CISCO FTD - Generate and Renew Let's Encrypt Digital Certificates

Hello, Everyone.

We intend to enable AnyConnect VPN on our CISCO Firepower Threat Defense with a digital certificate from Let’s Encrypt.

I would like to know if anyone has a step-by-step guide to generate and, more importantly, automatically renew Let’s Encrypt digital certificates for CISCO FTD (Cisco Firepower 2130 Threat Defense v6.3), since those certificates have relatively short lifetimes.

Thanks in advance.

1 Like

I’m trying to wrap my head around this…

Well, first of all, welcome to the LE community forum.

I don’t understand the “security model” (maybe because I don’t use Cisco products).
How does one validate a VPN connection, when the endpoint certificate is NOT issued by a trusted local CA and will continue to change every few months…?
I can only presume (as it is the only “constant”) that it is purely FQDN based.
But that scares me a bit and I would have to understand the “security model” to … “sleep at night”.

Anyway, your request is very very very specific and I think you might want to also open a similar topic in a Cisco VPN forum. Maybe someone has done it before (even if generically with any other CA) and you can use their instructions with LE.

1 Like

Hi, Mr. Rudy Gomez.

The truth of the matter is that CISCO wants to sell you their products and I believe they have a specific solution for this requirement. I was trying to find some alternative free solution for this purpose.

Anyway, I appreciate your concern and I’ll try to post the question on the Cisco VPN Forum, although I think the answer from that community will look like a CISCO solution for automatically renewing certificates.

Thanks for replying.

1 Like

@fraga, I appreciate the formality, but it is quite unnecessary in this “community” forum.

If you find anything that shows “how” CISCO does it, maybe we can alter that procedure to use LE certs.
Of course this is likely a “first-time” look, and attempt at it, so don’t expect too much at the onset and bear with us - there are plenty here willing to take on such a “challenge” [myself included 🙂].

1 Like

Typically Let’s Encrypt won’t result in a very good experience unless you can get some kind of official software integration between the device that needs the certificate and Let’s Encrypt (or at least an API that a Let’s Encrypt client can use). If Cisco doesn’t have that for these devices and doesn’t want to provide it, it’s probably not going to work out well.

I hope you can let us know what Cisco and the user community have to say about this—if there are relevant APIs that the device offers for remote management, we might be able to figure something out even if the device itself doesn’t run an ACME client to get certificates directly from Let’s Encrypt.

2 Likes
