cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

5764
Views
10
Helpful
13
Replies

Cannot Import HTTPS Certificate into FMC

Hello, everyone. I want to add HTTPS Certificate into FMC for WEB GUI Interface so that my browser will recognize it and won`t give an error. I generated CSR and PrivateKEY using OpenSSL. Then I submitted CSR to Windows Certificate Service of our internal company. Downloaded Base 64 encoded cert and downloaded certificate chain. Added RootCA and SubCA into FMC through Objects->PKI->Trusted CAs. When I want to import web server certificate and add server certificate, private key and chain certificate i got an error: "Unable to process CA certificate". Hope someone will help me to solve this problem. 

 

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions

You may be hitting one of several recent bugs:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg28901/?rfs=iqvred

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf42713/?rfs=iqvred

 

We have seen this on very recent 6.2.3.x code where FMC does not allow the import of a well-formed certificate.

 

I'd open a TAC case to confirm. That also helps prioritize the bug fix.

View solution in original post

13 REPLIES 13
Marvin Rhoads
VIP Community Legend

FMC can't import the certificate to use for itself since it does not have the private key.

 

If you combine the issued certificate and private key into a .p12 (PKCS#12 or .pfx) file and import that into FMC it will work.

Actually I imported the private key along with certificate. When clicking Import HTTPS Server Certificate it gives blank space for 3 things: Certificate, Private Key (Optional) and Chain Certificate (Optional). I added all of them with no result. I will try the solution you provided and will reply back the result asap.

 

Thanks in advance

It's been several months since I did one but I recall the .p12 worked for me while .cer +.key did not.

Hmm. New type of error appeared. Now FMC says "Basic constraints not critical or not identified". I checked our RootCA and SubCA certificate and in both of them Basic constraints were "None". Probably this cause error. Do you now how to solve this problem?

If your internal clients already trusting the internal root CA and issuing sub-CA, there's no need to import the full chain. If that's the case, try omitting the chain.

 

In my lab I used a basic server certificate template on my CA (Windows server 2016) and it installed fine onto my FMC.

Actually, for the first time I only used Private key And certificate, no any chain certificate. But it gave an error Basic Constraints not critical

You may be hitting one of several recent bugs:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg28901/?rfs=iqvred

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf42713/?rfs=iqvred

 

We have seen this on very recent 6.2.3.x code where FMC does not allow the import of a well-formed certificate.

 

I'd open a TAC case to confirm. That also helps prioritize the bug fix.

View solution in original post

I've ran into this issue several times ever since the FMC was Sourcefire's Defense Center. It's a bug that seems to keep coming back. I solved it via the CLI: https://kimiushida.com/bitsandpieces/misc/cisco-fmc-6.3-cert-install-via-cli

 

This is probably a non-sanctioned procedure, but this has been my workaround. If a security product can't get certificate processing right and forces you to approve a self-signed cert to manage a security product...

@kimiushida nice work around. Thanks for sharing.

I agree - one would think it should be trivial to properly add a certificate to a security product's web server.

Better yet, Cisco should have a reusable validated module that does that very thing across all of its security products.

Hi guys,

 

I am trying to import an AD signed CERT, with CSR generated with OpenSSL due to SAN field missing from current Firepower CSR generation page.

 

If I fill in the 1st two boxes: signed cert + private key, I receive Basic constraints are not critical or not defined.

If I fill in all three boxes: signed cert + private key + CA, I receive Unable to process CA certificate. as I had the CA cert in p7b format.

I extracted it to cer format using: openssl pkcs7 -print_certs -in CA.p7b -out CA.cer

 

and now I tried to fill in again all three boxes but I end up with a new message: The given certificate chain is invalid. 

 

Please advise!

 

 

What certificate template is your CA using?

Hi Marvin,

Thanks for the quick reply! It's purely an internal Microsoft 2016 CA (http://<ip address of server>/certsrv)
What I did in the meantime:
- SSH as root on the Firepower server and took a look on the config
+ more /etc/httpd/ssl_certificates.conf
+ more /etc/httpd/httpsd.conf
- based on the certificates location I then made a backup of the current ones and then replaced private key and cert with the one I got from my local AD CA
+ cp /etc/ssl/server.key /etc/ssl/server.key.bak
+ cp /etc/ssl/server.crt /etc/ssl/server.crt.bak
+ cat >/etc/ssl/server.key (paste my new private key)
+ cat >/etc/ssl/server.crt (paste my new private key)
- restarted the daemon and it worked
+ pmtool restartbyid httpsd

I do have a question though: why have this worked without me needing to also ADD / change the CA certificate on FMC?

The FMC doesn't need to trust the issuing CA.

It is generally when a client connects to a server that we care about the CA that issued the server's CA. In that case we are trusting that CA to have verified the identity of the server (based on the CA accepting the CSR and issuing a signed certificate).

Sometimes we might want the server to also have the  intermediate CA in it's chain as our clients might only trust the root CA and not the intermediate CA that actually issued the certificate.

Content for Community-Ad