
Trusted third-party Certificate Authority for Firepower 1120

dposmondsr7367
Level 1

I need a 3rd party CA for my new Firepower 1120. The scan stated "Please install a server certificate signed by a trusted third-party Certificate Authority" and "Please install a server certificate with recommended maximum validity". I am following the steps found in Certificate Installation and Renewal on FTD managed by FDM - Cisco. Any suggestions on a source for this cert?

Accepted Solution

Hi @dposmondsr7367 

Verisign, Comodo, GoDaddy, etc. would be examples of a Trusted Root Certificate Authority (CA). You'd create the CSR on the FTD and then send it to the CA to get the signed certificate. When you get the certificate signed you select how long you want the certificate valid for.

 

HTH


15 Replies

There are many options when going to any of these sites to get the certificate. I only need this for the 1120 itself as I am not hosting any sites. Do I need a simple SSL or something as extensive as a wildcard? Thanks

I see no reason why you'd need a wildcard certificate.

What are you actually using the certificate for?

If you require the certificate for just management purposes, most organisations rely on the default self-signed certificate. You would already be using this, so there would be nothing you need to do.

If you were hosting a Remote Access VPN then most organisations would get a certificate signed by a public CA, instead of using a self-signed certificate.

 

I am being told I need a 3rd party cert after a PCI scan.  The reason for the PCI scan is my SwipeSimple which uses my cell phone "could" access the internet via the network if data from my cell phone uses WiFi instead of cell data.  I am trying to eliminate the fails on this PCI scan.  No servers involved, they just want more than self-signed.  I have attached the scan report.  Thanks

You just need a simple SSL, set the common name as the IP address and/or define an FQDN that's registered on the internet, no need for a wildcard certificate (unless you want to). Select any of the well known providers mentioned previously.

 

Your report also mentions disabling TLS 1.0 and 1.1; you can do this using the FDM GUI from version 7.0.

Thanks.  Downloaded 7 and will install this evening after hours.  Will get SSL for the IP.  

I purchased a 2 Year Standard SSL Certificate from GoDaddy.  How do I create the CSR for the Firepower 1120 so I can send to GoDaddy and get the cert?  There is not a domain for this and I only have my static IP for the 1120.

 

I have 7.0 installed now.  Can you send me link to steps to disable TLS 1.0 and 1.1?  

Do you know of any CA SSL Cert provider that does not require a FQDN? I have tried a couple and they all want a valid domain name. I only need this cert for the Firepower 1120.

Rob, I cannot find the steps to create a CSR on the 1120.  Can you confirm the steps?

I downloaded openssl and used 

OpenSSL> rsa -in OsmondFPR1120.key -check which created a .key which I was able to use 

OpenSSL> rsa -in OsmondFPR1120.key -check and it displayed the RSA Private Key. 

I cannot create the CSR.  I used 

OpenSSL> req -new -key OsmondFPR1120.key -out OsmondFPR1120.csr
Can't open C:/OpenSSL/SSL/openssl.cnf for reading, No such file or directory
17100:error:02001003:system library:fopen:No such process:crypto/bio/bss_file.c:69:fopen('C:/OpenSSL/SSL/openssl.cnf','r')
17100:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
error in req
OpenSSL>

Any suggestions on the CSR step?
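The CSR step that this thread keeps coming back to (the accepted answer says to create the CSR and send it to the CA, and the post above fails because OpenSSL cannot find openssl.cnf), worked through as an added shell example that is not from this thread, from Cisco or from GoDaddy. It assumes the openssl command-line tool is on PATH; the address 203.0.113.10 and the organisation name are constructed placeholders, not values from the thread. Passing -config explicitly removes the dependency on OpenSSL locating a default openssl.cnf, and putting the IP address into the subjectAltName is what lets an IP-only certificate validate in modern clients; the CA still applies its own validation rules before it will sign the request.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: generate a private key and a CSR
# for a device that has only an IP address, using an explicit OpenSSL config file so
# the command does not depend on OpenSSL finding openssl.cnf on its own.
# Assumptions: the `openssl` CLI is on PATH; 203.0.113.10 and "Example Org" are
# constructed placeholder values.
set -eu

# Write a minimal request config to file $1 for IP address $2.
# The IP goes into subjectAltName: modern clients and scanners match on the SAN,
# so a CN alone is not enough for an IP-only certificate.
write_csr_config() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
C  = US
O  = Example Org
CN = $2

[ ext ]
subjectAltName   = IP:$2
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Create a 2048-bit RSA private key in $1 and a CSR in $2 for IP address $3.
make_csr() {
  cfg=$(mktemp)
  write_csr_config "$cfg" "$3"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1"
  # -config points OpenSSL at our file instead of the missing default openssl.cnf
  openssl req -new -key "$1" -config "$cfg" -out "$2"
  rm -f "$cfg"
}

# Return 0 if CSR $1 has a valid self-signature and carries IP SAN $2, else 1.
# Run this before submitting: a CSR with the wrong SAN is signed as-is by the CA.
check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -text | grep -qF "IP Address:$2" || return 1
  return 0
}

# Stand-alone usage: sh make_csr.sh demo
if [ "${1:-}" = "demo" ]; then
  make_csr device.key device.csr 203.0.113.10
  check_csr device.csr 203.0.113.10 && echo "device.csr verified; submit it to the CA"
  openssl req -in device.csr -noout -subject
fi
```

The private key stays on the host that generated it and only the .csr file goes to the CA; once the signed certificate comes back it is imported alongside that key. The check_csr step is worth keeping in the workflow because the CA signs whatever subject and SAN the request contains, so a typo in the IP only shows up when the scanner rejects the installed certificate.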

I figured out how to create the CSR

Found this Example: Blocking Older SSL/TLS Versions from the Network in the help section and blocked the older TLS.  Thanks
