FMCv 6.7 HTTPS certificate

vsurresh — Wed, 27 Jan 2021 11:47:45 GMT

Hi, all.

I'm trying to import HTTPS certificate into FMCv running 6.7 code. I'm getting an 'Error Unable to verify certificate.'

Steps I took with OpenSSL to generate the cert:

Generated CSR from the FMC
Get the CSR signed by the Internal CA.
Tried to import the cert into FMC

This is what the cert looks like:

pi@raspberrypi:~/certs $ openssl x509 -in fmc-01.packet.lan.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:5e:9c:47:6b:1a:c1:50:e2:78:2a:39:b6:b6:f0:e8:c9:e4:2b:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = London, L = Essex, O = Packetswitch, OU = IT, CN = packetswitch
        Validity
            Not Before: Jan 26 22:20:23 2021 GMT
            Not After : May  1 22:20:23 2023 GMT
        Subject: C = GB, CN = fmc-01.packet.lan, O = Packet, OU = IT, L = London, ST = London
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a2:e8:b1:00:74:7b:5f:56:3d:63:88:86:1f:4e:
                    f0:ac:47:cc:7e:64:05:03:31:0a:bc:d0:d1:e8:b2:
                    b5:6f:07:02:fa:25:00:ad:4b:ea:0a:08:0c:1e:84:
                    55:b5:83:df:a6:a2:e6:8b:52:46:e0:2b:a6:9f:d1:
                    87:7d:6b:06:74:68:f7:87:da:60:a8:9c:9e:25:fd:
                    13:1f:79:a1:5f:af:31:7e:8d:c6:4f:7c:66:ae:31:
                    c9:f5:84:ad:df:15:2d:4f:49:50:03:ea:13:1b:65:
                    24:81:b5:48:1e:6b:59:46:f9:1c:98:17:12:21:cb:
                    e4:62:a2:07:ac:15:06:04:46:97:e5:3c:6a:3d:55:
                    f0:33:5b:b2:45:8f:e7:3d:81:60:5f:ce:ae:a5:b6:
                    02:31:ba:02:c0:8a:3a:c8:b7:c6:dc:6c:d1:ba:3f:
                    d8:98:28:43:e0:8e:07:56:68:5f:bf:55:f7:af:2c:
                    60:cf:68:1e:bb:e1:51:c4:0e:a6:8b:10:2b:38:87:
                    4e:b7:02:9f:e7:86:f9:83:db:84:29:fe:5f:94:70:
                    56:50:d9:31:aa:e9:4e:ac:9f:5f:c3:b4:03:42:ab:
                    28:67:f4:cc:b7:d2:28:e6:dd:8f:e1:12:1a:67:d1:
                    a3:5c:80:b4:c9:0d:9e:1d:f6:f2:cb:77:94:a8:1f:
                    6b:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:7E:32:E8:AF:7D:AC:29:85:68:64:B4:60:AF:FD:FC:EA:83:CA:38:8E

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:fmc-01.packet.lan
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                02:55:85:ED:D9:1F:BC:4D:FD:A8:AC:18:0D:E7:8D:A3:8E:24:11:EF
    Signature Algorithm: sha256WithRSAEncryption
         c7:15:89:6f:fa:c1:eb:f8:63:c0:76:db:3d:67:98:9a:1f:84:
         65:94:bd:8e:ce:e8:cf:bd:db:f2:35:fc:4b:ca:fb:16:6b:f3:
         0b:34:14:d4:35:a9:8f:22:3b:6c:f5:7e:6e:41:0d:10:4a:a1:
         e9:a0:6e:07:20:d4:84:d2:1c:17:01:f7:e5:e1:46:ce:48:e0:
         0f:94:7d:ce:3f:a3:05:01:78:76:5b:ed:b7:35:e5:2a:fd:26:
         62:5e:78:90:2c:2b:b3:36:95:2a:c0:8a:34:1c:4b:41:49:b3:
         e2:44:ee:56:74:d0:17:ef:1e:6a:9b:a1:ec:4f:11:4c:64:78:
         c0:e2:f5:be:a2:d9:15:a3:96:5c:61:2a:65:f8:f8:84:b4:d2:
         81:38:c8:cb:48:cc:15:82:ae:25:44:b4:ae:e6:d3:be:33:81:
         cc:c9:4c:93:8f:2b:1e:90:32:a0:8a:a1:00:ee:d9:a3:4e:2a:
         81:a7:fd:d7:38:91:b7:2e:1d:79:9c:7b:6d:3a:a2:9d:69:8c:
         52:d8:c8:37:f8:cd:eb:ce:8d:0f:d7:33:81:2b:f3:89:ca:90:
         94:86:dd:cf:a5:18:a8:eb:93:65:d6:fc:d7:a8:f9:41:07:56:
         ab:7e:5a:ed:ca:13:9a:74:2a:b3:6a:32:86:10:0d:a1:a3:ad:
         c9:58:34:5b

This is the OpenSSL config I used.

pi@raspberrypi:~/certs $ cat fmc-01.txt 
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash

[req]
req_extensions = v3_req

[alt_names]
DNS.1 = fmc-01.packet.lan

Note - If I set the basic constraints to FALSE, I get a different error 'Error Basic constraints are not critical or not defined.'

Thanks

Re: FMCv 6.7 HTTPS certificate

Mohammed al Baqari — Wed, 27 Jan 2021 12:25:20 GMT

Hi,

When you sign the certificate, try to export it from CA using password
protection then import to FMC with option encrypted check and enter the
password.

**** please remember to rate useful posts

Re: FMCv 6.7 HTTPS certificate

Marvin Rhoads — Wed, 27 Jan 2021 12:35:52 GMT

Are you importing the certificate and private key combined? Your FMC will need both in order to present the certificate as its own.

Re: FMCv 6.7 HTTPS certificate

vsurresh — Wed, 27 Jan 2021 12:39:23 GMT

Hi, Marvin.

I created the CSR on the FMC and get it signed by the internal CA. I believe the private key stays with FMC and we won't have access via the GUI.

Re: FMCv 6.7 HTTPS certificate

vsurresh — Wed, 27 Jan 2021 15:13:29 GMT

I managed to fix it by setting the basic constraints field. Thanks, everyone.

pi@raspberrypi:~/certs $ cat fmc-01.txt 
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash

[req]
req_extensions = v3_req

[alt_names]
DNS.1 = fmc-01.packet.lan

topic FMCv 6.7 HTTPS certificate in Network Security

FMCv 6.7 HTTPS certificate

Re: FMCv 6.7 HTTPS certificate

Re: FMCv 6.7 HTTPS certificate

Re: FMCv 6.7 HTTPS certificate

Re: FMCv 6.7 HTTPS certificate