Skip to main content



Cisco Defense Orchestrator

Replacing the Certificate on the ASA FirePOWER module 6.2.2 and Firepower Threat Defense 6.2.2

This procedure is a prerequisite to onboarding an ASA FirePOWER module version 6.2.2 or a Firepower Threat Defense (FTD) version 6.2.2 device. 

To replace the self-signed certificate used by the management interface on the ASA FirePOWER module 6.2.2 and on Firepower Threat Defense (FTD) 6.2.2, you need to generate a new certificate and store it on the disk in the /ngfw/etc/ssl directory for FTD or the /etc/ssl directory for the ASA FirePOWER module, in place of the server.crt and server.key files.

To replace the certificate on an ASA FirePOWER module 6.2.2 or FTD 6.2.2 follow this procedure:

  1. Log in to the FTD or ASA FirePOWER module using the appropriate steps:
  • Log in to FTD: To log in to an FTD device, simply connect to it via SSH using your administrator username and password.
  • Log in to the ASA FirePOWER module:
  1. SSH to the ASA.
  2. Type enable at the command prompt and enter your administrator password when prompted.
  3. Enter session sfr to connect to the ASA FirePOWER module.
  4. Enter your administrator username and password.
  5. At the ASA FirePOWER module prompt, type expert to enter into a shell.
  1. Elevate your privileges to the root user by typing sudo su at the prompt. For example:

admin@firepower:~$ sudo su

  1. When prompted, enter the admin password.
  2. Connect to the directory where the server.crt and server.key files are stored:
  • On the FTD, connect to the /ngfw/etc/ssl directory.
  • On the ASA FirePOWER module, connect to the /etc/ssl directory. 
  1. Move or rename the existing server.crt and server.key files in the directory in case you need to restore them. 
  2. Using OpenSSL, generate a new self-signed certificate using this command: 

openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes

  1. Reboot the ASA FirePOWER module or FTD device.
  • Was this article helpful?