate a certificate enrollment object with this device in one of the following ways:

Step 4

Press Add.

The CA Certificate and Identity Certificate status will go from In Progress to Available as it installs the PKCS12 file on the device.

Note

 
When you upload the PKCS12 file for the first time, the file is stored in management center as part of the CertEnrollment object. For any failed enrollments due to a wrong passphrase or failed deployment, retry enrolling the PKCS12 certificate without uploading the file again. A PKCS12 file size should not be larger than 24K.

Step 5

Once Available, click the magnifying glass to view the Identity Certificate for this device.


What to do next

The certificate (trustpoint) on the managed device is named the same as the PKCS#12 file. Use this certificate in your VPN authentication configuration.

Troubleshooting Threat Defense Certificates

See Secure Firewall Threat Defense VPN Certificate Guidelines and Limitations to determine if variations in your certificate enrollment environment may be causing a problem. Then consider the following:

  • Ensure there is a route to the CA Server from the device.

    If the CA Server's host name is given in the Enrollment Object, use Flex Config to configure DNS appropriately to reach the server. Alternatively, use the IP Address of the CA Server.

  • If you are using a Microsoft 2012 CA Server, the default IPsec Template is not accepted by the managed device and must be changed.

    To configure a working template, follow these steps as you use MS CA documentation as a reference.

    1. Duplicate the IPsec (Offline Request) template.

    2. In Extensions > Application policies, select IP security end system, instead of the IP security IKE intermediate.

    3. Set the permissions and the template name.

    4. Add the new template and change the registry settings to reflect the new template name.

  • On the management center, you might receive the following health alert related to the threat defense device:

    Code - F0853; Description - default Keyring's certificate is invalid, reason: expired

    In such cases, use the following command to regenerate the default certificate in CLISH CLI:

    > system support regenerate-security-keyring default
  • A red cross appears in the CA certificate status with the following error:

    Fail to configure CA certificate

    Solution: See Troubleshoot Certificate Error on FMC.

  • To check the list of the certificates in a .pfx file, use tools such as certutil or openssl. You can see the whole chain with ID certificate, SubCA certificate, and CA certificate (if any).

    • certutil -dump cert.pfx

    • openssl pkcs12 -info -in cert.pfx

  • The following error appears:

    Identity certificate import required

    Solution: See Troubleshoot Certificate Error "Identity certificate import required" on FMC.

History for Certificates

Feature

Minimum Management Center

Minimum Threat Defense

Details

Support for OCSP and CRL IPv6 URL

7.4

Any

You can now add IPv6 OCSP and CRL URLs for certificate authentication (revocation checking). The IPv6 addresses must be enclosed in square brackets.

Enhancements to Manual Enrollment

6.7

Any

You can now create only a CA certificate without an identity certificate. You can also generate a CSR without a CA certificate and obtain an identity certificate from the CA.

PKCS CA Chain

6.7

Any

You can view and manage the chain of certifying authorities (CAs) issuing your certificates. You can also export a copy of the certificates.