We manage AnyConnect VPN gateways for several customers. Every 90 days, someone's Let's Encrypt certificate expired and we'd get the call. Export CSR, submit to ACME, download cert, import, apply, verify. Multiply that by a dozen ASAs and you've burned a morning on certificate busywork.
Cisco finally added native ACME support in ASA 9.23.1. The firewall handles enrollment and auto-renewal itself. No external tooling, no calendar reminders.
Why This Matters Now
Let's Encrypt's 90-day certificates were just the beginning. The CA/Browser Forum passed Ballot SC-081, and the industry is moving to even shorter lifetimes. DigiCert's breakdown of the timeline:
- March 2026: Maximum 200 days validity
- March 2027: Maximum 100 days validity
- March 2029: Maximum 47 days validity
By 2029, even commercial certificates will need renewal every 47 days. Manual processes won't scale. If you're not automating certificate management now, you're building technical debt.
The good news: ACME works with any compliant CA, not just Let's Encrypt. Once you have automation in place, the shrinking validity windows become a non-issue.
Requirements
- ASA 9.23.1 or later (9.24 recommended for bug fixes)
- TCP port 80 reachable from the internet on the enrollment interface while the HTTP-01 challenge runs (the ASA answers the challenge itself, so upstream ACLs and any NAT in front of it must pass port 80, not just 443)
- DNS A record pointing your FQDN to the enrollment interface IP (and, if you publish an AAAA record, it must point there too; the CA will use it)
- ISRG Root X1/X2 in your trustpool (pre-installed on recent ASA versions)
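The two requirements that actually fail in practice are the DNS records and port 80, and neither can be checked from the ASA itself because the CA validates from the internet. The following is an added pre-flight check for this post, not Cisco code or the author's. It assumes the trustpoint FQDN vpn.example.com from the configuration below and 203.0.113.10 (a documentation address) as the enrollment interface IP; the resolver and connector are injectable so the logic can be exercised without network access. Run it from outside your network.

```python
"""Pre-flight check for the ACME HTTP-01 requirements.

Added example for this post; not Cisco code or the post author's.
Assumptions: the trustpoint FQDN vpn.example.com from the post, and
203.0.113.10 (a documentation address) as the enrollment interface IP.
Run it from outside your network: the CA validates from the internet,
so a check from the LAN proves nothing about upstream ACLs or NAT.
"""
import socket
import sys
from typing import Callable, Iterable


def resolve_all(fqdn: str) -> set[str]:
    """Every A and AAAA address published for fqdn, as the CA sees them.

    Let's Encrypt prefers the AAAA record when one exists, so a stale
    IPv6 record pointing at another host fails the challenge even when
    the A record is correct.
    """
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_dns(fqdn: str, expected_ips: Iterable[str],
              resolver: Callable[[str], set[str]] = resolve_all):
    """Return (ok, published, stray).

    ok is True only when at least one address is published and every
    published address belongs to the enrollment interface.
    """
    published = resolver(fqdn)
    stray = published - set(expected_ips)
    return (bool(published) and not stray, sorted(published), sorted(stray))


def check_tcp(host: str, port: int = 80, timeout: float = 3.0,
              connect=socket.create_connection) -> bool:
    """True when a TCP connection to host:port opens within timeout.

    HTTP-01 is served on port 80 of every address DNS returns; an
    upstream ACL or a NAT that only forwards 443 is the usual reason
    the challenge never reaches the ASA.
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(fqdn: str, expected_ips: Iterable[str],
              resolver=resolve_all, connect=socket.create_connection) -> dict:
    """Run both checks and return a dict you can assert on or print."""
    ok, published, stray = check_dns(fqdn, expected_ips, resolver)
    port80 = {addr: check_tcp(addr, 80, connect=connect) for addr in published}
    return {
        "dns_ok": ok,
        "published": published,
        "stray": stray,
        "port80": port80,
        "ready": ok and all(port80.values()),
    }


if __name__ == "__main__":
    # Usage: python preflight.py vpn.example.com 203.0.113.10 [more IPs]
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"
    expected = sys.argv[2:] or ["203.0.113.10"]
    result = preflight(fqdn, expected)
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["ready"] else 1)
```

A non-zero exit means the CA would fail the challenge too: either a published address does not belong to the ASA, or port 80 on one of them is closed from the outside.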
Configuration
Create a trustpoint with ACME enrollment parameters:
crypto ca trustpoint acme-vpn
enrollment protocol acme authentication http01 OUTSIDE
enrollment protocol acme url LetsEncrypt
enrollment interface OUTSIDE
fqdn vpn.example.com
subject-name CN=vpn.example.com
keypair rsa modulus 4096
auto-enroll 80 regenerate
validation-usage ssl-server
crl configure
The important lines:
- enrollment protocol acme authentication http01 OUTSIDE: use the HTTP-01 challenge on the OUTSIDE interface
- enrollment protocol acme url LetsEncrypt: built-in alias for Let's Encrypt's ACME directory. You can also specify a custom URL for other ACME providers
- enrollment interface OUTSIDE: interface that answers the ACME challenge
- auto-enroll 80 regenerate: renew once 80% of the validity period has elapsed, which for a 90-day Let's Encrypt certificate is day 72, leaving 18 days for retries if the CA or the challenge is unavailable. The regenerate keyword creates a new keypair on every renewal, so the public key changes each time; anything that pins the key rather than trusting the CA will break
- validation-usage ssl-server: required to validate the certificate chain against the ASA's trustpool
Running Enrollment
Authenticate the trustpoint first, then enroll. Both commands run from configuration mode:
conf t
crypto ca authenticate acme-vpn
crypto ca enroll acme-vpn
The ASA will:
- Generate the keypair (if not already present)
- Create a CSR
- Request the certificate from Let's Encrypt
- Respond to the HTTP-01 challenge on port 80
- Download and install the certificate
Watch for the enrollment to complete:
show crypto ca certificates acme-vpn
Applying the Certificate
Once enrolled, apply the certificate to your SSL/TLS services:
ssl trust-point acme-vpn OUTSIDE
For AnyConnect VPN, this makes the certificate available for client connections on the OUTSIDE interface. The same trustpoint can be referenced for other SSL services like ASDM.
Troubleshooting
Watch for these syslog messages during enrollment:
%ASA-5-717067: Starting ACME certificate enrollment
%ASA-5-717068: ACME certificate enrollment succeeded
%ASA-5-717069: ACME enrollment fails
%ASA-5-717070: Keypair regenerated for manual ACME certificate enrollment
If enrollment fails, enable ACME-specific debugging (verbosity 1–255):
debug crypto ca acme 255
Check that the ISRG root certificates are in your trustpool:
show crypto ca trustpool | include ISRG
If missing, import the Cisco-maintained bundle:
crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
Verify the enrolled certificate:
show crypto ca certificates acme-vpn
This shows the certificate serial number, validity dates, and next renewal date. If the certificate is missing or shows errors, confirm the ASA can reach the ACME server and that all domain names in the trustpoint resolve to the ASA's enrollment interface.
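Reading the validity dates by eye tells you when the certificate expires, but the question that matters operationally is whether the ASA is past its auto-enroll point and still serving the old certificate, which means a renewal silently failed. The following is an added example for this post, not Cisco code or the author's. It parses the validity block of show crypto ca certificates, computes where the auto-enroll 80 threshold falls, and optionally fetches what the OUTSIDE interface actually serves on 443 so you can confirm ssl trust-point applied the renewed certificate. The sample output is constructed to match the date layout ASA uses (HH:MM:SS UTC Mon D YYYY); if your version prints dates differently, adjust DATE_RE.

```python
"""Check an ASA ACME certificate against its auto-enroll threshold.

Added example for this post; not Cisco code or the post author's.
SAMPLE_OUTPUT is constructed, not captured from a real device, and
follows the validity-date layout ASA prints. Serial and hostname are
illustrative.
"""
import re
import socket
import ssl
import sys
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number: 04a1b2c3d4e5f60718293a4b5c6d7e8f9a0b
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Issuer Name:
    cn=R11
    o=Let's Encrypt
    c=US
  Subject Name:
    cn=vpn.example.com
  Validity Date:
    start date: 12:00:00 UTC Jan 1 2026
    end   date: 12:00:00 UTC Apr 1 2026
  Associated Trustpoints: acme-vpn
"""

DATE_RE = re.compile(
    r"(start|end)\s+date:\s+(\d{2}:\d{2}:\d{2}) UTC (\w{3}) (\d{1,2}) (\d{4})")
SERIAL_RE = re.compile(r"Certificate Serial Number:\s*([0-9a-fA-F]+)")


def parse_show_output(text: str) -> dict:
    """Extract serial, not_before and not_after (aware UTC datetimes)."""
    dates = {}
    for kind, hms, mon, day, year in DATE_RE.findall(text):
        stamp = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        dates[kind] = stamp.replace(tzinfo=timezone.utc)
    match = SERIAL_RE.search(text)
    if match is None or "start" not in dates or "end" not in dates:
        raise ValueError("no certificate with validity dates found; is the trustpoint enrolled?")
    return {"serial": match.group(1).lower(),
            "not_before": dates["start"], "not_after": dates["end"]}


def renewal_point(not_before: datetime, not_after: datetime,
                  auto_enroll_percent: int = 80) -> datetime:
    """Instant at which 'auto-enroll <percent>' fires: that share of the lifetime elapsed.

    For a 90-day certificate and 80 percent this is day 72, not day 60.
    """
    lifetime = not_after - not_before
    return not_before + lifetime * (auto_enroll_percent / 100)


def renewal_status(cert: dict, now: datetime, auto_enroll_percent: int = 80) -> str:
    """'ok' before the threshold; 'renewal-due' after it (the ASA should have
    replaced this certificate already, so check for syslog 717069);
    'expired' past not_after."""
    if now >= cert["not_after"]:
        return "expired"
    if now >= renewal_point(cert["not_before"], cert["not_after"], auto_enroll_percent):
        return "renewal-due"
    return "ok"


def live_serial_and_expiry(host: str, port: int = 443):
    """What the interface really serves, to confirm 'ssl trust-point' took effect.

    Returns (serial hex without leading zeros, notAfter as aware UTC datetime).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            peer = tls.getpeercert()
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(peer["notAfter"]), timezone.utc)
    return peer.get("serialNumber", "").lower().lstrip("0"), expiry


if __name__ == "__main__":
    # Usage: python check_cert.py [hostname]  (paste real output in place of SAMPLE_OUTPUT)
    cert = parse_show_output(SAMPLE_OUTPUT)
    now = datetime.now(timezone.utc)
    print("installed serial:", cert["serial"])
    print("renews at:", renewal_point(cert["not_before"], cert["not_after"]).isoformat())
    print("status:", renewal_status(cert, now))
    if len(sys.argv) > 1:
        served_serial, served_expiry = live_serial_and_expiry(sys.argv[1])
        same = served_serial == cert["serial"].lstrip("0")
        print("served serial matches trustpoint:", same, "expires", served_expiry.isoformat())
```

Run the status check from a monitoring host a few days after each expected renewal: a 'renewal-due' result against the certificate the ASA reports, or a served serial that differs from the one in the trustpoint, is the condition the syslog messages above will not page you about on their own.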
With the CA/Browser Forum pushing validity down to 47 days by 2029, manual renewal is a dead end regardless of the CA you use. ACME on ASA works with any compliant provider, not just Let's Encrypt. Get automation in place now and the shrinking windows become irrelevant.