topic Re: Firepower: exporting private key of Self-signed certificate in Network Security

Firepower: exporting private key of Self-signed certificate

cpaquet — Wed, 12 Aug 2020 00:07:49 GMT

How can I download (export) the private key of the self-signed certificate created through Object > PKI > Internal CAs ?

The Firepower self-signed certificate is to be installed on corporate computers as Trusted Authority and used by FTD for outbound SSL decryption. If so, the private key needs to be backup, but I can't find where. Under Internal CAs, I see how to download the self-signed cert, but not how to export its key private.

Thank you.

Re: Firepower: exporting private key of Self-signed certificate

Francesco Molino — Wed, 12 Aug 2020 02:25:22 GMT

Hi

To do ssl decryption, on objects management window, under PKI/Internal CAs, generate a self signed CA and use it in your ssl policy.
What you need is to export this certificate and add it into your machine on the trusted CA vault. Private key isn't needed here.

Re: Firepower: exporting private key of Self-signed certificate

Mohammed al Baqari — Wed, 12 Aug 2020 05:29:30 GMT

Hi,

If it you enabled exportable during the certificate generation then from
CLI you can do it as follow

crypto ca export pkcs12

**** please remember to rate useful posts

Re: Firepower: exporting private key of Self-signed certificate

cpaquet — Wed, 12 Aug 2020 19:31:40 GMT

Mohammed, I'm on the PKI > Generate Internal Certificate Authority window, to generate a new Self-signed cert from FMC, but I don't see an option to make that cert / key pair exportable. I have attached the screen capture.

Re: Firepower: exporting private key of Self-signed certificate

cpaquet — Wed, 12 Aug 2020 19:37:07 GMT

Francesco, my post is mentioning the private key because we want to backup in case we need to restore FMC. We know that the private key is not needed on workstation to perform SSL decrypt; that only the root cert of the signing authority of FMC identity cert needs to be installed on the certificate store of inside hosts (and in both stores: default window store used by Chrome, IE, Edge, etc) and in Firefox cert store.) Again, my question is: how do I export, for backup, the private key of a FMC Self-Signed certificate.

Regards.

Re: Firepower: exporting private key of Self-signed certificate

Francesco Molino — Fri, 14 Aug 2020 03:03:32 GMT

Sorry, my bad I didn't understood your question.

So when you go into FMC, under objects/PKI/Internal CA, click on edit icon on your selfsigned Internal CA.

It will prompt you a password and export a p12 file.

Once you have the p12 file exported, run the following command:

openssl pkcs12 -info -in nameofyourexportedfile.p12 -nodes

This command will ask you to type in a password which is the one you typed in FMC at the export step.

It will show you your certificate and private key.

Re: Firepower: exporting private key of Self-signed certificate

cpaquet — Thu, 03 Sep 2020 00:28:19 GMT

Thanks Francesco for the help. However, I dont get the result you are suggesting.

When I got to FMC > Objects > Objects Management > PKI > Internal CAs and I edit the Self-Signed certificate. contrary to what you wrote, I am not "prompt you a password and export p12. " When I click edit on the self-signed certificate, it just opens the Self-Signed cert where the only editable field is the Name of the object. All the other fields are none-editable. The only button is DOWNLOAD, which downloads the .p12 in the Download folder of the local computer from which FMC is being accessed. I have attached the screen capture - no export functionality.

Question: are you sure that the step you are describing with the capabilities to export are available to self-signed certificates? Or wouldn't this functionality be reserved only to identity cert signed by a Trusted Authority?

Regards,

Cath.

Re: Firepower: exporting private key of Self-signed certificate

Marvin Rhoads — Thu, 03 Sep 2020 03:44:31 GMT

For self-signed certificates we don't have the option of either making the key exportable when creating them or exporting it later.

If it's a virtual FMC you can backup the entire VM from outside of FMC (e.g a VMware snapshot).

If you want just the key and certificate then don't use self-signed. Generate the key and csr externally using openssl (cli) or XCA (open source Windows GUI-based tool) and save the key and issued certificate from your internal CA using those tools.

Re: Firepower: exporting private key of Self-signed certificate

cpaquet — Thu, 03 Sep 2020 22:45:40 GMT

Thank you Marvin for the straight answer. Much appreciated.

Re: Firepower: exporting private key of Self-signed certificate

Francesco Molino — Thu, 03 Sep 2020 23:20:51 GMT

Here is a self signed certificate that I can export without problem.

I'm sorry to hear you can't do it.