01-27-2021 03:47 AM
Hi, all.
I'm trying to import an HTTPS certificate into an FMCv running 6.7 code. I'm getting an 'Error Unable to verify certificate.'
Steps I took with OpenSSL to generate the cert:
This is what the cert looks like:
pi@raspberrypi:~/certs $ openssl x509 -in fmc-01.packet.lan.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:5e:9c:47:6b:1a:c1:50:e2:78:2a:39:b6:b6:f0:e8:c9:e4:2b:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = London, L = Essex, O = Packetswitch, OU = IT, CN = packetswitch
        Validity
            Not Before: Jan 26 22:20:23 2021 GMT
            Not After : May 1 22:20:23 2023 GMT
        Subject: C = GB, CN = fmc-01.packet.lan, O = Packet, OU = IT, L = London, ST = London
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a2:e8:b1:00:74:7b:5f:56:3d:63:88:86:1f:4e:
                    f0:ac:47:cc:7e:64:05:03:31:0a:bc:d0:d1:e8:b2:
                    b5:6f:07:02:fa:25:00:ad:4b:ea:0a:08:0c:1e:84:
                    55:b5:83:df:a6:a2:e6:8b:52:46:e0:2b:a6:9f:d1:
                    87:7d:6b:06:74:68:f7:87:da:60:a8:9c:9e:25:fd:
                    13:1f:79:a1:5f:af:31:7e:8d:c6:4f:7c:66:ae:31:
                    c9:f5:84:ad:df:15:2d:4f:49:50:03:ea:13:1b:65:
                    24:81:b5:48:1e:6b:59:46:f9:1c:98:17:12:21:cb:
                    e4:62:a2:07:ac:15:06:04:46:97:e5:3c:6a:3d:55:
                    f0:33:5b:b2:45:8f:e7:3d:81:60:5f:ce:ae:a5:b6:
                    02:31:ba:02:c0:8a:3a:c8:b7:c6:dc:6c:d1:ba:3f:
                    d8:98:28:43:e0:8e:07:56:68:5f:bf:55:f7:af:2c:
                    60:cf:68:1e:bb:e1:51:c4:0e:a6:8b:10:2b:38:87:
                    4e:b7:02:9f:e7:86:f9:83:db:84:29:fe:5f:94:70:
                    56:50:d9:31:aa:e9:4e:ac:9f:5f:c3:b4:03:42:ab:
                    28:67:f4:cc:b7:d2:28:e6:dd:8f:e1:12:1a:67:d1:
                    a3:5c:80:b4:c9:0d:9e:1d:f6:f2:cb:77:94:a8:1f:
                    6b:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:7E:32:E8:AF:7D:AC:29:85:68:64:B4:60:AF:FD:FC:EA:83:CA:38:8E
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:fmc-01.packet.lan
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                02:55:85:ED:D9:1F:BC:4D:FD:A8:AC:18:0D:E7:8D:A3:8E:24:11:EF
    Signature Algorithm: sha256WithRSAEncryption
         c7:15:89:6f:fa:c1:eb:f8:63:c0:76:db:3d:67:98:9a:1f:84:
         65:94:bd:8e:ce:e8:cf:bd:db:f2:35:fc:4b:ca:fb:16:6b:f3:
         0b:34:14:d4:35:a9:8f:22:3b:6c:f5:7e:6e:41:0d:10:4a:a1:
         e9:a0:6e:07:20:d4:84:d2:1c:17:01:f7:e5:e1:46:ce:48:e0:
         0f:94:7d:ce:3f:a3:05:01:78:76:5b:ed:b7:35:e5:2a:fd:26:
         62:5e:78:90:2c:2b:b3:36:95:2a:c0:8a:34:1c:4b:41:49:b3:
         e2:44:ee:56:74:d0:17:ef:1e:6a:9b:a1:ec:4f:11:4c:64:78:
         c0:e2:f5:be:a2:d9:15:a3:96:5c:61:2a:65:f8:f8:84:b4:d2:
         81:38:c8:cb:48:cc:15:82:ae:25:44:b4:ae:e6:d3:be:33:81:
         cc:c9:4c:93:8f:2b:1e:90:32:a0:8a:a1:00:ee:d9:a3:4e:2a:
         81:a7:fd:d7:38:91:b7:2e:1d:79:9c:7b:6d:3a:a2:9d:69:8c:
         52:d8:c8:37:f8:cd:eb:ce:8d:0f:d7:33:81:2b:f3:89:ca:90:
         94:86:dd:cf:a5:18:a8:eb:93:65:d6:fc:d7:a8:f9:41:07:56:
         ab:7e:5a:ed:ca:13:9a:74:2a:b3:6a:32:86:10:0d:a1:a3:ad:
         c9:58:34:5b
This is the OpenSSL config I used.
pi@raspberrypi:~/certs $ cat fmc-01.txt
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
[req]
req_extensions = v3_req
[alt_names]
DNS.1 = fmc-01.packet.lan
Note - If I set the basic constraints to FALSE, I get a different error 'Error Basic constraints are not critical or not defined.'
Thanks
01-27-2021 04:25 AM
01-27-2021 04:35 AM
Are you importing the certificate and private key combined? Your FMC will need both in order to present the certificate as its own.
01-27-2021 04:39 AM
Hi, Marvin.
I created the CSR on the FMC and got it signed by the internal CA. I believe the private key stays with the FMC and we won't have access via the GUI.
01-27-2021 07:13 AM
I managed to fix it by setting the basic constraints field. Thanks, everyone.
pi@raspberrypi:~/certs $ cat fmc-01.txt
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
[req]
req_extensions = v3_req
[alt_names]
DNS.1 = fmc-01.packet.lan
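The fix from this thread as a local pre-import check (an added example, not code from the original posts): it signs a CSR once with `basicConstraints = CA:TRUE` and once with `critical,CA:FALSE`, then tests whether each certificate carries a critical, non-CA Basic Constraints extension. The throwaway `lab-ca`, the locally generated CSR, and the `openssl x509 -req -extfile ... -extensions v3_req` signing command are assumptions, since the thread does not show its signing steps; only the second `keyUsage` line is kept, the one reflected in the posted certificate.

```shell
#!/bin/sh
# Added example; the lab CA and local CSR are constructed stand-ins for the FMC CSR and internal CA.
set -eu

# Write the thread's extension file with the basicConstraints value given in $2.
write_ext() {
  cat > "$1" <<EOF
[ v3_req ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = $2
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = fmc-01.packet.lan
EOF
}

# Create a throwaway CA in dir $1 (once), then sign a fresh CSR with ext file $2 into cert $3.
issue_cert() {
  [ -f "$1/ca.crt" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=lab-ca' -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=fmc-01.packet.lan' \
    -keyout "$1/fmc.key" -out "$1/fmc.csr" 2>/dev/null
  openssl x509 -req -in "$1/fmc.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$2" -extensions v3_req \
    -out "$3" 2>/dev/null
}

# Succeed only if Basic Constraints is marked critical and says CA:FALSE.
is_critical_leaf() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 Basic Constraints: critical/ { getline; if ($0 ~ /CA:FALSE/) ok = 1 }
    END { exit !ok }'
}

# Issue one cert per config variant and report the result of the local check
# (this is a pre-import sanity check, not the FMC's own validation logic).
compare_configs() {
  d=$(mktemp -d)
  write_ext "$d/before.txt" 'CA:TRUE'
  write_ext "$d/after.txt" 'critical,CA:FALSE'
  for v in before after; do
    issue_cert "$d" "$d/$v.txt" "$d/$v.crt"
    if is_critical_leaf "$d/$v.crt"; then echo "$v=pass"; else echo "$v=fail"; fi
  done
  rm -rf "$d"
}
compare_configs
```

A certificate issued with plain `basicConstraints = CA:FALSE` also fails `is_critical_leaf`, which is the case the first post reports as 'Basic constraints are not critical or not defined.'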