I just inherited Stealthwatch 6.10.5 all on VM which includes one of each of the following: smc, flow, udp. I now need to renew/update the existing certificates that were installed. I have renewed the existing certificates and have all three in a .pfx format. I will export the private key and convert the .pfx to a .pem.
I've pretty much followed the steps in the link below, but after importing the 3rd party signed SSL cert, the CA cert was not available. (Under the CA Information tab, selected enrollment type "Manual" and left the CA certificate field empty.)
I then found a thread on Cisco Community to use an app called XCA, import all cert chain then export it to PKCS#12 (.p12) format. However, since we don't have the private key, exporting in p12 is not an option. And exporting the private key from FMC is not available either.
@atsukane it's straightforward using the manual enrollment method, you don't need to use OpenSSL on the 7.2 version. I just add the CA certificate when generating the CSR, then once the identity certificate is signed import the certificate. You can add the CA certificate once the identity certificate is imported, you just need to enrol the trustpoint on the FTD.
After further investigation and comparing the working CA in PKCS#12 format and the new non-working one, it turns out the working one is using the intermediate CA, whereas the new non-working one that is failing to import the ID cert is using the ROOT CA.
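As an added illustration (not from any of the posts above) of the .pfx-to-.pem conversion the first post describes and the intermediate-versus-root finding in the post just above, this script builds a constructed three-tier demo chain with openssl, bundles the leaf into a .pfx, extracts it, and checks that the key matches the identity cert and that only the issuing intermediate, not the root alone, completes the chain. All names, CNs and the export password are placeholders.

```shell
#!/bin/sh
# Constructed demo PKI (not real infrastructure): root -> intermediate -> leaf.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
PASS=pass:demo-only   # placeholder export password, constructed for this demo

# Extensions every CA certificate in the chain must carry.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA (self-signed), intermediate CA (signed by root), leaf (signed by intermediate).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 30 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt -days 30 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=smc.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out leaf.crt -days 30 2>/dev/null

# Bundle like a vendor-delivered .pfx: leaf key + leaf cert + the intermediate that issued it.
openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile inter.crt -passout "$PASS" -out bundle.pfx

# The conversion from the first post: split the .pfx into PEM key, identity cert and CA chain.
openssl pkcs12 -in bundle.pfx -passin "$PASS" -nocerts -nodes -out key.pem 2>/dev/null
openssl pkcs12 -in bundle.pfx -passin "$PASS" -clcerts -nokeys -out cert.pem 2>/dev/null
openssl pkcs12 -in bundle.pfx -passin "$PASS" -cacerts -nokeys -out chain.pem 2>/dev/null

# Check 1: the extracted private key really belongs to the extracted identity cert.
keys_match() {
  c=$(openssl x509 -in cert.pem -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in key.pem -pubout | openssl sha256)
  [ "$c" = "$k" ]
}
# Check 2: with the intermediate supplied alongside the cert, the leaf verifies up to the root.
verify_with_intermediate() {
  openssl verify -CAfile root.crt -untrusted chain.pem cert.pem >/dev/null 2>&1
}
# Check 3: offering only the root (no intermediate) leaves the chain incomplete, so verification fails.
root_only_verify_fails() {
  ! openssl verify -CAfile root.crt cert.pem >/dev/null 2>&1
}

keys_match && echo "private key matches the identity cert"
verify_with_intermediate && echo "chain verifies when the issuing intermediate is present"
root_only_verify_fails && echo "root CA alone cannot complete the chain"
```

The same three checks can be run against a real extracted bundle by pointing the functions at its key.pem, cert.pem and chain.pem before uploading anything to the appliance.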
I'm setting up ISE to use EAP-TLS using a trusted root certificate and I have the certificate chain uploaded to ISE but I'm just wondering how you actually say to ISE, I want you to use this certificate that is coming from the computer/end user machine?
@alliasneo1 it's the "EAP Authentication" certificate within ISE that is used for client (user/machine) authentication. When you specify the usage you can use the same certificate for different roles or unique certificates.
Not from here. The one you shared is to tell ISE to present that cert when it negotiates EAP authentication with the endpoints. However, if you look at the trusted certificates store in ISE, and you select the root or intermediate CA certificate which would be the issuer of the endpoints' certificates, you would see that there is an option selected which is called "Trust for client authentication and Syslog". That is where you tell ISE to trust the endpoints' certificates that would be issued by that root or intermediate CA, and to use that cert for EAP authentication. Please note that the cert you define on ISE to be used for EAP authentication (an example in the screenshot you shared) doesn't necessarily need to be issued by the same issuer as the endpoints' certificates. However, it is a common and best practice to have that cert alongside the endpoints' certs issued by the same PKI.
I have gone into the Trusted Certificates Store and I can see the Root Cert and that is indeed ticked for 'Trust for Client Authentication and Syslog' so this is the one that the clients are using to authenticate against?
A little confused though as I thought the one I shared above which negotiates EAP authentication with the endpoints is what the clients used? Are you saying there is one certificate for EAP authentication and then another using the root certificate?
The one you shared is the one that ISE will present to the clients; the clients need to trust that cert, and they trust it by having the issuer or the root CA certificate imported into them. That is one part. The second part is that ISE also needs to trust the certificates that will be presented by the clients. ISE does that by looking at the issuer or the root CA certificate of the clients' certificates that has been imported into its trusted certificates container; that certificate must have the "Trust for client authentication" option ticked so ISE can use it to trust the clients when they do EAP authentication.
For instance, say you have two PKIs in your environment, one issued the certificates for the clients, and another issued the identity certificate for ISE. In this case, ISE needs to have the root CA certificate imported into its trusted certificate store and have "Trust for client authentication" ticked to trust the certificates that will be presented by the clients when they try to establish the secure channel during the EAP authentication.
However, the clients also need to trust the certificate that ISE will be presenting, which is the one you chose to be associated with EAP usage in ISE, as the one you shared in the screenshot. In the end, ISE uses that certificate to present its identity, and the clients use their certificates to present their identity.
We have recently bought a Cisco FirePOWER 1010 and I would like to configure certificate based authentication for the RA VPN on the device (I have all the licences required for this and can authenticate using the built-in local DB; I would like to set up AAA & Certificate authentication). We have an internal CA set up using EasyRSA, so we have a CA certificate and can use it to sign other certificates. I will be using FDM to manage the device.
Looking at the documentation, I found it very confusing and wasn't sure the process required to set this up. I was going to try to install the CA certificate as a Trusted CA Certificate within FDM. Is this correct? Following this, how do I use a certificate signed by that to authenticate through AnyConnect?
Thank you for providing the above URLs, however, I had configured the system as discussed in the second URL. I have imported our CA certificate as a "Trusted CA Certificate" and imported a certificate signed by that into my user personal certificate store. When I connect to the AnyConnect VPN using the client and select the connection profile, an error message stating "Certificate Validation Failure" is presented. In the log for the client I can see the message "No valid certificates available for authentication." despite having the signed certificate in both User and Computer "Personal" stores.
Do you know if the CA certificate or the signed certificate need specific properties? Any ideas on how I can configure this? Sorry if the answer is very obvious, as stated above I am very new to Cisco kit!
I have installed the CA certificate as a Trusted CA Certificate through the FDM interface. I have installed the client certificate on the laptop I am testing this from in the user's "Personal" certificate store. Also, I have installed the CA certificate as a Trusted Root CA on the laptop. On the connection profile in FDM, I have client certificate authentication configured with the username mapping configured to CN and E. I have also configured the external domain certificate in the "Certificate of Device Identity" so that users do not receive a certificate warning on accessing the web service. Should this be configured as something different?
4. Do you have the internal CA-signed identity certificate for the FTD, like you did for the client? That is the certificate presented by the FTD and the client for the handshake and authentication. I am assuming you are missing that cert; you need to enroll your FTD to your internal CA, import the cert and select it under RAVPN.
I found my issue in the end! When setting up the Trusted CA Certificate I had not selected anything in the "Validation Usage for Special Services" option. Had to set this to "SSL Client" as that is the option to use the CA certificate to validate incoming RA VPN client certificates!!!! So much stress for such a simple thing!
Example:
Admin Portal: Better to use the Self signed certificate or Public Certificate?
EAP: Self Signed or Public Certificate?
BYOD: Public Certificate
RADIUS: Self-signed Certificate or Public Certificate?
Onboarding device includes all platforms. Please help me select the best Cisco recommended public/private cert for each role... I heard that using a public cert on the EAP & RADIUS role will fail Onboarding.
I would say though that when accessing ISE Admin web interfaces (or any https portal) it's pretty sane to get a public CA to sign that cert, only because you will have various people (admins) who will be accessing the ISE GUI with all sorts of browsers - some, like Firefox, don't use the underlying OS's cert store. So you'll get warnings if you sign the ISE Admin cert with your company's PKI ... no errors in Chrome/IE/Edge - but Firefox will claim that the site is untrustworthy. Therefore - if you can spare the few $$$ then buy a cert from a reputable CA. Problem is, you sometimes need to find the person in the organisation who can apply for these things, etc. - and there is some money involved.