vsurresh
Beginner

FMCv 6.7 HTTPS certificate

Hi, all.

I'm trying to import HTTPS certificate into FMCv running 6.7 code. I'm getting an 'Error Unable to verify certificate.'

Steps I took with OpenSSL to generate the cert:

  • Generated CSR from the FMC
  • Got the CSR signed by the internal CA.
  • Tried to import the cert into FMC

This is what the cert looks like:

pi@raspberrypi:~/certs $ openssl x509 -in fmc-01.packet.lan.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:5e:9c:47:6b:1a:c1:50:e2:78:2a:39:b6:b6:f0:e8:c9:e4:2b:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = London, L = Essex, O = Packetswitch, OU = IT, CN = packetswitch
        Validity
            Not Before: Jan 26 22:20:23 2021 GMT
            Not After : May  1 22:20:23 2023 GMT
        Subject: C = GB, CN = fmc-01.packet.lan, O = Packet, OU = IT, L = London, ST = London
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a2:e8:b1:00:74:7b:5f:56:3d:63:88:86:1f:4e:
                    f0:ac:47:cc:7e:64:05:03:31:0a:bc:d0:d1:e8:b2:
                    b5:6f:07:02:fa:25:00:ad:4b:ea:0a:08:0c:1e:84:
                    55:b5:83:df:a6:a2:e6:8b:52:46:e0:2b:a6:9f:d1:
                    87:7d:6b:06:74:68:f7:87:da:60:a8:9c:9e:25:fd:
                    13:1f:79:a1:5f:af:31:7e:8d:c6:4f:7c:66:ae:31:
                    c9:f5:84:ad:df:15:2d:4f:49:50:03:ea:13:1b:65:
                    24:81:b5:48:1e:6b:59:46:f9:1c:98:17:12:21:cb:
                    e4:62:a2:07:ac:15:06:04:46:97:e5:3c:6a:3d:55:
                    f0:33:5b:b2:45:8f:e7:3d:81:60:5f:ce:ae:a5:b6:
                    02:31:ba:02:c0:8a:3a:c8:b7:c6:dc:6c:d1:ba:3f:
                    d8:98:28:43:e0:8e:07:56:68:5f:bf:55:f7:af:2c:
                    60:cf:68:1e:bb:e1:51:c4:0e:a6:8b:10:2b:38:87:
                    4e:b7:02:9f:e7:86:f9:83:db:84:29:fe:5f:94:70:
                    56:50:d9:31:aa:e9:4e:ac:9f:5f:c3:b4:03:42:ab:
                    28:67:f4:cc:b7:d2:28:e6:dd:8f:e1:12:1a:67:d1:
                    a3:5c:80:b4:c9:0d:9e:1d:f6:f2:cb:77:94:a8:1f:
                    6b:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:7E:32:E8:AF:7D:AC:29:85:68:64:B4:60:AF:FD:FC:EA:83:CA:38:8E

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:fmc-01.packet.lan
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                02:55:85:ED:D9:1F:BC:4D:FD:A8:AC:18:0D:E7:8D:A3:8E:24:11:EF
    Signature Algorithm: sha256WithRSAEncryption
         c7:15:89:6f:fa:c1:eb:f8:63:c0:76:db:3d:67:98:9a:1f:84:
         65:94:bd:8e:ce:e8:cf:bd:db:f2:35:fc:4b:ca:fb:16:6b:f3:
         0b:34:14:d4:35:a9:8f:22:3b:6c:f5:7e:6e:41:0d:10:4a:a1:
         e9:a0:6e:07:20:d4:84:d2:1c:17:01:f7:e5:e1:46:ce:48:e0:
         0f:94:7d:ce:3f:a3:05:01:78:76:5b:ed:b7:35:e5:2a:fd:26:
         62:5e:78:90:2c:2b:b3:36:95:2a:c0:8a:34:1c:4b:41:49:b3:
         e2:44:ee:56:74:d0:17:ef:1e:6a:9b:a1:ec:4f:11:4c:64:78:
         c0:e2:f5:be:a2:d9:15:a3:96:5c:61:2a:65:f8:f8:84:b4:d2:
         81:38:c8:cb:48:cc:15:82:ae:25:44:b4:ae:e6:d3:be:33:81:
         cc:c9:4c:93:8f:2b:1e:90:32:a0:8a:a1:00:ee:d9:a3:4e:2a:
         81:a7:fd:d7:38:91:b7:2e:1d:79:9c:7b:6d:3a:a2:9d:69:8c:
         52:d8:c8:37:f8:cd:eb:ce:8d:0f:d7:33:81:2b:f3:89:ca:90:
         94:86:dd:cf:a5:18:a8:eb:93:65:d6:fc:d7:a8:f9:41:07:56:
         ab:7e:5a:ed:ca:13:9a:74:2a:b3:6a:32:86:10:0d:a1:a3:ad:
         c9:58:34:5b

This is the OpenSSL config I used. 

pi@raspberrypi:~/certs $ cat fmc-01.txt 
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
# CA:TRUE on a server certificate; this is the setting the import rejects
basicConstraints=CA:TRUE
# one keyUsage line (the file originally had two; the later one, without
# dataEncipherment, is the one that ended up in the certificate above)
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = @alt_names
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash

[req]
req_extensions = v3_req

[alt_names]
DNS.1 = fmc-01.packet.lan

Note - If I set the basic constraints to FALSE, I get a different error 'Error Basic constraints are not critical or not defined.'

Thanks

1 ACCEPTED SOLUTION
vsurresh
Beginner

I managed to fix it by setting the basic constraints field. Thanks, everyone. 

pi@raspberrypi:~/certs $ cat fmc-01.txt 
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
# end-entity certificate: Basic Constraints present, marked critical, CA:FALSE
basicConstraints=critical,CA:FALSE
# one keyUsage line (the original file listed it twice; the later one won)
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = @alt_names
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash

[req]
req_extensions = v3_req

[alt_names]
DNS.1 = fmc-01.packet.lan

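Added example, not part of the original thread and not Cisco or FMC code: a shell script that reproduces the signing step with both versions of fmc-01.txt posted above (the first with CA:TRUE, the accepted one with critical,CA:FALSE) and checks the result before it is uploaded. Everything in it is constructed for the demo: a throwaway CA stands in for the poster's internal CA, the CSR and key are generated locally rather than on the FMC (in the real flow the key stays on the FMC and only the CSR is exported), the signing is done with `openssl x509 -req -extfile`, which is an assumption since the thread does not show the signing command, and the file names under `$WORK` are arbitrary. It also shows why `openssl verify` on its own is not the right pre-upload check: OpenSSL does not reject a leaf certificate that carries CA:TRUE, so the Basic Constraints line is inspected explicitly.

```shell
#!/bin/sh
# Added example (not from the original thread). Signs one CSR twice, once with
# each extension file from the thread, and checks Basic Constraints the way an
# importer would. CA, key, CSR and file names are all constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Throwaway "internal CA" standing in for the poster's Packetswitch CA.
make_ca() {
    cat > "$WORK/ca.ext" <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=GB/O=Packetswitch/OU=IT/CN=packetswitch" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -extensions v3_ca -out "$WORK/ca.crt" 2>/dev/null
}

# Stand-in for "Generated CSR from the FMC": the private key never leaves here.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=GB/ST=London/L=London/O=Packet/OU=IT/CN=fmc-01.packet.lan" \
        -keyout "$WORK/fmc-01.key" -out "$WORK/fmc-01.csr" 2>/dev/null
}

# Extension file in the shape of the thread's fmc-01.txt.
# $1 = basicConstraints value, $2 = file name.
write_extfile() {
    cat > "$WORK/$2" <<EOF
[ v3_req ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = $1
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:fmc-01.packet.lan
subjectKeyIdentifier = hash
EOF
}

# Sign the CSR with the CA, applying [ v3_req ] from extension file $1; output $2.
sign_csr() {
    openssl x509 -req -sha256 -days 825 -in "$WORK/fmc-01.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$1" -extensions v3_req -out "$WORK/$2" 2>/dev/null
}

# Print Basic Constraints as it would be written in the config ("CA:TRUE",
# "critical,CA:FALSE", ...) so the critical flag is visible as well.
basic_constraints() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 Basic Constraints/ {
            crit = ($0 ~ /critical/) ? "critical," : ""
            getline; sub(/^[ \t]+/, ""); print crit $0
        }'
}

# Pre-upload check: critical CA:FALSE Basic Constraints plus a chain that
# verifies against the CA. "openssl verify" alone accepts a CA:TRUE leaf,
# hence the explicit extension check first.
is_valid_server_cert() {
    [ "$(basic_constraints "$1")" = "critical,CA:FALSE" ] || return 1
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

demo() {
    make_ca
    make_csr
    write_extfile "CA:TRUE" bad.ext               # first config in the thread
    write_extfile "critical,CA:FALSE" good.ext    # accepted solution
    sign_csr bad.ext fmc-01-bad.crt
    sign_csr good.ext fmc-01-good.crt
    for c in fmc-01-bad.crt fmc-01-good.crt; do
        if is_valid_server_cert "$WORK/$c"; then verdict=OK; else verdict=REJECT; fi
        printf '%-16s basicConstraints=%-18s %s\n' \
            "$c" "$(basic_constraints "$WORK/$c")" "$verdict"
    done
}

demo
```

Run with `sh`; it prints one line per certificate, the first marked REJECT (CA:TRUE, as in the original fmc-01.txt) and the second OK (critical,CA:FALSE, as in the accepted solution). The same `basic_constraints` check run on the certificate a real internal CA hands back tells you before the upload which of the two errors from this thread you would hit: CA:TRUE gave 'Unable to verify certificate', and CA:FALSE without the critical flag gave 'Basic constraints are not critical or not defined'.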

4 REPLIES
Mohammed al Baqari
VIP Advisor

Hi,

When you sign the certificate, try to export it from the CA with password protection, then import it into the FMC with the 'encrypted' option checked and enter the password.

Marvin Rhoads
Hall of Fame Guru

Are you importing the certificate and private key combined? Your FMC will need both in order to present the certificate as its own.

vsurresh
Beginner

Hi, Marvin.

I created the CSR on the FMC and got it signed by the internal CA. I believe the private key stays with the FMC and we won't have access to it via the GUI.

