topic Re: Cannot Import HTTPS Certificate into FMC - SAN attribute in Network Security

Cannot Import HTTPS Certificate into FMC - SAN attribute

AlexanderD — Tue, 22 Dec 2020 16:19:41 GMT

Hi,

I'm using Cisco Firepower Management Center 1000 version 6.3.0.2. I tried to renew the HTTPS-Certificate under System -> Configuration -> HTTPS Certificate. I generated new certificate our CA and later I tried to import the new certificate. But I got an error (Invalid certificate).

My CA requires a SAN attribute, but the CNAME attribute is optional. CSR's FMC out-of-the-box not supported SAN attribute . Is there a solution to this problem?

Re: Cannot Import HTTPS Certificate into FMC - SAN attribute

Marvin Rhoads — Tue, 22 Dec 2020 16:42:42 GMT

Create your CSR separately from FMC using openssl or something like XCA (Windows freeware). Submit it to the CA and get the signed certificate. Then import the signed certificate and private key into FMC.

Re: Cannot Import HTTPS Certificate into FMC - SAN attribute

AlexanderD — Tue, 22 Dec 2020 17:42:02 GMT

@Marvin Rhoads

I have already issued the certificate directly on our CA (Unipass). I tried to import the separately keys (public, private, chain) without success. What's the advantage of creating CSR using openssl versus importing a signed certificate?

Our CA not supported other templates.

Re: Cannot Import HTTPS Certificate into FMC - SAN attribute

Marvin Rhoads — Tue, 22 Dec 2020 18:08:49 GMT

When you generate a CSR using a tool such as I suggested you have complete control over which fields are included (SAN, CN etc.). That way you can include both the SAN that your CA requires as well as the CN which FMC requires.