02-24-2025 07:27 AM
Hello everybody,
our customer has a HA-cluster of two Firepower 2130 running rel. 7.2.5.
The FMC is running rel. 7.4.2.1.
The wildcard certificate will expire on March 8th. I got the new wildcard
certificate for the customer domain.
I could enroll the file (.pfx) with the given keyword without problems.
(see attached screen dump).
When I try to add it to the HA-cluster it is processing and then I get
an error message "Failed" (see attached screen dump). When I move the
mouse onto the red bubble I get the following:
ERROR: Import PKCS12 operation failed
I don't get any further information about possible reasons.
Nothing useful found in the WWW.
What could the reason be for this behaviour?
Every hint is welcome.
Thanks a lot!
Bye
R.
02-24-2025 09:05 AM
@swscco001 is the file actually valid? can you open it in windows or openssl without problems?
02-25-2025 11:58 AM
You will need to take the original PFX and break it apart with openssl and reassemble into a new PFX that contains the CA chain certificate.
openssl pkcs12 -in <id_cert.pfx> -nocerts -out privateKey.key
    # enter the import passphrase, then create a key passphrase
openssl pkcs12 -in <id_cert.pfx> -nokeys -out id_cert.crt
    # enter the import passphrase
openssl pkcs12 -export -out newID_CERT.pfx -inkey privateKey.key -in id_cert.crt -certfile issuer_CA_chain.crt -name <subject:commonName> -passout pass:newPassphrase
    # enter the key passphrase created in step 1
The FMC is looking for the intermediate and that's why it fails. Just went through this myself on an HA pair running on a 3120 instance.
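A scripted version of the split-and-reassemble procedure above, added here as an example and not taken from the thread or from Cisco: it verifies that the supplied chain actually issues the identity certificate before exporting, and counts the certificates in a bundle so you can tell an "identity cert only" PFX from one that carries the chain. It assumes openssl is on PATH; all file names, passphrases and the friendly name are placeholder arguments.

```shell
#!/bin/sh
# Added example (not from the thread): split a PKCS#12 that carries only the
# identity certificate, confirm the issuer chain really signs it, and rebuild
# a PKCS#12 that contains the chain. Assumes openssl on PATH; every file name,
# passphrase and friendly name below is a placeholder argument.
set -eu

# rebuild_pfx IN.pfx IN_PASS CHAIN.pem OUT.pfx OUT_PASS FRIENDLY_NAME
rebuild_pfx() {
  in_pfx=$1 in_pass=$2 chain=$3 out_pfx=$4 out_pass=$5 name=$6
  work=$(mktemp -d)              # mktemp -d creates the dir with mode 0700

  # 1) private key, left unencrypted only inside the private temp dir
  openssl pkcs12 -in "$in_pfx" -passin "pass:$in_pass" -nocerts -nodes \
    -out "$work/key.pem" || return 1
  # 2) identity certificate only; -clcerts drops any CA certs the old PFX had
  openssl pkcs12 -in "$in_pfx" -passin "pass:$in_pass" -nokeys -clcerts \
    -out "$work/id.pem" || return 1
  # 3) refuse to build a bundle whose chain does not actually issue the cert;
  #    -partial_chain lets an intermediate-only chain file act as the anchor
  openssl verify -partial_chain -CAfile "$chain" "$work/id.pem" >/dev/null \
    || return 1
  # 4) reassemble: key + identity cert + issuer chain under one friendly name
  #    (OpenSSL 3 writes AES/PBKDF2; add -legacy if an importer rejects that)
  openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/id.pem" \
    -certfile "$chain" -name "$name" -passout "pass:$out_pass" \
    -out "$out_pfx" || return 1

  rm -rf "$work"
}

# cert_count FILE.pfx PASS -> number of certificates stored in the bundle;
# 1 means "identity cert only", the shape that failed to import above.
cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}
```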