As with most Cisco gear, some operations are either poorly documented or highly tedious!
In this quick article we’ll show you how to renew the Remote Access VPN SSL certificate using Cisco’s Firepower Management Center (FMC).
Renew your SSL Certificate for Cisco FMC
- Open up FMC and go to Objects > Object Management > PKI > Cert Enrollment
- Click Add Cert Enrollment
- Give your Enrollment a name – I like to name it with a year so I can track it.
- Click Certificate Parameters, then change Include FQDN: to Custom FQDN
  Complete the Parameters as required.
- Now head over to Devices > Certificates and click Add
- Select your device and the new certificate you created earlier.
- You will notice a warning: ‘Identity certificate import required’ so click ID and you will be prompted that a Certificate Signing Request (CSR) is going to be generated.
- Copy the CSR, then head over to your favourite SSL Reseller – in this example we are using Synergy Wholesale in Australia.
- When you renew or purchase an SSL certificate, you will be prompted to supply the CSR. Paste in the CSR from above.
- Approve & Validate the SSL request as required then wait for the SSL Certificate.
- Once you receive the SSL Certificate paste its contents into Notepad.
- Head back to FMC, and click Browse Identity Certificate. Supply the Notepad file.
- Nearly there! We now just have to update the Remote Access VPN (RA-VPN) with the new SSL Certificate. From FMC click Devices > VPN > Remote Access
- Edit your Remote Access VPN, then click Access Interfaces
- Update the SSL Identity Certificates then don’t forget to click Save
- Deploy the changes!
Your Remote Access VPN SSL certificate is now renewed. You can verify this by checking the matched SSL certificate in the Cisco AnyConnect VPN client (once connected). If you have HTTPS enabled, you can also check in your web browser by going to the FQDN and clicking on the certificate.
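Before the Browse Identity Certificate step, it is worth confirming that the file you saved carries the public key from the CSR generated in FMC, covers the Custom FQDN, and has the lifetime you paid for. The script below is an added example, not part of the original procedure or any Cisco tooling; the file names and vpn.example.com are assumptions, and the sample key, CSR and self-signed certificate are constructed locally so that it runs offline.

```shell
#!/usr/bin/env bash
# Added example: checks on the issued certificate before it is imported into FMC.
# File names and vpn.example.com are assumptions, not values from the article.

# 0 if the certificate carries the same public key as the CSR copied from FMC.
cert_matches_csr() {  # csr_file cert_file
  csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
  crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# 0 if the certificate is valid for the FQDN entered under Custom FQDN.
cert_covers_host() {  # cert_file fqdn
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the certificate is still valid N days from now.
cert_valid_for_days() {  # cert_file days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all three checks and report; returns non-zero if any of them fails.
check_renewal() {  # csr_file cert_file fqdn min_days
  rc=0
  cert_matches_csr "$1" "$2"    || { echo "FAIL: certificate key does not match the CSR"; rc=1; }
  cert_covers_host "$2" "$3"    || { echo "FAIL: certificate does not cover $3"; rc=1; }
  cert_valid_for_days "$2" "$4" || { echo "FAIL: certificate expires within $4 days"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $2 matches the CSR, covers $3, valid for $4+ days"
  return "$rc"
}

# Constructed sample: a locally generated key, CSR and self-signed certificate
# standing in for the FMC-generated CSR and the certificate from the reseller.
make_sample() {  # dir fqdn days
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -out "$1/csr.pem" -subj "/CN=$2" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" -days "$3" \
    -extfile "$1/san.ext" -out "$1/cert.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo" vpn.example.com 90
check_renewal "$demo/csr.pem" "$demo/cert.pem" vpn.example.com 30
rm -rf "$demo"
```

For a real renewal, skip `make_sample` and call `check_renewal` with the CSR text copied from FMC and the certificate file you are about to upload.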
As with all our articles, please feel free to reach out if you need assistance.