11-27-2018 11:10 PM - edited 02-21-2020 08:30 AM
Hello, everyone. I want to add an HTTPS certificate into FMC for the web GUI interface so that my browser will recognize it and won't give an error. I generated a CSR and private key using OpenSSL. Then I submitted the CSR to the Windows Certificate Service of our internal company. I downloaded the Base64-encoded cert and downloaded the certificate chain. I added the RootCA and SubCA into FMC through Objects->PKI->Trusted CAs. When I tried to import the web server certificate and added the server certificate, private key and chain certificate, I got an error: "Unable to process CA certificate". Hope someone will help me to solve this problem.
Thanks in advance
11-28-2018 05:34 AM
You may be hitting one of several recent bugs:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg28901/?rfs=iqvred
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf42713/?rfs=iqvred
We have seen this on very recent 6.2.3.x code where FMC does not allow the import of a well-formed certificate.
I'd open a TAC case to confirm. That also helps prioritize the bug fix.
11-28-2018 02:05 AM
FMC can't import the certificate to use for itself since it does not have the private key.
If you combine the issued certificate and private key into a .p12 (PKCS#12 or .pfx) file and import that into FMC it will work.
11-28-2018 04:38 AM
Actually, I imported the private key along with the certificate. When clicking Import HTTPS Server Certificate it gives blank spaces for 3 things: Certificate, Private Key (Optional) and Chain Certificate (Optional). I added all of them with no result. I will try the solution you provided and will reply back with the result ASAP.
Thanks in advance
11-28-2018 04:42 AM
It's been several months since I did one, but I recall the .p12 worked for me while .cer + .key did not.
11-28-2018 05:17 AM
Hmm. A new type of error appeared. Now FMC says "Basic constraints not critical or not identified". I checked our RootCA and SubCA certificates and in both of them Basic Constraints were "None". Probably this causes the error. Do you know how to solve this problem?
11-28-2018 05:25 AM
If your internal clients are already trusting the internal root CA and issuing sub-CA, there's no need to import the full chain. If that's the case, try omitting the chain.
In my lab I used a basic server certificate template on my CA (Windows server 2016) and it installed fine onto my FMC.
11-28-2018 05:30 AM
Actually, for the first time I only used the private key and certificate, without any chain certificate. But it gave the error "Basic Constraints not critical".
07-14-2019 01:45 AM
I've run into this issue several times, ever since the FMC was Sourcefire's Defense Center. It's a bug that seems to keep coming back. I solved it via the CLI: https://kimiushida.com/bitsandpieces/misc/cisco-fmc-6.3-cert-install-via-cli
This is probably a non-sanctioned procedure, but this has been my workaround. If a security product can't get certificate processing right and forces you to approve a self-signed cert to manage a security product...
07-14-2019 05:10 AM
@kimiushida nice work around. Thanks for sharing.
I agree - one would think it should be trivial to properly add a certificate to a security product's web server.
Better yet, Cisco should have a reusable validated module that does that very thing across all of its security products.
08-05-2019 02:56 AM
Hi guys,
I am trying to import an AD-signed cert, with the CSR generated with OpenSSL due to the SAN field missing from the current Firepower CSR generation page.
If I fill in the first two boxes (signed cert + private key), I receive "Basic constraints are not critical or not defined".
If I fill in all three boxes (signed cert + private key + CA), I receive "Unable to process CA certificate", as I had the CA cert in p7b format.
I extracted it to cer format using: openssl pkcs7 -print_certs -in CA.p7b -out CA.cer
Now I tried to fill in all three boxes again, but I end up with a new message: "The given certificate chain is invalid".
Please advise!
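The three symptoms in this thread (a CA cert whose Basic Constraints extension is not marked critical, a leaf that does not verify against the supplied chain, and the .p12 route that worked where cert + key did not) can all be checked locally with openssl before touching the FMC import page. The script below is an added example, not code from the thread or from Cisco: it builds a throwaway root, a deliberately non-critical "lax" root, a sub-CA and a server cert with a SAN (all constructed, names like fmc.example.test and the password changeit are placeholders), then runs the checks.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root CA, sub-CA and
# server certificate with openssl, then run the checks that correspond to the
# FMC errors quoted in this thread, and bundle cert + key + chain into a .p12.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# True when the certificate carries a CRITICAL Basic Constraints extension;
# a CA cert failing this is what "Basic constraints not critical or not
# identified" complains about.
basic_constraints_critical() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Basic Constraints: critical'
}

# True when the leaf chains to the CA file (sub-CA + root); a failure here
# is the "The given certificate chain is invalid" situation.
chain_valid() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Bundle leaf, key and chain into PKCS#12 for the .p12/.pfx import route.
# On OpenSSL 3 add -legacy if the importing appliance rejects the newer PBES2 encryption.
make_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -passout pass:changeit -out "$4"
}

# Issue a certificate from a CSR with an explicit extension file; with no CA
# arguments the CSR is self-signed with its own key (<name>.key).
issue() {  # issue <csr> <ext-file> <out> [<ca-cert> <ca-key>]
    if [ $# -eq 5 ]; then
        openssl x509 -req -in "$1" -extfile "$2" -out "$3" -CA "$4" -CAkey "$5" -CAcreateserial -days 30 2>/dev/null
    else
        openssl x509 -req -in "$1" -extfile "$2" -out "$3" -signkey "${1%.csr}.key" -days 30 2>/dev/null
    fi
}

make_demo_pki() (
    cd "$WORK"
    for n in root lax sub fmc; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" -subj "/CN=demo-$n" 2>/dev/null
    done
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:TRUE\n' > lax.ext          # the problematic non-critical form
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:fmc.example.test\n' > leaf.ext
    issue root.csr ca.ext root.crt                           # self-signed root, critical CA:TRUE
    issue lax.csr lax.ext lax.crt                            # self-signed root, non-critical
    issue sub.csr ca.ext sub.crt root.crt root.key           # sub-CA under the good root
    issue fmc.csr leaf.ext fmc.crt sub.crt sub.key           # server cert with a SAN
    cat sub.crt root.crt > chain.pem                         # chain file as FMC's third box expects
)
```

Run make_demo_pki, then basic_constraints_critical on each CA cert and chain_valid on the leaf; only once both pass is make_p12 worth trying against the appliance.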
08-05-2019 09:00 AM
What certificate template is your CA using?
08-05-2019 08:48 PM
08-05-2019 10:32 PM
The FMC doesn't need to trust the issuing CA.
It is generally when a client connects to a server that we care about the CA that issued the server's CA. In that case we are trusting that CA to have verified the identity of the server (based on the CA accepting the CSR and issuing a signed certificate).
Sometimes we might want the server to also have the intermediate CA in its chain, as our clients might only trust the root CA and not the intermediate CA that actually issued the certificate.