topic Re: Unable to import server certificate to FMC in Network Security

Unable to import server certificate to FMC

lyutov_dv — Fri, 21 Feb 2020 14:41:42 GMT

hi
I'm trying to import server certifacate issued by our corporate CA to FMC, but i always get error "Unable to verify certificate."

In /var/log/httpd/httpsd_error_log i see errors:

[Thu Nov 09 08:59:37.040550 2017] [cgi:error] [pid 27221] [client 10.12.91.238:33111] AH01215: No such file or directory:/etc/sf/crl.conf at /usr/local/sf/lib/perl/5.10.1/SF/X509Certificates.pm line 919.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://fmc.isd.lamoda.tech/admin/https_cert.cgi
[Thu Nov 09 08:59:37.040652 2017] [cgi:error] [pid 27221] [client 10.12.91.238:33111] AH01215: (Unable to verify certificate.) in /usr/local/sf/htdocs/admin/https_cert.cgi:163 at /usr/local/sf/lib/perl/5.10.1/SF.pm line 120.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://fmc.isd.lamoda.tech/admin/https_cert.cgi

I checked directory /etc/sf/ and there is no crl.conf in it.

What might be a reason?

Re: Unable to import server certificate to FMC

Bogdan Nita — Thu, 09 Nov 2017 14:05:56 GMT

Which version is the FMC running ?

You might be hitting the bug CSCvf42713

Re: Unable to import server certificate to FMC

lyutov_dv — Thu, 09 Nov 2017 14:50:40 GMT

Perhaps... buy it has fixed status in 6.2.2.1 version
and i upgrade my fmc to 6.2.2.1 and this problem still exists

Re: Unable to import server certificate to FMC

ddefoort — Fri, 17 Nov 2017 22:42:49 GMT

I currently have a tac open on this myself. I too am at 6.2.2.1-73

Re: Unable to import server certificate to FMC

Richard Krug — Wed, 22 Nov 2017 06:00:04 GMT

Cisco bug CSCvg28901 matches this:

Symptom:
Certificate with Basic Constraints extension not critical will not be imported on FMC or sensor with error:
Unable to install certificate

I modified the extensions in my "server_cert" block, and changed to look like this:

#basicConstraints = CA:FALSE

basicConstraints = critical, CA:FALSE

I again signed the certificate, and this time was able to import it.

This link provides a good explanation as to why this is needed, but it seems to be related to signing with an intermediate CA.

Re: Unable to import server certificate to FMC

sultan.ahmed21 — Wed, 06 Dec 2017 09:53:01 GMT

How do you make basic constraints critical? Could you please explain a bit.

Re: Unable to import server certificate to FMC

rolszowy — Thu, 07 Dec 2017 09:38:11 GMT

It all depends what do you use for issuing certificates. You can open your certificate in XCA, it's a free tool which allows you to work on certificates and see all the properties in graphical form.

When you import your certificate there, you can see if Basic Constraints critical or not (here, the attribute is present):

You can also right-click, then go Transform>Similar Certificate>Extensions and under Basic Constraints at the top, you will see Critical button:

This must be selected on the CA for the certificates you want to issue.

Regards,

Radek

Re: Unable to import server certificate to FMC

Richard Krug — Thu, 07 Dec 2017 18:25:55 GMT

I'm using OpenSSL for this. In OpenSSL, I have a config file:

/root/ca/intermediate/openssl.cnf

This file has the following extension block, in which I find basicConstraints:

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
#basicConstraints = CA:FALSE
basicConstraints = critical, CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = <REMOVED>
authorityInfoAccess = OCSP;URI:<REMOVED>

I prepended "critical," and save the file.

When signing the CSR with OpenSSL, I used this command:

openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/fmc.mydomain.net.csr.pem -out intermediate/certs/fmc.mydomain.net.cert.pem

I was then able to import the certificate.

