Managing FTD VPN Certificates

See PKI Infrastructure and Digital Certificates for an introduction to Digital Certificates.

See Certificate Enrollment Objects for a description of the objects used to enroll and obtain certificates on managed devices.

Procedure


Step 1

Select Devices > Certificates.

You can see the following columns for each device listed on this screen:

  • Name—Lists the devices that already have trustpoints associated with them. Expand the device to see the list of associated trustpoints.

  • Domain—Shows the domain in which each certificate is enrolled.

  • Enrollment Type—Displays the type of enrollment used for a trustpoint.

  • Status—Shows the status of the CA Certificate and the Identity Certificate. When a certificate is Available, click the magnifying glass to view its contents.

    When you view the CA certificate, you can see the full hierarchy of certificate authorities that issued it, which lets you confirm the chain actually terminates at the root you expect.

    If the enrollment fails, click the status to view the failure message.

  • The CA Certificate and Identity Certificate columns show the state of each certificate separately. In each column, click the magnifying glass to view the certificate contents when the status is Available.

    The values in these columns depend on the enrollment type and change as enrollment progresses. The CA Certificate status can be Available, Not Available, or Not Applicable. The Identity Certificate status can be Available, Pending, or, during a refresh, Available and Pending.

  • Refresh (circling arrows) a certificate on a managed device. Refreshing synchronizes the certificate status held by the Firepower Management Center with the actual state on the Firepower Threat Defense device, so use it before trusting a status shown in this table.

  • Re-enroll the identity certificate.

    If certificate enrollment fails during a policy deployment, use the re-enroll option to enroll the identity certificate again rather than deleting and re-adding the trustpoint.

  • Delete (trash can) a configured certificate.

  • Click Enable weak-crypto on the right to allow certificates that use weak ciphers. When you click the toggle, a warning asks you to confirm before weak ciphers are enabled. Click Yes to enable them.

    Note

    When a certificate enrollment fails because the certificate uses a weak cipher, you are prompted to enable weak crypto. Enable it only when you genuinely have to interoperate with a CA or peer that cannot issue anything stronger; the better fix is to have the certificate re-issued with a current key size and signature algorithm and leave the toggle off, because the setting lowers the bar for every certificate the device accepts, not just the one that failed.

  • The additional column lists icons to perform the following tasks:

    • Export Certificate—Click to export and download a copy of the certificate. You can choose the PKCS12 (Complete Certificate Chain) or the PEM (Identity Certificate Only) format.

      A PKCS12 export requires a pass phrase, and you need the same pass phrase to import the file later. Because a PKCS12 bundle carries the private key along with the certificate chain, treat the exported file and its pass phrase as secrets; the PEM export contains only the public identity certificate and is the right choice when you simply need to hand the certificate to a peer.

    • Re-enroll certificate—Re-enroll an existing certificate.

    • Refresh certificate status—Refresh a certificate to synchronize the Firepower Threat Defense device certificate status to the Firepower Management Center.

    • Delete certificate—Delete all the associated certificates for a trustpoint.
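The two export formats and the weak-crypto prompt described above, worked through with openssl as an added example that is not from the Cisco page or from FMC itself. The script builds a constructed CA and identity certificate, packages them the way the two FMC exports are shaped (PKCS12 with the full chain and key behind a pass phrase, PEM with the identity certificate only), counts what each file carries, and flags a certificate that would trip a weak-crypto check. The CA name, hostnames, pass phrase and the thresholds used for "weak" (RSA keys below 2048 bits, MD5 or SHA-1 signatures) are assumptions for illustration; the page does not list which ciphers FMC treats as weak.

```shell
#!/bin/sh
# Added example (not Cisco's code): constructed PKI, the two FMC-style export shapes,
# and an openssl-based check for the kind of certificate that triggers "enable weak-crypto".
set -eu
WORK=$(mktemp -d)
PASS='export-pass-phrase'   # stands in for the pass phrase FMC requires on PKCS12 export (assumed value)

# --- constructed PKI: one CA, one 2048-bit identity cert, one deliberately weak 1024-bit cert ---
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj '/CN=Example Root CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=ftd-vpn.example.test' \
  -keyout "$WORK/id.key" -out "$WORK/id.csr" 2>/dev/null
openssl x509 -req -in "$WORK/id.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -sha256 -days 365 -out "$WORK/id.pem" 2>/dev/null
openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 365 -subj '/CN=weak.example.test' \
  -keyout "$WORK/weak.key" -out "$WORK/weak.pem" 2>/dev/null

# --- the two export shapes ---
# PKCS12 (Complete Certificate Chain): private key + identity cert + issuing CA, pass-phrase protected
openssl pkcs12 -export -inkey "$WORK/id.key" -in "$WORK/id.pem" -certfile "$WORK/ca.pem" \
  -name ftd-vpn-trustpoint -passout "pass:$PASS" -out "$WORK/export.p12"
# PEM (Identity Certificate Only): just the leaf certificate, no key, no chain
openssl x509 -in "$WORK/id.pem" -out "$WORK/export.pem"

# Number of certificates a file carries (PEM read directly, PKCS12 unlocked with the pass phrase).
count_certs() {
  case "$1" in
    *.p12) openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null ;;
    *)     cat "$1" ;;
  esac | grep -c 'BEGIN CERTIFICATE'
}

# Flag the usual weak-crypto triggers (assumed thresholds): RSA key under 2048 bits,
# or an MD5/SHA-1 signature. Prints "OK ..." and returns 0, or "WEAK ..." and returns 1.
# Assumes an RSA public key; the bit threshold is not meaningful for EC keys.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
  reason=''
  [ "$bits" -ge 2048 ] || reason="${bits}-bit key"
  case "$sigalg" in md5*|sha1*) reason="${reason:+$reason, }$sigalg signature" ;; esac
  if [ -n "$reason" ]; then printf 'WEAK %s\n' "$reason"; return 1; fi
  printf 'OK %s-bit key, %s\n' "$bits" "$sigalg"
}

# Does the certificate in $1 chain to the CA in $2? (the question behind the CA Certificate status)
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

echo "PKCS12 certs: $(count_certs "$WORK/export.p12")   PEM certs: $(count_certs "$WORK/export.pem")"
check_cert "$WORK/id.pem"
check_cert "$WORK/weak.pem" || true
verify_chain "$WORK/export.pem" "$WORK/ca.pem" && echo "identity cert chains to CA"
```

Run it against a real FMC export by pointing `count_certs` and `check_cert` at the downloaded file (with `PASS` set to the pass phrase you entered at export time) to confirm the PKCS12 really contains the issuing chain and that nothing in it is weaker than your policy allows before you import it elsewhere.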

Step 2

Choose (+) Add to associate and install an enrollment object on a device.

When a certificate enrollment object is associated with and then installed on a device, the process of certificate enrollment starts immediately. The process is automatic for self-signed and SCEP enrollment types, meaning it does not require any additional administrator action. Manual certificate enrollment requires extra administrator action.

Note

Certificate enrollment on a device does not block the user interface. The enrollment runs in the background, so you can start enrollment on other devices in parallel and monitor all of them from the same screen; the status icons show each enrollment's progress.

Step 3

Choose (+) Add > Add New Certificate to associate and install an enrollment object on a device. Continue based on the type of enrollment.

Note

Importing a PKCS12 file, like manual enrollment, requires extra administrator action after the enrollment object is installed; self-signed and SCEP enrollments complete on their own.