topic FMC Audit log Certificate error in Network Security

FMC Audit log Certificate error

AMadjeski — Thu, 27 Jul 2023 10:01:08 GMT

I generated a CSR from my FMC for an Audit Log Certificate. I sent that to our PKI admin and he generated a certificate.

When I try to import the certificate I get the following error:

Error

Unable to identify certificate purpose

Any guidance is greatly appreciated.

Re: FMC Audit log Certificate error

Mark Elsen — Thu, 27 Jul 2023 12:15:48 GMT

- Note that for an audit log certificate the FMC Server Certificate must include the clientAuth extended key usage ,

Re: FMC Audit log Certificate error

AMadjeski — Thu, 27 Jul 2023 12:20:48 GMT

Thanks for the response. Can you give me a little more detail on that?

Where do I check to see if that is included?

Does that need to be set prior to generating the CSR for the Audit Certificate?

Re: FMC Audit log Certificate error

Mark Elsen — Thu, 27 Jul 2023 12:34:52 GMT

- Review this article : https://access.redhat.com/solutions/28965 and check your certificate and or generate as needed ,
(look for clientAuth in the document)

Re: FMC Audit log Certificate error

Mark Elsen — Thu, 27 Jul 2023 12:53:51 GMT

- (adding) :

To generate a CSR certificate with clientauth with clientauth parameter included, you can use the following OpenSSL command:

openssl req -new -newkey rsa:4096 -nodes -keyout client.key -out client.csr -clientauth

This command will generate a CSR certificate with the clientauth parameter included. The clientauth parameter tells the CA that the certificate will be used for client authentication.

Here is an explanation of the command line arguments:

-new - This tells OpenSSL to generate a new CSR certificate.
-newkey rsa:4096 - This tells OpenSSL to generate a new RSA key with a key size of 4096 bits.
-nodes - This tells OpenSSL to generate a key without a password.
-keyout client.key - This specifies the output file for the private key.
-out client.csr - This specifies the output file for the CSR certificate.
-clientauth - This tells OpenSSL to include the clientauth parameter in the CSR certificate.

Once you have run the command, you will have a CSR certificate with the clientauth parameter included. You can then submit the CSR certificate to a CA to be signed.

Re: FMC Audit log Certificate error

AMadjeski — Thu, 27 Jul 2023 13:23:42 GMT

I am assuming I should do this from expert mode. I am getting a "Unrecognized flag clientauth" error

Re: FMC Audit log Certificate error

Mark Elsen — Thu, 27 Jul 2023 13:47:50 GMT

- Could be , I haven't tried it myself or generate the certificate
externally and import it ,

M.

Re: FMC Audit log Certificate error

AMadjeski — Mon, 31 Jul 2023 07:33:57 GMT

I still have not found a resolution to this. Has anyone else experienced this issue?

Re: FMC Audit log Certificate error

daveschw — Sun, 10 Dec 2023 22:44:41 GMT

I was able to get passed the "Unable to identify certificate purpose" error. I see the new cert info in the browser, but still get a certificate error in the browser, not FMC specifically. Working on that. I believe it's my DNS.

I used an Ubuntu Linux server where I already created a CA to respond to CSRs for my internal lab. You can also use a third part service. My steps are specific to the Linux box.

Here's what I did to get passed the error:

In FMC click on the System settings cog -> Configuration -> HTTPS Certificate -> Generate NEW CSR
Fill in the pop-up form information.
Copy the PEM to a simple text editor.
Paste the PEM into your favorite text editor and then save it. Make sure the name you give it ends with .csr so you know what this file is for when you look at it again in the future.
Create a new extension file called v3.ext in your favorite text editor.

Put this inside the file and save it:

subjectAltName = DNS:fmcname.domain.local
extendedKeyUsage = serverAuth, clientAuth

Run this command in the Linux box to create a CSR response that the FMC will accept. Depending upon which directory you are doing this in, you may need to use sudo.

openssl x509 -req -sha256 -in fmcname.domain.local.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out fmcname.domain.local.cert.pem -days 1000 -extfile v3.ext

Check the purpose of the certificate you just created with this command.
```
openssl x509 -noout -text -purpose -in fmcname.domain.local.cert.pem
```
Look for the Subject Alternative Name and Extended Key Usage in your output to match the v3.ext file contents.
View the new certificate PEM contents and copy to clipboard.
Back in FMC, click "Import HTTPS Server Certificate".
Paste clipboard contents into the "Server Certificate" section.
Click the "Save" button.

You should expect to not receive a "Unable to identify certificate purpose" error and also see the "Current HTTPS Server Certificate" information update.

If you are not getting the same behavior, please post here. If this post helped you, please give it a thumbs up.

Securely,

Dave

Re: FMC Audit log Certificate error

Marvin Rhoads — Mon, 11 Dec 2023 03:51:46 GMT

Basically this stems from the certificate template used by the issuing CA. As noted, tweaking the parameter in the CSR can sometime override this.