Re: Unable to import server certificate to FMC

Richard Krug — Thu, 07 Dec 2017 18:35:06 GMT

I'm using OpenSSL for this. In OpenSSL, I have a config file:

/root/ca/intermediate/openssl.cnf

This file has the following extension block, in which I find basicConstraints:

I prepended "critical," and save the file.

When signing the CSR with OpenSSL, I used this command:

openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/fmc.mydomain.net.csr.pem -out intermediate/certs/fmc.mydomain.net.cert.pem

I was then able to import the certificate.

Re: Unable to import server certificate to FMC

tmoore — Wed, 14 Feb 2018 16:12:31 GMT

I'm having this same issue and after modifying the cert to use basicConstraints = critical, CA:FALSE, I was able to import the certificate without getting the "unable to verify certificate" error message. But after the import I still don't see the new cert under HTTPS Certificate; even after a reboot I still only show the self signed cert as the current https server cert. What am I missing?

Re: Unable to import server certificate to FMC

rolszowy — Wed, 14 Feb 2018 18:11:01 GMT

This sounds like a question for TAC, but what you can do is to go to expert mode and manually check /etc/ssl/server.* files.

I’m assuming that they were not replaced. In that case you can manually edit them and paste identity certificate and private, unencrypted key there. After that you need to restart httpsd process by:

pmtool RestartById httpsd

command.

From that point, management interface should display this new certificate.

Regards,

Raden

Re: Unable to import server certificate to FMC

mikael.lahtela — Wed, 14 Feb 2018 22:28:20 GMT

I noticed today that in some cases it won't give you an error but not importing the SSL certificate either if something is still wrong with it.
I finally managed to import the certificate, but still need to solve some issues to make it valid for browsers, going to take a look at this tomorrow and try to write it down.
I think FMC needs more error checking on the SSL import tool.

br, Micke

Re: Unable to import server certificate to FMC

randomfortune — Thu, 22 Feb 2018 18:57:00 GMT

I had the same problem where it would finally take the certs without error, but would continue to show the old one. I went and checked the config file via the CLI under /etc/httpd/ssl_certificates.conf

and noticed there were different values loaded to the SSLCertificateFile and SSLCertificateKeyFile fields. I cleared the old values and replaced them with the following:

SSLCertificateFile /etc/ssl/server.crt

SSLCertificateKeyFile /etc/ssl/server.key

Restart the httpsd service with this command to enforce the new values: pmtool RestartByID httpsd

Re: Unable to import server certificate to FMC

argrullo — Thu, 22 Feb 2018 19:55:50 GMT

Hello Everyone,

As some of you have mentioned, the current behavior is a bug. It was not actually fixed on 6.2.2.1.

I have resolved this issue for other customer by performing the import of the certificate thru the CLI.

The steps are not complicated, but they are not intuitive either. It will be required to have a certificate, and the private key used for that certificate.

The below steps are used when creating a new certificate and private key thru the cli.

If you have a cert and private key from an Internal CA, then you could copy and paste that information into two files.

vi /etc/ssl/InternalCACertificate.crt

vi /etc/ssl/InternalCAKey.key

Then you can move to around step 6.

CSCvf42713- cannot import web UI HTTPS server certificate on Firepower Management Center or 7000/8000 Series

The workaround that needs to be performed is below.

admin@Luna:~$ cd Mark/ <---------- Create Directory to use a temporary stage area
admin@Luna:~/Mark$ ls
admin@Luna:~/Mark$ openssl genrsa -out server.key 2048 <------------ Creating the private key that will be used to generate the CSR and the certificate.
Generating RSA private key, 2048 bit long modulus
.........................
......
e is 65537 (0x10001)
admin@Luna:~/Mark$ openssl req -out CSR.csr -key server.key -new -sha256 <------------ Creating the CSR with the private key created in the previous step. Fill out information for the CSR. This CSR can be used to create a certificate from your internal CA. If using your own CA to generate the certificate, then after you generate the certificate, copy the information in to a file named server.key.new. Then skip to step 4.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code []:
State or Province Name []:
Locality Name []:
Organization Name []:
Organizational Unit Name []:
Common Name []:
Email Address []:
admin@Luna:~/Mark$ ls
CSR.csr server.key

