7204 Views | 0 Helpful | 7 Replies

Can't import a trusted certificate to Firepower

andy_4578
Level 1

We're trying to install a GoDaddy SSL cert onto our FireSIGHT Management Center and, for some reason, with every certificate version we try we get an error message....

CER (.crt) Failed to validate Cert Based EO: The certificate and key do not match.

or

PKCS12 (.pfx with key) - Error uploading file. Please verify that this is a certificate and it uses a supported PKCS encoding.

or

CER (.crt) Failed to validate Cert Based EO: The certificate is invalid.

Any help would be greatly appreciated

7 Replies

Where and how in FMC did you try it?

Under Objects > PKI > Internal CA, selecting the Import CA button.

Then either browsing to the cert or cut/paste; every way we try it, it fails.

That's the wrong place to import this certificate. Under "CA" you import a cert that has the capability to sign other certificates to do outgoing TLS-inspection.

What do you want to do with the certificate:

  1. Access the FMC without a certificate error? Then import it under System -> Configuration -> HTTPS Certificate.
  2. Use it for TLS inspection of incoming connections? Then import it under "Internal Certs".

Hi,

Thanks for your reply. We have an SSL cert uploaded to get rid of the untrusted connection for the FMC, which works fine.

We're trying to set up SSL "man in the middle" inspection for HTTPS traffic, but for whatever reason the certificate won't import.


You can't use a public certificate for that. These certificates are for servers and can't be used to generate other certificates, which is what is needed here.

You have to either generate the certificate on the FMC and distribute it to all clients, or generate a CSR on the FMC and get a cert from your own trusted CA using a certificate-server (subordinate CA) template.

Hello,

We are trying to import a certificate from our syslog server.

We want to implement a secure syslog using tls.

I have a certificate (.pem) and a private key (.pem), which were provided by the syslog admin team.

I go to System -> Configuration -> Audit log certificate -> Import Audit client certificate

Trying to import them (I tried cert+key and the cert only), I always get the error shown in the attached screenshot (import certificate firepower.JPG).

I tried to do it via the CLI and I get an error too:

ConfigurAudit_cert> import

*************** Import Audit Client Certificate **************

 1   Import Client Certificate and Private Key
 2   Import Certificate Chain
 0   Exit

**************************************************************
Enter choice: 1
Enter your audit client certificate (PEM format) here:
-----BEGIN CERTIFICATE-----
MIIEETCCAsmgAwIBAgIESZYC0jANB
wD/ZLXTNZTaje13GrU8yUovMh5C6q6nWqCR6N9Kv6OS8mk0yaw==
-----END CERTIFICATE-----


Enter your private key (PEM format) here:
-----BEGIN RSA PRIVATE KEY-----
MIIFewIBAAKCATEA2Nnbv1hDCzEaD+C+HEqEw3zQwMTOe
2eeTVOoTVoI3tSyYRQCiitObdG3ldk3C+LdSxrI8v92XDq/FBK
3dUOJ/lHFU39PZmLTktq
-----END RSA PRIVATE KEY-----

Client certificate import failed, exiting...

Don't know if anybody has tried to send secure syslog.

I am running 6.2.3.4.

Assuming you've verified that the certificate and key work together (e.g., with OpenSSL), you may be hitting one of several recent bugs:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg28901/?rfs=iqvred

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf42713/?rfs=iqvred

I've seen this on very recent 6.2.3.x code where FMC does not allow the import of a well-formed certificate.

I'd open a TAC case to confirm. That also helps prioritize the bug fix.
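Added example (not part of this thread and not Cisco's code): the OpenSSL checks the reply above assumes you have already done, plus the CA:TRUE check behind the earlier point that a public server certificate cannot be used to resign traffic for TLS decryption. Everything it operates on (a throwaway CA, a leaf cert, an unrelated key, a .pfx with password "test") is constructed locally in a scratch directory; the only assumption is that the openssl CLI is installed. Run the same three functions against the real files before opening a TAC case.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity checks to run on a cert/key pair
# before blaming the FMC importer. Assumes the openssl CLI is on PATH; every
# file it uses is constructed here in a scratch directory.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed CA, a server (leaf) cert it signed,
# an unrelated key, and the leaf bundled as PKCS#12. Stands in for "a cert
# and key handed over by another team".
make_test_material() {
    # CA: CSR, then self-signed with basicConstraints CA:TRUE and keyCertSign
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1

    # Leaf: CSR signed by the CA with CA:FALSE, i.e. an ordinary server cert
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=syslog.example.internal" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1

    # A key that belongs to neither certificate
    openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1

    # The leaf as a password-protected .pfx (constructed password: "test")
    openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
        -passout pass:test -out "$WORK/leaf.pfx" >/dev/null 2>&1
}

# 1. Does the private key belong to the certificate? Derive the public key
#    from each side and compare. FMC's "The certificate and key do not match"
#    is exactly this comparison failing. Returns 2 if either file won't parse.
keys_match() {   # $1 = cert (PEM), $2 = private key (PEM)
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 2
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 2. Is the certificate a CA? Only a cert carrying basicConstraints CA:TRUE
#    can sign the per-site certificates FMC generates for outbound decryption.
#    A public server cert from GoDaddy or similar is always CA:FALSE, so it can
#    only go under Internal Certs, never under Internal CA.
is_ca() {   # $1 = cert (PEM)
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 3. Split a PKCS#12 (.pfx) into the separate PEM cert and key that the
#    cert+key importer accepts when the .pfx upload itself is rejected.
split_pkcs12() {   # $1 = .pfx, $2 = password, $3 = out cert, $4 = out key
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null
}

# Demo on the constructed material
make_test_material
keys_match "$WORK/leaf.crt" "$WORK/leaf.key"  && echo "leaf.crt + leaf.key: match"
keys_match "$WORK/leaf.crt" "$WORK/other.key" || echo "leaf.crt + other.key: no match"
is_ca "$WORK/ca.crt"   && echo "ca.crt: CA:TRUE, can sign resigned certs for outbound decryption"
is_ca "$WORK/leaf.crt" || echo "leaf.crt: CA:FALSE, a server cert; import under Internal Certs"
split_pkcs12 "$WORK/leaf.pfx" test "$WORK/out.crt" "$WORK/out.key" && echo "leaf.pfx split into PEM cert + key"
```

If keys_match fails on the real files, the problem is on the sending side (wrong key exported, or a renewed cert paired with last year's key) and no FMC release will fix it; if it passes and the import still fails, that is the point at which the bug IDs above become relevant.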
