FMC Audit log Certificate error

AMadjeski
Level 1

I generated a CSR from my FMC for an Audit Log Certificate.  I sent that to our PKI admin and he generated a certificate.  

When I try to import the certificate I get the following error:

Error

Unable to identify certificate purpose

Any guidance is greatly appreciated.

9 Replies

marce1000
Hall of Fame

- Note that for an audit log certificate the FMC Server Certificate must include the clientAuth extended key usage.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thanks for the response.  Can you give me a little more detail on that? 

Where do I check to see if that is included?

Does that need to be set prior to generating the CSR for the Audit Certificate?

 

- Review this article: https://access.redhat.com/solutions/28965 and check your certificate and/or generate as needed (look for clientAuth in the document).

 M.




marce1000
Hall of Fame

 

- (adding):

To generate a CSR with the clientauth parameter included, you can use the following OpenSSL command:

# clientAuth is requested through -addext (OpenSSL 1.1.1 or later)
openssl req -new -newkey rsa:4096 -nodes -keyout client.key -out client.csr -addext "extendedKeyUsage = clientAuth"

This command will generate a CSR certificate with the clientauth parameter included. The clientauth parameter tells the CA that the certificate will be used for client authentication.

Here is an explanation of the command line arguments:

-new - This tells OpenSSL to generate a new CSR certificate.
-newkey rsa:4096 - This tells OpenSSL to generate a new RSA key with a key size of 4096 bits.
-nodes - This tells OpenSSL to generate a key without a password.
-keyout client.key - This specifies the output file for the private key.
-out client.csr - This specifies the output file for the CSR certificate.
-clientauth - This tells OpenSSL to include the clientauth parameter in the CSR certificate.

Once you have run the command, you will have a CSR certificate with the clientauth parameter included. You can then submit the CSR certificate to a CA to be signed.

 M.




I am assuming I should do this from expert mode. I am getting an "Unrecognized flag clientauth" error.

- Could be, I haven't tried it myself; or generate the certificate externally and import it.

M.



AMadjeski
Level 1

I still have not found a resolution to this.  Has anyone else experienced this issue?

I was able to get past the "Unable to identify certificate purpose" error. I see the new cert info in the browser, but still get a certificate error in the browser, not FMC specifically. Working on that. I believe it's my DNS.

I used an Ubuntu Linux server where I already created a CA to respond to CSRs for my internal lab. You can also use a third-party service. My steps are specific to the Linux box.

Here's what I did to get past the error:

  1. In FMC click on the System settings cog -> Configuration -> HTTPS Certificate -> Generate NEW CSR
  2. Fill in the pop-up form information.
  3. Copy the PEM to a simple text editor.
  4. Paste the PEM into your favorite text editor and then save it. Make sure the name you give it ends with .csr so you know what this file is for when you look at it again in the future.
  5. Create a new extension file called v3.ext in your favorite text editor.
  6. Put this inside the file and save it:
       subjectAltName = DNS:fmcname.domain.local
       extendedKeyUsage = serverAuth, clientAuth
  7. Run this command in the Linux box to create a CSR response that the FMC will accept. Depending upon which directory you are doing this in, you may need to use sudo.
       openssl x509 -req -sha256 -in fmcname.domain.local.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out fmcname.domain.local.cert.pem -days 1000 -extfile v3.ext
  8. Check the purpose of the certificate you just created with this command.
       openssl x509 -noout -text -purpose -in fmcname.domain.local.cert.pem
  9. Look for the Subject Alternative Name and Extended Key Usage in your output to match the v3.ext file contents.
  10. View the new certificate PEM contents and copy to clipboard.
  11. Back in FMC, click "Import HTTPS Server Certificate".
  12. Paste clipboard contents into the "Server Certificate" section.
  13. Click the "Save" button.

You should expect to not receive an "Unable to identify certificate purpose" error and also see the "Current HTTPS Server Certificate" information update.

If you are not getting the same behavior, please post here. If this post helped you, please give it a thumbs up.

Securely,

Dave
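The procedure above, recreated end to end in a throwaway lab as an added example (not Dave's or Cisco's code): a local CA signs the same CSR once without and once with the v3.ext contents from the thread, and a small check reads the Extended Key Usage of each result before anything is pasted into FMC. The CA, the hostname fmcname.domain.local and all file names are constructed stand-ins; it assumes openssl is in PATH.

```shell
# Added example, not code from the thread: reproduce the failure case (a CA
# signing without the EKU) beside the working case (Dave's v3.ext), then
# check a PEM certificate for clientAuth before pasting it into FMC.
# Assumes openssl in PATH; every file name and hostname here is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; exit 0; }

# True only when the Extended Key Usage lists clientAuth. `-purpose` alone is
# not enough: it prints "SSL client : Yes" when the EKU is simply absent.
has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# Build a throwaway CA in $1 and sign a CSR for hostname $2 two ways:
# bad.cert.pem (no extfile, like a template lacking clientAuth) and
# good.cert.pem (signed with the v3.ext contents from the thread).
make_lab() {
    dir=$1 fmc=$2; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Lab Root CA" -keyout "$dir/rootCAKey.pem" \
        -out "$dir/rootCACert.pem" 2>/dev/null
    # Stand-in for the CSR the FMC generates under System > Configuration.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fmc" \
        -keyout "$dir/$fmc.key" -out "$dir/$fmc.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth, clientAuth\n' \
        "$fmc" > "$dir/v3.ext"
    for variant in bad good; do
        ext=""; [ "$variant" = good ] && ext="-extfile $dir/v3.ext"
        # $ext stays unquoted so its two words expand as separate arguments
        openssl x509 -req -sha256 -in "$dir/$fmc.csr" -CA "$dir/rootCACert.pem" \
            -CAkey "$dir/rootCAKey.pem" -CAcreateserial -days 1000 $ext \
            -out "$dir/$variant.cert.pem" 2>/dev/null
    done
}

# Stand-alone run: report which certificate FMC would accept.
main() {
    lab=$(mktemp -d)
    make_lab "$lab" fmcname.domain.local
    for c in bad good; do
        if has_client_auth "$lab/$c.cert.pem"; then
            echo "$c.cert.pem: clientAuth present, safe to import"
        else
            echo "$c.cert.pem: clientAuth missing, FMC will reject it"
        fi
    done
    rm -rf "$lab"
}
main
```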

Marvin Rhoads
Hall of Fame

Basically this stems from the certificate template used by the issuing CA. As noted, tweaking the parameter in the CSR can sometimes override this.
