Hi, all.
I'm trying to import HTTPS certificate into FMCv running 6.7 code. I'm getting an 'Error Unable to verify certificate.'
Steps I took with OpenSSL to generate the cert:
- Generated CSR from the FMC
- Get the CSR signed by the Internal CA.
- Tried to import the cert into FMC
This is what the cert looks like:
pi@raspberrypi:~/certs $ openssl x509 -in fmc-01.packet.lan.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1b:5e:9c:47:6b:1a:c1:50:e2:78:2a:39:b6:b6:f0:e8:c9:e4:2b:fa
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = GB, ST = London, L = Essex, O = Packetswitch, OU = IT, CN = packetswitch
Validity
Not Before: Jan 26 22:20:23 2021 GMT
Not After : May 1 22:20:23 2023 GMT
Subject: C = GB, CN = fmc-01.packet.lan, O = Packet, OU = IT, L = London, ST = London
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a2:e8:b1:00:74:7b:5f:56:3d:63:88:86:1f:4e:
f0:ac:47:cc:7e:64:05:03:31:0a:bc:d0:d1:e8:b2:
b5:6f:07:02:fa:25:00:ad:4b:ea:0a:08:0c:1e:84:
55:b5:83:df:a6:a2:e6:8b:52:46:e0:2b:a6:9f:d1:
87:7d:6b:06:74:68:f7:87:da:60:a8:9c:9e:25:fd:
13:1f:79:a1:5f:af:31:7e:8d:c6:4f:7c:66:ae:31:
c9:f5:84:ad:df:15:2d:4f:49:50:03:ea:13:1b:65:
24:81:b5:48:1e:6b:59:46:f9:1c:98:17:12:21:cb:
e4:62:a2:07:ac:15:06:04:46:97:e5:3c:6a:3d:55:
f0:33:5b:b2:45:8f:e7:3d:81:60:5f:ce:ae:a5:b6:
02:31:ba:02:c0:8a:3a:c8:b7:c6:dc:6c:d1:ba:3f:
d8:98:28:43:e0:8e:07:56:68:5f:bf:55:f7:af:2c:
60:cf:68:1e:bb:e1:51:c4:0e:a6:8b:10:2b:38:87:
4e:b7:02:9f:e7:86:f9:83:db:84:29:fe:5f:94:70:
56:50:d9:31:aa:e9:4e:ac:9f:5f:c3:b4:03:42:ab:
28:67:f4:cc:b7:d2:28:e6:dd:8f:e1:12:1a:67:d1:
a3:5c:80:b4:c9:0d:9e:1d:f6:f2:cb:77:94:a8:1f:
6b:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:7E:32:E8:AF:7D:AC:29:85:68:64:B4:60:AF:FD:FC:EA:83:CA:38:8E
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Alternative Name:
DNS:fmc-01.packet.lan
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
02:55:85:ED:D9:1F:BC:4D:FD:A8:AC:18:0D:E7:8D:A3:8E:24:11:EF
Signature Algorithm: sha256WithRSAEncryption
c7:15:89:6f:fa:c1:eb:f8:63:c0:76:db:3d:67:98:9a:1f:84:
65:94:bd:8e:ce:e8:cf:bd:db:f2:35:fc:4b:ca:fb:16:6b:f3:
0b:34:14:d4:35:a9:8f:22:3b:6c:f5:7e:6e:41:0d:10:4a:a1:
e9:a0:6e:07:20:d4:84:d2:1c:17:01:f7:e5:e1:46:ce:48:e0:
0f:94:7d:ce:3f:a3:05:01:78:76:5b:ed:b7:35:e5:2a:fd:26:
62:5e:78:90:2c:2b:b3:36:95:2a:c0:8a:34:1c:4b:41:49:b3:
e2:44:ee:56:74:d0:17:ef:1e:6a:9b:a1:ec:4f:11:4c:64:78:
c0:e2:f5:be:a2:d9:15:a3:96:5c:61:2a:65:f8:f8:84:b4:d2:
81:38:c8:cb:48:cc:15:82:ae:25:44:b4:ae:e6:d3:be:33:81:
cc:c9:4c:93:8f:2b:1e:90:32:a0:8a:a1:00:ee:d9:a3:4e:2a:
81:a7:fd:d7:38:91:b7:2e:1d:79:9c:7b:6d:3a:a2:9d:69:8c:
52:d8:c8:37:f8:cd:eb:ce:8d:0f:d7:33:81:2b:f3:89:ca:90:
94:86:dd:cf:a5:18:a8:eb:93:65:d6:fc:d7:a8:f9:41:07:56:
ab:7e:5a:ed:ca:13:9a:74:2a:b3:6a:32:86:10:0d:a1:a3:ad:
c9:58:34:5bThis is the OpenSSL config I used.
pi@raspberrypi:~/certs $ cat fmc-01.txt
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
[req]
req_extensions = v3_req
[alt_names]
DNS.1 = fmc-01.packet.lan
Note - If I set the basic constraints to FALSE, I get a different error 'Error Basic constraints are not critical or not defined.'
Thanks
