cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

11382
Views
20
Helpful
21
Replies
Highlighted
Beginner

Unable to import server certificate to FMC

hi
I'm trying to import server certifacate issued by our corporate CA to FMC, but i always get error "Unable to verify certificate."

In /var/log/httpd/httpsd_error_log i see errors:

[Thu Nov 09 08:59:37.040550 2017] [cgi:error] [pid 27221] [client 10.12.91.238:33111] AH01215: No such file or directory:/etc/sf/crl.conf at /usr/local/sf/lib/perl/5.10.1/SF/X509Certificates.pm line 919.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://fmc.isd.lamoda.tech/admin/https_cert.cgi
[Thu Nov 09 08:59:37.040652 2017] [cgi:error] [pid 27221] [client 10.12.91.238:33111] AH01215: (Unable to verify certificate.) in /usr/local/sf/htdocs/admin/https_cert.cgi:163 at /usr/local/sf/lib/perl/5.10.1/SF.pm line 120.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://fmc.isd.lamoda.tech/admin/https_cert.cgi

I checked directory /etc/sf/ and there is no crl.conf in it.

What might be a reason?

21 REPLIES 21
Highlighted
Rising star

Which version is the FMC running ?

You might be hitting the bug CSCvf42713

 

Highlighted

Perhaps... buy it has fixed status in 6.2.2.1 version
and i upgrade my fmc to 6.2.2.1 and this problem still exists

Highlighted

I currently have a tac open on this myself. I too am at 6.2.2.1-73

Highlighted

I'm running 6.2.2.1 and I am getting this error as well.

Highlighted

Hello David,



6.2.2.1 is still affected by the bug. You will need to import the certificate using the CLI.


Highlighted

Thanks. I do have a ticket open with TAC but still waiting for assistance. I'm running the Threat Defense image. Is it safe to use the cli for this operation?

Highlighted

Hello David,



Yes it is safe to perform on the CLI. I have performed on multiple customer environments without any issues.



But, if one were to arise, the certificate itself can be regenerated or set to the default and then start over.


Highlighted

The openssl method from the cli works. Now we are encountering an issue in that modern browsers are ignoring the common name in  the cert and instead are using the subject alternative name. By default the Microsoft CA server doesn't issue certs with the san attribute set do we are trying to figure out how to accomplish this.

Highlighted

if you need san in your cert just add it to the Attributes field when requesting the cert from Microsoft CA.

san:dns=FQN

this will add the subject alternative name

 

As for the cert problem all's i did was create my own key and csr using openssl got a new cert, logged into the FMC sudo to root and replaced the server.key and server.crt in the /etc/ssl directory and then restarted, this fixed the problem for me.

 

Highlighted

Thanks for the tip.  I was able add the new cert by using this and copying the new cert over the server.crt file.

Highlighted
Beginner

Cisco bug CSCvg28901 matches this:

Symptom:
Certificate with Basic Constraints extension not critical will not be imported on FMC or sensor with error:
Unable to install certificate

 

I modified the extensions in my "server_cert" block, and changed to look like this:

#basicConstraints = CA:FALSE

basicConstraints = critical, CA:FALSE

 

I again signed the certificate, and this time was able to import it.

 

This link provides a good explanation as to why this is needed, but it seems to be related to signing with an intermediate CA.

Highlighted

How do you make basic constraints critical? Could you please explain a bit. 

Highlighted

It all depends what do you use for issuing certificates. You can open your certificate in XCA, it's a free tool which allows you to work on certificates and see all the properties in graphical form.

 

When you import your certificate there, you can see if Basic Constraints critical or not (here, the attribute is present):

 

Screen Shot 2017-12-07 at 10.36.26.png

 

 

You can also right-click, then go Transform>Similar Certificate>Extensions and under Basic Constraints at the top, you will see Critical button:

 

Screen Shot 2017-12-07 at 10.34.52.png

 

This must be selected on the CA for the certificates you want to issue.

 

Regards,

Radek

Highlighted

I'm using OpenSSL for this. In OpenSSL, I have a config file:

 

/root/ca/intermediate/openssl.cnf

 

This file has the following extension block, in which I find basicConstraints:

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
#basicConstraints = CA:FALSE
basicConstraints = critical, CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = <REMOVED>
authorityInfoAccess = OCSP;URI:<REMOVED>

 

I prepended "critical," and save the file.

 

When signing the CSR with OpenSSL, I used this command:

openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/fmc.mydomain.net.csr.pem -out intermediate/certs/fmc.mydomain.net.cert.pem

 

I was then able to import the certificate.

 

Content for Community-Ad