Firepower: exporting private key of Self-signed certificate

cpaquet
Level 1

How can I download (export) the private key of the self-signed certificate created through Object > PKI > Internal CAs ?

 

The Firepower self-signed certificate is to be installed on corporate computers as a Trusted Authority and used by FTD for outbound SSL decryption. If so, the private key needs to be backed up, but I can't find where. Under Internal CAs, I see how to download the self-signed cert, but not how to export its private key.

 

Thank you.

1 Accepted Solution


Marvin Rhoads
Hall of Fame

For self-signed certificates we don't have the option of either making the key exportable when creating them or exporting it later.

If it's a virtual FMC you can back up the entire VM from outside of FMC (e.g. a VMware snapshot).

If you want just the key and certificate then don't use self-signed. Generate the key and CSR externally using openssl (CLI) or XCA (open-source Windows GUI-based tool) and save the key and the certificate issued by your internal CA using those tools.


9 Replies

Francesco Molino
VIP Alumni
Hi

To do SSL decryption, in the Objects Management window, under PKI/Internal CAs, generate a self-signed CA and use it in your SSL policy.
What you need is to export this certificate and add it to your machine's trusted CA vault. The private key isn't needed here.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco, my post mentions the private key because we want to back it up in case we need to restore FMC. We know that the private key is not needed on the workstation to perform SSL decryption; only the root cert of the signing authority of the FMC identity cert needs to be installed in the certificate store of inside hosts (in both stores: the default Windows store used by Chrome, IE, Edge, etc., and the Firefox cert store). Again, my question is: how do I export, for backup, the private key of an FMC self-signed certificate.

Regards.

Sorry, my bad, I didn't understand your question.

 

So when you go into FMC, under Objects/PKI/Internal CA, click the edit icon on your self-signed Internal CA.

It will prompt you for a password and export a .p12 file.

Once you have the p12 file exported, run the following command:

openssl pkcs12 -info -in nameofyourexportedfile.p12 -nodes

 

This command will ask you to type a password, which is the one you typed in FMC at the export step.

It will show you your certificate and private key. 

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
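An added example, not code from this thread or from Cisco: the openssl sequence Marvin's accepted answer recommends (generate the CA key pair and certificate outside FMC, so the private key is yours to back up), bundled into PKCS#12, and then the key recovered from that bundle with the same openssl pkcs12 -nodes step Francesco shows above. The file names, subject, ten-year lifetime and passphrase are assumptions made for the example; the checks at the end verify that the key inside the .p12 really belongs to the certificate and that the certificate is a CA certificate before it goes into any workstation's trusted root store.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): build the SSL-decryption CA
# outside FMC with openssl so the private key is in your hands, bundle it as
# PKCS#12 for import/backup, and verify the bundle the way Francesco's reply
# does (openssl pkcs12 ... -nodes). File names, subject, lifetime and the
# passphrase below are assumptions for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-ExamplePassphrase1}"   # assumed passphrase for the .p12
CA_KEY="$WORK/ftd-decrypt-ca.key"
CA_CRT="$WORK/ftd-decrypt-ca.crt"
CA_P12="$WORK/ftd-decrypt-ca.p12"

# 1. CA key pair and self-signed CA certificate, generated externally
#    (Marvin's recommendation). basicConstraints CA:TRUE and keyCertSign are
#    what browsers check before trusting leaf certs minted under this CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/O=Example Corp/CN=Example FTD Decryption CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# 2. Bundle key + certificate into one passphrase-protected PKCS#12 file: this
#    is what goes into offline backup (and the form FMC hands you as a download).
make_p12() {
  openssl pkcs12 -export -name "ftd-decrypt-ca" \
    -in "$CA_CRT" -inkey "$CA_KEY" \
    -passout "pass:$P12_PASS" -out "$CA_P12"
}

# 3. Recover the private key from a .p12 (Francesco's openssl pkcs12 -nodes
#    step, restricted to the key). Prints the PEM private key on stdout.
extract_key() {
  openssl pkcs12 -in "$1" -nodes -nocerts -passin "pass:$P12_PASS" 2>/dev/null \
    | openssl pkey
}

# 4. Check that the key recovered from the bundle really belongs to the CA
#    certificate: the public key derived from each must be identical.
p12_key_matches_cert() {
  from_key=$(extract_key "$1" | openssl pkey -pubout 2>/dev/null) || from_key=""
  from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || from_crt=""
  [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# 5. Confirm the certificate is actually a CA certificate before pushing it to
#    every workstation's trusted root store.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

main() {
  make_ca
  make_p12
  if p12_key_matches_cert "$CA_P12" "$CA_CRT"; then
    echo "OK: private key inside $CA_P12 matches $CA_CRT"
  else
    echo "FAIL: key/certificate mismatch" >&2
    exit 1
  fi
  if is_ca_cert "$CA_CRT"; then echo "OK: basicConstraints CA:TRUE"; fi
  # Distribute only the certificate; the .p12 (which holds the key) stays in backup.
  openssl x509 -in "$CA_CRT" -noout -subject -dates
}

main
```

Two practical notes. Whoever holds that .p12 can mint a trusted certificate for any site your workstations visit, so it deserves the same handling as a domain admin password: encrypted, offline, access-logged. And if FMC refuses the file when you import the key and certificate under Objects > PKI > Internal CAs, the usual culprit is OpenSSL 3's default PKCS#12 encryption (PBES2 with AES), which older appliances cannot read; re-run the export with `-legacy` (OpenSSL 3) or with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` to get the older encoding. Check your FMC release's configuration guide for the exact import form it accepts.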

Thanks Francesco for the help. However, I don't get the result you are suggesting.

When I go to FMC > Objects > Objects Management > PKI > Internal CAs and edit the self-signed certificate, contrary to what you wrote, I am not "prompted for a password to export a p12." When I click edit on the self-signed certificate, it just opens the self-signed cert, where the only editable field is the Name of the object. All the other fields are non-editable. The only button is DOWNLOAD, which downloads the .p12 to the Download folder of the local computer from which FMC is being accessed. I have attached the screen capture: no export functionality.

Question: are you sure that the step you are describing, with the export capability, is available for self-signed certificates? Or would this functionality be reserved for identity certs signed by a Trusted Authority?

Regards,

Cath.

Here is a self-signed certificate that I can export without problem.

[image.png]

[image.png]

[image.png]

I'm sorry to hear you can't do it.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

If you enabled exportable during the certificate generation, then from the
CLI you can do it as follows:

crypto ca export pkcs12

**** please remember to rate useful posts

Mohammed, I'm on the PKI > Generate Internal Certificate Authority window, to generate a new Self-signed cert from FMC, but I don't see an option to make that cert / key pair exportable.  I have attached the screen capture.

Thank you Marvin for the straight answer.  Much appreciated.
