10-02-2018 05:49 AM - edited 02-21-2020 08:18 AM
Hello together,
I'm using Cisco Firepower Management Center for VMware version 6.2.3.5. Today I tried to renew the HTTPS certificate under System -> Configuration -> HTTPS Certificate. I generated a request for our CA and later tried to import the new certificate, but I got an error:
"Basic constraints are not critical or not defined."
We are using the following certificate chain:
subject= /C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=DFN-PKI/CN=DFN-Verein Global Issuing CA
subject= /C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=DFN-PKI/CN=DFN-Verein Certification Authority 2
subject= /C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
What can I do to solve this problem? Any idea is welcome.
Thanks to all,
Uwe
10-19-2018 12:20 AM
Hi all,
I opened a TAC case. The Customer Support Engineer wrote me, after analyzing the tech-support, that my software is affected by CSCvg28901. The solution was quite simple: I had to exchange the certificate via the CLI only. The certificate, chain file and key are located under /etc/ssl (as root). Because I used Firesight itself to generate the CSR and to try to install the certificate, the chain file was already updated and the key stays the same.
greetings,
Uwe
10-03-2018 12:43 AM
10-03-2018 01:42 AM - edited 10-03-2018 01:45 AM
When I generated my FMC certificate (using my Windows Server 2016 CA) I used a basic web server template. I did install it on FMC 6.2.x (6.2.1 or .2, I don't recall which) at the time. It has the following attributes and has worked fine across all upgrades, including the current 6.2.3.5:
Certificate Key Usage:
Critical
Signing
Key Encipherment
...and Extended Key Usage:
Not Critical
TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
10-08-2018 04:39 AM
Hi all,
Thanks for your reply. My CA provider answered my question about basic constraints. He wrote that our use of the basic constraints extension conforms to RFC 5280 section 4.2.1.9 (page 38). All our CA certificates have the basic constraints extension "critical". Only the end-entity certificate has the value "non-critical". So a webserver certificate may have an extension value "non-critical". Per policy I have to use this CA. All our other webserver certificates are working fine. Maybe Cisco is too strict here? How can I solve this problem? Is there a possibility via the CLI? Regarding CSCvg28901, I have the fixed software 6.2.3.5. Must I open a TAC case?
Kind regards,
Uwe
10-08-2018 10:07 AM
I think TAC would be best equipped to answer since they can look interactively with you at your specific certificate.
01-10-2019 07:57 PM - edited 01-10-2019 08:04 PM
@Marvin Rhoads Thanks for the info although I could not find any such detail in the config guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/system_configuration.html?bookSearch=true#id_73638
Seems the "bug" is not a bug but an error in the documentation?
Bug ref: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg28901/?rfs=iqvred
- Regarding your web server template, I have used the same method to generate an SSL cert for my fmcv and it's failing to import because it's missing those fields (I'm struggling to find where to update the template for those fields though ;) ) ps. my template version shows 4.1, I have a Windows CA server 2012
04-17-2019 02:37 AM
Hi guys
The guide for setting up CA on Windows Server 2012R2 is good, but you need to know, that it's got to be an Enterprise version of Windows Server 2012R2, or you won't be able to use the "New > certificate template to issue" !
I haven't found confirmation, that it can be a Windows Server 2016 Standard, that you have the CA installed on, as there is no Enterprise in 2016, only Standard and Datacenter. Hope someone can clarify that bit.
Regards,
Pierre
01-10-2019 09:49 PM
Steps to create a working SSL certificate with a Windows Server CA:
To issue the cert for the FMC you need to generate the CSR on the FMC. Then what I do is use PowerShell via this command:
certreq -submit -attrib "CertificateTemplate:WebServer5year-win2012-basic-c" csr.txt
Now go to the FMC GUI and "import https server certificate".
In the box which opens you have 3 fields. If you generate the CSR on the FMC then you will not need to use the private key field. This just leaves the top field "server certificate" (which is where you paste the cert you generated from the CA) and the bottom field which is the "certificate chain". In the cert chain field, you need to include your CA cert and any intermediary CA certs there. In my case I just have one CA and no intermediaries so I just pasted in the CA cert and clicked Save.
After I did the above, the cert imported the first time without any errors at all. I simply enabled and set the basic constraints field to "critical". Seems like the "bug" here is the Cisco docs... if Cisco simply included this "requirement" in their guides it would save a lot of confusion, I think.
Hope the above helps someone (else I wasted 30 mins :) )
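Before pasting a freshly issued certificate into the FMC import dialog it is worth checking the one property this whole thread turns on: whether the Basic Constraints extension (OID 2.5.29.19) is present and flagged critical. The script below is an added example, not code from the thread, from Cisco or from any CA tooling. It uses only the Python standard library: rather than parsing the full X.509 structure it walks the DER tree and picks out the extension with that OID, so it runs on a DER file or a PEM block as returned by a CA. The sample inputs are constructed stub extension lists, not real certificates, and the `accepted` verdict is an assumption based on the wording of the FMC error message ("Basic constraints are not critical or not defined"), not Cisco's actual validation code.

```python
"""Report whether an X.509 certificate carries a critical Basic Constraints
extension.  Added example (pure stdlib); the 'accepted' verdict only mirrors
the FMC error text, it is not Cisco's validation logic."""
import base64
import re

BASIC_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x13])  # 2.5.29.19 (id-ce-basicConstraints)


def der_encode(tag, payload):
    """Minimal DER TLV encoder (lengths up to 65535), used to build the samples."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _parse_extension(ext, pos):
    """ext is an Extension SEQUENCE body; pos points just after its OID."""
    critical = False
    tag, inner, pos = _read_tlv(ext, pos)
    if tag == 0x01:                        # optional BOOLEAN critical (absent = FALSE per DER)
        critical = inner != b"\x00"
        tag, inner, pos = _read_tlv(ext, pos)
    # inner is the OCTET STRING payload: BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    _, bc, _ = _read_tlv(inner, 0)
    is_ca = False
    if bc[:1] == b"\x01":
        _, val, _ = _read_tlv(bc, 0)
        is_ca = val != b"\x00"
    return {"present": True, "critical": critical, "ca": is_ca}


def _walk(buf, found):
    """Visit every constructed DER node, collecting Basic Constraints extensions."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        if not tag & 0x20:                 # primitive: nothing to descend into
            continue
        if tag == 0x30 and value[:1] == b"\x06":   # SEQUENCE whose first element is an OID
            _, oid, after_oid = _read_tlv(value, 0)
            if oid == BASIC_CONSTRAINTS_OID:
                found.append(_parse_extension(value, after_oid))
                continue
        _walk(value, found)


def check_basic_constraints(cert):
    """cert: PEM text or DER bytes. Returns presence, criticality, cA flag and an
    'accepted' verdict for an importer that insists on a critical extension (assumption)."""
    if isinstance(cert, str):              # strip the PEM armour and decode
        body = re.sub(r"-----[^-]+-----", "", cert)
        cert = base64.b64decode("".join(body.split()))
    found = []
    _walk(cert, found)
    result = found[0] if found else {"present": False, "critical": False, "ca": False}
    result["accepted"] = result["present"] and result["critical"]
    return result


# ---- constructed samples: stub extension lists, not real certificates ----
def basic_constraints_ext(critical, ca=False):
    """Build one Extension SEQUENCE carrying Basic Constraints."""
    bc_value = der_encode(0x30, der_encode(0x01, b"\xff") if ca else b"")
    body = der_encode(0x06, BASIC_CONSTRAINTS_OID)
    if critical:
        body += der_encode(0x01, b"\xff")
    body += der_encode(0x04, bc_value)
    return der_encode(0x30, body)


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE envelope with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_NONCRITICAL = der_encode(0x30, der_encode(0x30, basic_constraints_ext(critical=False)))
SAMPLE_CRITICAL = der_encode(0x30, der_encode(0x30, basic_constraints_ext(critical=True)))
SAMPLE_MISSING = der_encode(0x30, der_encode(0x30, b""))

if __name__ == "__main__":
    for name, sample in [("noncritical", SAMPLE_NONCRITICAL), ("critical", SAMPLE_CRITICAL), ("missing", SAMPLE_MISSING)]:
        print(name, check_basic_constraints(to_pem(sample)))
```

For a real file, `check_basic_constraints(open("server.pem").read())` gives the same dictionary; a result with `present` true but `critical` false is exactly the DigiCert-style end-entity certificate that the thread reports the FMC GUI rejecting, and an `accepted` result is what the Windows template with the critical flag enabled produces.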
09-25-2019 07:15 PM
09-02-2022 05:13 AM
Let's breathe new life into this necro thread with a simple, funny solution:
instead of uploading cert + key + chain just try to upload... cert + key only.
01-06-2023 07:04 AM
This works if you create a certificate using a 3rd party.
I ran into this issue as well. Here are the two options I could find. I went with number 1 before learning about number 2.
1. Contact Cisco TAC and have them put in the cert via CLI.
2. Contact the company that issues your certificate and ask if your cert is set to critical or can be.
DigiCert made a change on January 25, 2022 to set the Basic Constraints to noncritical.
https://docs.digicert.com/en/certcentral/change-log/change-log--2022.html
Number 2 was also confirmed by my TAC engineer.