Solved: Re: unable to import a new HTTPS-certificate in Firepower Management Center

u.drechsel · ‎10-02-2018

Hello together,

I'm using Cisco Firepower Management Center for VMware version 6.2.3.5. Today I tried to renew the HTTPS-Certificate under System -> Configuration -> HTTPS Certificate. I generated a request for our CA and later I tried to import the new certificate. But I got an error:

"Basic constraints are not critical or not defined."

We are using the following certificate chain:

subject= /C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=DFN-PKI/CN=DFN-Verein Global Issuing CA

subject= /C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=DFN-PKI/CN=DFN-Verein Certification Authority 2

subject= /C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2

What can I do to solve this problem? Any idea is welcome.

Thanks to all,

Uwe

u.drechsel · ‎10-19-2018

Hi all,

I opened a TAC Case. The Customer Support Engineer wrote me after analyzing tech-support, that my software is affected by CSCvg28901. The solution was quit simple. I had to exchange the certificate via cli only. The certificate, chainfile and key is located under /etc/ssl (as root). Because I used Firesight itself to generate the CSR and to try to install the certificate, chainfile was already updated and the key keeps the same.

greetings,

Uwe

View solution in original post

mikael.lahtela · ‎10-03-2018

Hi,

There was a bug in pre 6.2.3.4, maybe you should contact Cisco TAC.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg28901

br, Micke

Marvin Rhoads · ‎10-03-2018

When I generated my FMC certificate (using my Windows Server 2016 CA) I used a basic web server template. I did install it on FMC 6.2.x (6.2.1 or .2 I don't recall which) at the time. It has the following attributes and worked fine including across all upgrades including the current 6.2.3.5:

Certificate Key Usage:

Critical
Signing
Key Encipherment

...and Extended Key Usage:

Not Critical
TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)

u.drechsel · ‎10-08-2018

Hi all,

thanks for your reply. My CA-Provider answered me to my question about basic constraints. He wrote me, that our use of basic constraints extensions is conform to RFC5280 recipe 4.2.1.9 (page 38). All our CA-Certificates have basic constraints extension "critical". Only the end-entity certificate has a value "non-critical". So a webserver certificate may have an extension-value "non-critical". Per policy I have to use this CA-authority. All our other webserver certificates are working fine. May be, that Cisco is too strict here? How can I solve this problem? Is there a possibility via cli? About CSCvg28901 I have a fixed software 6.2.3.5. Must I open a TAC-Case?

kindly regards,

Uwe

Marvin Rhoads · ‎10-08-2018

I think TAC would be best equipped to answer since they can look interactively with you at your specific certificate.

u.drechsel · ‎10-19-2018

Hi all,

I opened a TAC Case. The Customer Support Engineer wrote me after analyzing tech-support, that my software is affected by CSCvg28901. The solution was quit simple. I had to exchange the certificate via cli only. The certificate, chainfile and key is located under /etc/ssl (as root). Because I used Firesight itself to generate the CSR and to try to install the certificate, chainfile was already updated and the key keeps the same.

greetings,

Uwe

infrateam · ‎01-10-2019

@Marvin Rhoads Thanks for the info although I could not find any such detail in the config guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/system_configuration.html?bookSearch=true#id_73638

Seems the "bug" is not a bug but an error in the documentation?

Bug ref: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg28901/?rfs=iqvred

- Regarding your web server template, I have used the same method to generate a ssl cert for my fmcv and it's failing to import because it's missing those fields (I'm struggling to find where to update the template for those fields though ;) ) ps. my template version shows 4.1, I have windows CA server 2012

fgitafdusr · ‎04-17-2019

Hi guys

The guide for setting up CA on Windows Server 2012R2 is good, but you need to know, that it's got to be an Enterprise version of Windows Server 2012R2, or you won't be able to use the "New > certificate template to issue" !

I haven't found confirmation, that it can be a Windows Server 2016 Standard, that you have the CA installed on, as there is no Enterprise in 2016, only Standard and Datacenter. Hope someone can clarify that bit.

Regards,
Pierre

infrateam · ‎01-10-2019

Steps to create a working ssl certificate with Windows server CA:

go to your windows CA and go to "manage" your cert templates so you can create a new template. In my case, I had a web server template so I "duplicated" that template.
Now you need to change compatibility. Mine was initially set for windows 2003 even though my server is 2012. I set mine for windows server 2012 R2 for server and for client I set the same
Now in the "extensions" tab, select the "basic constraints" field and click edit
in the box which opens, select the 2 options "enable this extension" and "make this extension critical"
save the template
Now back at the CA (certsrv) right click certificate templates and select "new > certificate template to issue" and choose your newly created template. This makes the template available to issue certs in my understanding
now issue the cert for FMC

to issue the cert for the fmc you need to generate the CSR on the fmc. Then what I do is use powershell via this command:

certreq -submit -attrib "CertificateTemplate:WebServer5year-win2012-basic-c" csr.txt

Now go to the fmc gui and "import https server certificate"

In the box which opens you have 3 fields. If you generate the CSR on the FMC then you will not need to use the private key field. This just leaves the top field "server certificate" (which is where you paste the cert you generated from the CA) and the bottom field which is the "certificate chain". In the cert chain field, you need to include your CA cert and any intermediary CA certs there. In my case I just have one CA and no intermediaries so I just pasted in the CA cert and clicked Save.

After I done the above the cert imported first time without any errors at all. I simply enabled and set the basic constraints field to "critical". Seems like the "bug" here is the cisco docs... if Cisco simply included this "requirement" in their guides it would save a lot of confusion I think.

Hope the above helps someone (else I wasted 30 mins :) )

nloverin · ‎09-25-2019

I think your #3-4 was spot on. I added those "basic" fields and the entire CSR/Signed Cert from the GUI worked flawlessly. Thanks!

cgn_ops_noc · ‎09-02-2022

Let's blow up a new life to this necro thread with a simple funny solution:

instead of uploading cert + key + chain just try to upload... cert + key only.

justanotherguy · ‎01-06-2023

This works if you create a certificate using a 3rd party.

I ran into this issue as well. Here are the two options I could find. I went with number 1 before learning about number 2.

1. Contact Cisco TAC and have them put in the cert via CLI.

2. Contact the company that issues your certificate and ask if your cert is set to critical or can be.

DigiCert made a change January 25, 2022 to set the Basic Constrains to noncritical.

https://docs.digicert.com/en/certcentral/change-log/change-log--2022.html

Number 2 was also confirmed by my TAC engineer.