Cisco Support Community

Latest version of CSAMC5.2 - if domain suffix changed, need new cert?

I know if MC name is changed, then the certificate has to be recreated along with other steps. How about if only the domain suffix is changed but the name stays the same? Will the agents still be okay?


Re: Latest version of CSAMC5.2 - if domain suffix changed, need

Hi William,

This is a good question and the first time I have heard it.

My answer is no because a fully qualified domain name (FQDN) includes the domain suffix which you want to change.

The FQDN, as you well know, is necessary when the Agent Kit is created on the CSA MC. This kit includes both the FQDN and the Certificate necessary for Agents to communicate with CSAMC.

As a bit of a review I googled FQDN and here is a definition:

"A fully qualified domain name consists of a host and domain name, including top-level domain. For example, is a fully qualified domain name. www is the host, webopedia is the second-level domain, is the top level domain.

A FQDN always starts with a host name and continues all the way up to the top-level domain name, so is also a FQDN."

Hope this helps.

Please rate all useful responses.




Re: Latest version of CSAMC5.2 - if domain suffix changed, need

That's what I thought; the domain suffix change will be the same as a hostname change. I will need to follow the steps for a hostname change (recreating certs, refreshing agent kits, reinstalling agents, etc.).

Interesting note: when you install CSACC 5.2 in a standalone workgroup, if the domain suffix is not manually defined, the CSAMC setup does not pick it up from the Ethernet properties. The "Primary DNS suffix of this computer" has to be manually defined for the installer to have the proper fully qualified domain name, which is what the agent kits will make use of.


Re: Latest version of CSAMC5.2 - if domain suffix changed, need

Hi William,

I agree with Paul that you do not need to recreate the cert and redeploy the agent kits, even with an MC hostname change.

I don't think you need to do anything other than update your DNS records.

I did some testing by changing the MC hostname and domain suffix and the only hiccup I found was that accessing the MC through the browser will always prompt because the certificate will never match.

The host still found the MC as long as it could resolve the FQDN through DNS.

If I missed something, let me know.

