Troubleshooting Threat Defense Certificates

See Secure Firewall Threat Defense VPN Certificate Guidelines and Limitations to determine if variations in your certificate enrollment environment may be causing a problem. Then consider the following:

  • Ensure there is a route to the CA Server from the device.

    If the CA Server's host name is given in the Enrollment Object, use Flex Config to configure DNS appropriately to reach the server. Alternatively, use the IP Address of the CA Server.

  • If you are using a Microsoft 2012 CA Server, the default IPsec Template is not accepted by the managed device and must be changed.

    To configure a working template, follow these steps, using the Microsoft CA documentation as a reference.

    1. Duplicate the IPsec (Offline Request) template.

    2. In Extensions > Application policies, select IP security end system, instead of the IP security IKE intermediate.

    3. Set the permissions and the template name.

    4. Add the new template and change the registry settings to reflect the new template name.

  • On the management center, you might receive the following health alert related to the threat defense device:

    Code - F0853; Description - default Keyring's certificate is invalid, reason: expired

    In such cases, use the following command to regenerate the default certificate in CLISH CLI:

    > system support regenerate-security-keyring default

  • A red cross appears in the CA certificate status with the following error:

    Fail to configure CA certificate

    Solution: See Troubleshoot Certificate Error on FMC.

  • To check the list of the certificates in a .pfx file, use tools such as certutil or openssl. The output shows the whole chain: the identity certificate, the SubCA certificate, and the CA certificate (if any).

    • certutil -dump cert.pfx

    • openssl pkcs12 -info -in cert.pfx
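    As an added example that is not part of the Cisco guide, the following POSIX shell script wraps the openssl command above to report every certificate carried in a .pfx bundle with its subject, issuer and expiry date, and flags any certificate that has already expired (the same condition that triggers the F0853 keyring alert). The bundle it inspects is constructed for the demo: the names Example Lab CA and ftd.example.test, the 30-day validity and the password demo-pass are placeholders, and make_demo_pfx exists only to produce that test input; the script requires the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: report every certificate carried in
# a .pfx (PKCS#12) bundle and flag expired ones. Requires the openssl CLI.

# pfx_chain_report FILE PASSWORD
# Prints one line per certificate in the bundle (identity, SubCA, CA):
#   <subject> | issuer: <issuer> | notAfter: <date> | valid|EXPIRED
# Returns 1 if no certificate could be read (bad path or wrong password).
pfx_chain_report() {
  pfx="$1"; pass="$2"
  tmp=$(mktemp -d)
  # -nokeys dumps only the certificates; awk splits the PEM stream into one
  # file per certificate so each can be inspected with openssl x509.
  openssl pkcs12 -in "$pfx" -nokeys -passin "pass:$pass" 2>/dev/null |
    awk -v d="$tmp" '
      /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert." n }
      f { print > f }
      /-----END CERTIFICATE-----/   { close(f); f = "" }'
  count=0
  for c in "$tmp"/cert.*; do
    [ -f "$c" ] || continue
    count=$((count + 1))
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
    end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
    # -checkend 0 succeeds only while the certificate is still inside its validity period.
    if openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
      state=valid
    else
      state=EXPIRED
    fi
    printf '%s | issuer: %s | notAfter: %s | %s\n' "$subj" "$iss" "$end" "$state"
  done
  rm -rf "$tmp"
  [ "$count" -gt 0 ]
}

# make_demo_pfx OUTFILE PASSWORD
# Builds a constructed two-certificate bundle (self-signed lab CA plus an
# identity certificate it signed) so the report can be exercised offline.
# All names here are placeholders, not values from any real deployment.
make_demo_pfx() {
  out="$1"; pass="$2"
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Lab CA" -days 365 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/id.key" -out "$dir/id.csr" \
    -subj "/CN=ftd.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/id.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/id.crt" -days 30 >/dev/null 2>&1
  # -certfile adds the CA to the bundle, mirroring an exported identity + chain.
  openssl pkcs12 -export -inkey "$dir/id.key" -in "$dir/id.crt" -certfile "$dir/ca.crt" \
    -out "$out" -passout "pass:$pass" >/dev/null 2>&1
  rm -rf "$dir"
}

# Stand-alone demo:  sh pfx_report.sh --demo
case "${1:-}" in
  --demo)
    demo=$(mktemp)
    make_demo_pfx "$demo" demo-pass
    pfx_chain_report "$demo" demo-pass
    rm -f "$demo" ;;
esac
```

    Run against a real bundle as `pfx_chain_report cert.pfx 'your-import-password'`; an identity certificate whose line ends in EXPIRED, or a bundle that yields only one line where a SubCA was expected, explains a failed import or an expired-keyring alert before the certificate ever reaches the device.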

  • The following error appears:

    Identity certificate import required

    Solution: See Troubleshoot Certificate Error "Identity certificate import required" on FMC.