Renew Cisco Firepower Remote Access VPN SSL Certificate

As with most Cisco gear, some operations are either poorly documented or highly tedious!

In this quick article we’ll show you how to renew the Remote Access VPN SSL certificate using Cisco’s Firepower Management Center (FMC).

Renew your SSL Certificate for Cisco FMC

  1. Open up FMC and go to Objects > Object Management > PKI > Cert Enrollment
  2. Click Add Cert Enrollment
  3. Give your Enrollment a name – I like to name it with a year so I can track it.
  4. Click Certificate Parameters, then change Include FQDN: to Custom FQDN
    Complete the Parameters as required.
  5. Now head over to Devices > Certificates and click Add
  6. Select your device and the new certificate you created earlier.
  7. You will notice a warning: ‘Identity certificate import required’. Click ID and you will be prompted that a Certificate Signing Request (CSR) is going to be generated.
  8. Copy the CSR, then head over to your favourite SSL Reseller – in this example we are using Synergy Wholesale in Australia.
  9. When you renew or purchase an SSL certificate, you will be prompted to supply the CSR. Paste in the CSR from above.
  10. Approve & Validate the SSL request as required, then wait for the SSL Certificate.
  11. Once you receive the SSL Certificate, paste its contents into Notepad.
  12. Head back to FMC, and click Browse Identity Certificate. Supply the Notepad file.
  13. Nearly there! We now just have to update the Remote Access VPN (RA-VPN) with the new SSL Certificate. From FMC click Devices > VPN > Remote Access
  14. Edit your Remote Access VPN, then click Access Interfaces
  15. Update the SSL Identity Certificates, then don’t forget to click Save
  16. Deploy the changes!

Your Remote Access VPN SSL certificate is now renewed. You can verify this by checking the matched SSL Certificate from the Cisco AnyConnect VPN client (once connected). If you have HTTPS enabled, you can also check using your web browser by going to the FQDN and clicking on the certificate.
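A pre-import check for steps 8 to 12, as an added example that is not part of the original article: with the CSR and the returned certificate saved as files, it confirms that the certificate was issued for that CSR, covers the VPN FQDN, and is not close to expiry. The file names, `vpn.example.com` and the 30-day threshold are assumptions, and `make_sample` builds a constructed throwaway CSR and self-signed certificate for trying it out.

```bash
#!/usr/bin/env bash
# Added example: checks to run on the issued certificate before importing it.
# File names, vpn.example.com and the 30-day threshold are assumptions.

# Succeeds if the certificate carries the same public key as the CSR,
# i.e. it was issued for the key pair that produced that CSR.
cert_matches_csr() {      # usage: cert_matches_csr request.csr issued.crt
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Succeeds if the certificate's SAN (or CN, when it has no DNS SAN) covers the FQDN.
cert_covers_host() {      # usage: cert_covers_host issued.crt vpn.example.com
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Succeeds if the certificate is still valid N days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days issued.crt 30
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all three checks, report each failure, return non-zero if any failed.
precheck() {              # usage: precheck request.csr issued.crt fqdn
    rc=0
    cert_matches_csr "$1" "$2"  || { echo "FAIL: certificate key does not match CSR"; rc=1; }
    cert_covers_host "$2" "$3"  || { echo "FAIL: certificate does not cover $3"; rc=1; }
    cert_valid_for_days "$2" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 matches $1 and covers $3"
    return "$rc"
}

# Constructed sample input: a throwaway key, CSR and self-signed certificate
# for vpn.example.com written to directory $1. They stand in for the CSR
# copied from FMC and the certificate returned by the reseller.
make_sample() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/request.csr" -subj "/CN=vpn.example.com" 2>/dev/null
    openssl x509 -req -in "$1/request.csr" -signkey "$1/key.pem" -days 90 \
        -out "$1/issued.crt" 2>/dev/null
}

# Stand-alone use: ./precheck.sh request.csr issued.crt vpn.example.com
if [ "$#" -eq 3 ]; then precheck "$@"; fi
```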

As with all our articles, please feel free to reach out if you need assistance.