Perhaps... buy it has fixed status in 6.2.2.1 version
and i upgrade my fmc to 6.2.2.1 and this problem still exists

I currently have a tac open on this myself. I too am at 6.2.2.1-73

I'm running 6.2.2.1 and I am getting this error as well.

Thanks. I do have a ticket open with TAC but still waiting for assistance. I'm running the Threat Defense image. Is it safe to use the cli for this operation?

The openssl method from the cli works. Now we are encountering an issue in that modern browsers are ignoring the common name in  the cert and instead are using the subject alternative name. By default the Microsoft CA server doesn't issue certs with the san attribute set do we are trying to figure out how to accomplish this.

if you need san in your cert just add it to the Attributes field when requesting the cert from Microsoft CA.

san:dns=FQN

this will add the subject alternative name

As for the cert problem all's i did was create my own key and csr using openssl got a new cert, logged into the FMC sudo to root and replaced the server.key and server.crt in the /etc/ssl directory and then restarted, this fixed the problem for me.

Thanks for the tip.  I was able add the new cert by using this and copying the new cert over the server.crt file.

How do you make basic constraints critical? Could you please explain a bit. 

It all depends what do you use for issuing certificates. You can open your certificate in XCA, it's a free tool which allows you to work on certificates and see all the properties in graphical form.

When you import your certificate there, you can see if Basic Constraints critical or not (here, the attribute is present):

You can also right-click, then go Transform>Similar Certificate>Extensions and under Basic Constraints at the top, you will see Critical button:

This must be selected on the CA for the certificates you want to issue.

Regards,

Radek

I'm using OpenSSL for this. In OpenSSL, I have a config file:

/root/ca/intermediate/openssl.cnf

This file has the following extension block, in which I find basicConstraints:

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
#basicConstraints = CA:FALSE
basicConstraints = critical, CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = <REMOVED>
authorityInfoAccess = OCSP;URI:<REMOVED>

I prepended "critical," and save the file.

When signing the CSR with OpenSSL, I used this command:

openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/fmc.mydomain.net.csr.pem -out intermediate/certs/fmc.mydomain.net.cert.pem

I was then able to import the certificate.