admin@Luna:~/Mark$ openssl x509 -signkey server.key -in CSR.csr -req -days 365 -out cert.crt -sha256 <-------------- Creating a self signed certificate from the CSR and the private key.
Signature ok

admin@Luna:~/Mark$ sudo mv server.key /etc/ssl/server.key.new <---------- Moving server key to the required location
Password:
Last login: Fri Dec 29 17:04:52 UTC 2017

admin@Luna:~/Mark$ sudo mv cert.crt /etc/ssl/server.crt.new <----------Moving server certificate to the required location.
Last login: Fri Dec 29 17:07:04 UTC 2017 on pts/1
admin@Luna:~/Mark$ ls
CSR.csr
admin@Luna:~/Mark$ cd /etc/ssl
admin@Luna:/etc/ssl$ ls
TAC.key crl openssl.cnf server.conf server.crt server.crt.new server.crt.older server.key server.key.new

admin@Luna:/etc/ssl$ sudo mv server.crt ./server.crt.original <----------Changing the name on the original server certificate
Last login: Fri Dec 29 17:07:35 UTC 2017 on pts/1

admin@Luna:/etc/ssl$ sudo mv server.key ./server.key.original <----------Changing the name on the original server private key
Last login: Fri Dec 29 17:08:20 UTC 2017 on pts/1
admin@Luna:/etc/ssl$ ls

TAC.key crl openssl.cnf server.conf server.crt.new server.crt.older server.crt.original server.key.new server.key.original

admin@Luna:/etc/ssl$ sudo mv server.crt.new ./server.crt <-------------Changing the name on the new server certificate.
Last login: Fri Dec 29 17:08:37 UTC 2017 on pts/1

admin@Luna:/etc/ssl$ sudo mv server.key.new ./server.key <------------ Changing the name on the new server key
Last login: Fri Dec 29 17:09:05 UTC 2017 on pts/1

admin@Luna:/etc/ssl$ sudo pmtool restartbyid httpsd <-----------Restarting the httpsd process so it reload the certificate.
Last login: Fri Dec 29 17:09:19 UTC 2017 on pts/1

Re: Unable to import server certificate to FMC

tmoore — Fri, 23 Feb 2018 19:18:21 GMT

This process work for me!

Re: Unable to import server certificate to FMC

David Parker — Wed, 28 Feb 2018 00:07:02 GMT

I'm running 6.2.2.1 and I am getting this error as well.

Re: Unable to import server certificate to FMC

argrullo — Wed, 28 Feb 2018 02:43:43 GMT

Hello David,

6.2.2.1 is still affected by the bug. You will need to import the certificate using the CLI.

Re: Unable to import server certificate to FMC

David Parker — Wed, 28 Feb 2018 15:31:04 GMT

Thanks. I do have a ticket open with TAC but still waiting for assistance. I'm running the Threat Defense image. Is it safe to use the cli for this operation?

Re: Unable to import server certificate to FMC

argrullo — Wed, 28 Feb 2018 18:01:43 GMT

Hello David,

Yes it is safe to perform on the CLI. I have performed on multiple customer environments without any issues.

But, if one were to arise, the certificate itself can be regenerated or set to the default and then start over.

Re: Unable to import server certificate to FMC

David Parker — Thu, 01 Mar 2018 15:57:46 GMT

The openssl method from the cli works. Now we are encountering an issue in that modern browsers are ignoring the common name in the cert and instead are using the subject alternative name. By default the Microsoft CA server doesn't issue certs with the san attribute set do we are trying to figure out how to accomplish this.