Import certificate for Firepower Remote Access VPN

This guide uses a DigiCert certificate, but any certificate bundle would work.

The easiest way to do this is to use a PKCS12 file. The CSR, key, and PFX file are generated on Linux. Save settings as needed.

First, on the Linux host, create a CSR that DigiCert will use to issue the certificate. The following command generates two files, domain.key and domain.csr. Use the contents of domain.csr to generate the certificate in DigiCert. The -nodes option writes domain.key without a passphrase, so restrict access to that file.

openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Download the certificate file from DigiCert using the “A single .pem file containing all certs” option. Use the following command to generate a PKCS12 bundle. domain.pem is the certificate file you downloaded from DigiCert, domain.key is the key generated by the first command, and domain.pfx is the file you will import into the Firepower FMC. OpenSSL prompts for an export password, which encrypts the bundle.

openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.pem

Navigate to Objects → PKI → Cert Enrollment → Add Cert Enrollment

Choose PKCS12 file in the Enrollment Type dropdown. Select domain.pfx and click Save.

Navigate to Devices → Certificates → Add

Select your target device and the enrollment you created in the previous steps, then click Add.

Navigate to Devices → VPN → Remote Access and edit your target device.

Click on the Access Interfaces tab.

In SSL Global Identity Certificate and IKEv2 Identity Certificate, select the Enrollment Cert you created in the previous steps.

Save and deploy.
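
A check worth running on the Linux host before domain.pfx is uploaded: confirm that domain.key really belongs to the certificate in domain.pem and that the bundle opens with its export password. The script below is an added example, not part of the original guide. The function names, the PFX_PASS variable, other.key and the vpn.example.com subject are assumptions, and a self-signed certificate stands in for the DigiCert-issued domain.pem so the demo runs offline.

```shell
#!/bin/sh
# Added example: sanity checks on domain.key / domain.pem / domain.pfx before import.

# Succeed only if the private key ($1) matches the first certificate in the
# PEM file ($2), by comparing their public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print how many certificates the PKCS12 file ($1) holds. The export password
# is read from the PFX_PASS environment variable, not the command line.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Build constructed stand-in files in directory $1. A self-signed certificate
# plays the role of the DigiCert-issued domain.pem; other.key is unrelated.
make_demo_files() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
        -keyout "$1/domain.key" -out "$1/domain.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/domain.csr" -signkey "$1/domain.key" -days 1 \
        -out "$1/domain.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl pkcs12 -export -out "$1/domain.pfx" -inkey "$1/domain.key" \
        -in "$1/domain.pem" -passout env:PFX_PASS 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    PFX_PASS='constructed-demo-password'; export PFX_PASS   # constructed value
    make_demo_files "$d" || { rm -rf "$d"; return 1; }
    key_matches_cert "$d/domain.key" "$d/domain.pem" &&
        echo "domain.key matches domain.pem"
    key_matches_cert "$d/other.key" "$d/domain.pem" ||
        echo "other.key does NOT match domain.pem"
    echo "certificates in domain.pfx: $(pfx_cert_count "$d/domain.pfx")"
    rm -rf "$d"
}

demo
```

With the real files, export PFX_PASS with the bundle's export password and call key_matches_cert domain.key domain.pem and pfx_cert_count domain.pfx directly. A count above 1 is expected when domain.pem carries the intermediate and root certificates as well.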