AnyConnect (FTD), PKCS12, and OpenSSL
The time has arrived: you've been tasked to install an SSL certificate for your AnyConnect configuration running on an FMC-managed FTD. You have a pre-issued certificate - an existing wildcard, perhaps - in PKCS12 format. You also have the issuer CA chain so you can import it for trust so the wildcard ID cert will be accepted.
You go to Objects > PKI > Trusted CAs, import the issuer CA chain, then upload your PKCS12 in Device > Certificates and poof, everything is perfect, right?
WRONG! You get an error: Failed to configure CA certificate.
Why? The CA Chain is trusted! The ID cert is valid! What is happening?
Though the CA chain was imported, this has nothing to do with your Identity Certificate configuration! The FMC/FTD PKI Trusted CA store is leveraged in SSL Decryption, ISE/ISE-PIC integration, and Realm configuration - this is not what we need for our use-case. You will note that, when you get this error, you cannot click the “CA” button to add your CA chain, either. So you somehow need to associate the CA chain with the PKCS12/pfx file in one fell swoop – but how?
Enter OpenSSL! – https://www.openssl.org/
OpenSSL is an incredibly useful (and freely available) tool for manipulating certificates and other cryptography elements across a wide variety of situations.
For this use-case, using OpenSSL, you can:
- Extract the private key from the identity certificate bundle into a key file
- Extract the identity certificate from the bundle into a crt file
- Combine the new separate crt and key files with the CA chain certificate into a new pfx file
The syntax would be as follows:
1. Extract the private key from your wildcard/identity pfx:
openssl pkcs12 -in <id_cert.pfx> -nocerts -out privateKey.key
(enter the import passphrase of the pfx, then create a passphrase for the new key file)
2. Extract the identity certificate from the wildcard/identity pfx:
openssl pkcs12 -in <id_cert.pfx> -nokeys -out id_cert.crt
(enter the import passphrase of the pfx)
3. Combine the id_cert.crt, privateKey.key, and issuer_CA_chain.crt files into one new PKCS12/PFX file:
openssl pkcs12 -export -out newID_CERT.pfx -inkey privateKey.key -in id_cert.crt -certfile issuer_CA_chain.crt -name <subject:commonName> -passout pass:newPassphrase
(enter the key passphrase created in step 1)
With this, you now have a shiny new file which contains the issuer CA chain, ID cert, and ID cert private key all in one PKCS12 bundle, which should upload to the FTD without complaining and be accepted and ready for use.
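The following script is an added example, not part of the original post: it runs the three steps above end to end, non-interactively, against a constructed throwaway PKI (a root CA, an issuing CA and a wildcard identity cert) and then checks that the rebuilt pfx really carries the chain. Every name, passphrase and file path in it is an assumption; the pfx you receive from your CA replaces id_cert.pfx and the chain file replaces issuer_CA_chain.crt.

```shell
#!/bin/sh
# Added example (not from the post): the three OpenSSL steps, run end to end
# on a constructed throwaway PKI so everything works offline and the result
# can be checked. Every name, passphrase and file path here is an assumption.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed test material standing in for what you would receive from the CA:
# a root CA, an issuing (intermediate) CA, a wildcard identity cert, and the
# "pre-issued" pfx that holds only the leaf cert and its key (no chain).
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > leaf.ext

    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile ca.ext -out root.crt 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out int.crt 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.com" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

    # The pre-issued bundle: leaf + key only, protected by the import passphrase.
    openssl pkcs12 -export -in leaf.crt -inkey leaf.key -name "*.example.com" \
        -passout pass:importpass -out id_cert.pfx
    # The issuer chain as a CA typically hands it out: issuing CA first, root last.
    cat int.crt root.crt > issuer_CA_chain.crt
}

# Steps 1-3 from the post. -passin/-passout stand in for the interactive prompts.
rebuild_pfx() {
    # 1. Extract the private key; it is written PEM-encrypted under keypass.
    openssl pkcs12 -in id_cert.pfx -nocerts -out privateKey.key \
        -passin pass:importpass -passout pass:keypass
    # 2. Extract the identity certificate.
    openssl pkcs12 -in id_cert.pfx -nokeys -out id_cert.crt -passin pass:importpass
    # 3. Re-bundle cert + key + issuer chain into one PKCS12 with a friendly name.
    openssl pkcs12 -export -out newID_CERT.pfx -inkey privateKey.key -passin pass:keypass \
        -in id_cert.crt -certfile issuer_CA_chain.crt \
        -name "*.example.com" -passout pass:newPassphrase
}

# Number of certificates (leaf + chain) stored in a pfx: the original holds 1,
# the rebuilt one 3.
count_certs_in_pfx() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# Prints "ok" if the leaf inside the pfx chains up to root.crt using only the
# CA certs carried in the same pfx, i.e. the bundle is self-sufficient.
verify_chain_in_pfx() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out bundled_leaf.crt
    openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" -out bundled_chain.crt
    if openssl verify -CAfile root.crt -untrusted bundled_chain.crt bundled_leaf.crt >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_test_pki
rebuild_pfx
echo "certs in id_cert.pfx:    $(count_certs_in_pfx id_cert.pfx importpass)"
echo "certs in newID_CERT.pfx: $(count_certs_in_pfx newID_CERT.pfx newPassphrase)"
echo "chain check:             $(verify_chain_in_pfx newID_CERT.pfx newPassphrase)"
```

Two practical notes on the real run: if the pfx you were handed already contains extra certificates, `-clcerts` in step 2 limits the output to the identity certificate (the one paired with the key), so the chain is not duplicated in step 3; and OpenSSL 3 encrypts an exported pfx with AES-256-CBC and PBKDF2 by default, so an importer that only understands the older RC2/3DES PKCS12 format needs the bundle produced with the `-legacy` option added to the step 3 command.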
Lead Network Engineer at SSM
2 years
Hands down the best explanation I have found for updating or adding a new certificate to the FMC for an FTD. This quickly resolved the failed certificate issue for our corporate environment.