08-11-2020 05:07 PM
How can I download (export) the private key of the self-signed certificate created through Object > PKI > Internal CAs?
The Firepower self-signed certificate is to be installed on corporate computers as a Trusted Authority and used by FTD for outbound SSL decryption. If so, the private key needs to be backed up, but I can't find where. Under Internal CAs, I see how to download the self-signed cert, but not how to export its private key.
Thank you.
09-02-2020 08:44 PM
For self-signed certificates we don't have the option of either making the key exportable when creating them or exporting it later.
If it's a virtual FMC you can back up the entire VM from outside of FMC (e.g., a VMware snapshot).
If you want just the key and certificate then don't use self-signed. Generate the key and CSR externally using openssl (CLI) or XCA (open source Windows GUI-based tool) and save the key and issued certificate from your internal CA using those tools.
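The external-generation approach from the answer above, as an added example that is not part of the original thread: it creates the key and CSR with openssl, bundles key and certificate into a passphrase-protected PKCS#12 backup, and checks that the bundle really holds the certificate's private key. File names, the subject and the self-signing step (a stand-in for issuance by the internal CA) are assumptions.

```shell
#!/bin/sh
# Added example: create a CA key outside FMC, keep an encrypted backup, verify it.
# File names and the subject are assumptions for illustration.

# make_ca_backup DIR PASSFILE -> writes ca.key, ca.csr, ca.crt, ca-backup.p12 in DIR
make_ca_backup() {
    dir=$1 pass=$2
    ( umask 077   # key material readable by its owner only
      # 1. Private key generated off-box, so a copy always exists.
      openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
      # 2. CSR to submit to the internal CA.
      openssl req -new -key "$dir/ca.key" \
          -subj "/O=Example/CN=Example Decrypt CA (constructed)" \
          -out "$dir/ca.csr" &&
      # 3. Stand-in for issuance: self-sign with CA extensions so the demo
      #    runs offline. In production the internal CA signs the CSR.
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
          > "$dir/ca.ext" &&
      openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
          -sha256 -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null &&
      # 4. Passphrase-protected PKCS#12 bundle to store as the backup.
      openssl pkcs12 -export -inkey "$dir/ca.key" -in "$dir/ca.crt" \
          -name decrypt-ca -passout "file:$pass" -out "$dir/ca-backup.p12" )
}

# p12_key_matches_cert P12 PASSFILE CERT -> 0 if P12 holds CERT's private key
p12_key_matches_cert() {
    # Public key derived from the private key stored in the bundle (if any).
    from_p12=$(openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null |
               openssl pkey -pubout 2>/dev/null) || return 1
    # Public key embedded in the certificate.
    from_crt=$(openssl x509 -in "$3" -noout -pubkey) || return 1
    [ -n "$from_p12" ] && [ "$from_p12" = "$from_crt" ]
}
```

`p12_key_matches_cert` works on any PKCS#12 file, so it can also confirm whether a given download contains a private key at all before it is relied on as a backup.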
08-12-2020 12:37 PM
Francesco, my post mentions the private key because we want to back it up in case we need to restore FMC. We know that the private key is not needed on the workstation to perform SSL decryption; that only the root cert of the signing authority of the FMC identity cert needs to be installed in the certificate store of inside hosts (and in both stores: the default Windows store used by Chrome, IE, Edge, etc., and the Firefox cert store). Again, my question is: how do I export, for backup, the private key of an FMC self-signed certificate?
Regards.
08-13-2020 08:03 PM
Sorry, my bad, I didn't understand your question.
So when you go into FMC, under Objects/PKI/Internal CA, click on the edit icon on your self-signed Internal CA.
It will prompt you for a password and export a p12 file.
Once you have the p12 file exported, run the following command:
openssl pkcs12 -info -in nameofyourexportedfile.p12 -nodes
This command will ask you to type in a password which is the one you typed in FMC at the export step.
It will show you your certificate and private key.
09-02-2020 05:28 PM
Thanks Francesco for the help. However, I don't get the result you are suggesting.
When I go to FMC > Objects > Objects Management > PKI > Internal CAs and edit the self-signed certificate, contrary to what you wrote, I am not "prompt you a password and export p12." When I click edit on the self-signed certificate, it just opens the self-signed cert, where the only editable field is the Name of the object. All the other fields are non-editable. The only button is DOWNLOAD, which downloads the .p12 to the Download folder of the local computer from which FMC is being accessed. I have attached the screen capture - no export functionality.
Question: are you sure that the step you are describing with the capabilities to export are available to self-signed certificates? Or wouldn't this functionality be reserved only to identity cert signed by a Trusted Authority?
Regards,
Cath.
09-03-2020 04:20 PM
Here is a self-signed certificate that I can export without a problem.
I'm sorry to hear you can't do it.
09-03-2020 03:45 PM
Thank you Marvin for the straight answer. Much appreciated.