dm
Level 1

Hello!

I run 6.2.3.15.

When I click download updates in ASDM I get:

Download updates failed: Peer certificate cannot be authenticated with known CA certificates

I have 3 identical devices and all of them have the same problem.

How can I fix this?

Thank you!

20 Comments
jeckert
Level 1

Dave van roy,

Can you share any more info on your workaround, like the case number? I have a case open with TAC on the same issue and my engineer is telling me there is no workaround other than manually uploading updates when I want them.

Jeckert,

I opened a TAC yesterday and received the scripts and certificates needed to correct this issue. Be persistent, make sure they know you are on a 5506 and cannot upgrade to 6.4, and reference this thread and bug CSCvm81052. PM me if you still need a TAC case number to reference.

d9ed
Level 1

After spending 4 hours tracing the Perl scripts in /usr/local/sf/lib/perl/5.10.1/SF, I finally found the solution to this problem.

You need to have DigiCert Global Root CA and Thawte RSA CA 2018 in /etc/sf/keys/fireamp/thawte_roots.

Step 1: Go into expert mode to gain shell access.

Step 2: Use "sudo su" to switch to "root".

Step 3: Navigate to "/etc/sf/keys/fireamp/thawte_roots" and use "touch" to create 2 files named "thawte_RSA_CA_2018.pem" and "DigiCert_Global_Root_CA.pem".

Step 4: Use "chown" to change the ownership of those files to match the rest of the files in that folder.

Step 5: Use "chgrp" to change the group of those files to "floppy".

Step 6: Use "vi" to modify each file (and ":wq" to save the changes) and paste in the contents of the root CA you download from https://www.digicert.com/kb/digicert-root-certificates.htm

Step 7: Generate the OpenSSL hash value for those files using "openssl x509 -hash -noout -in <your pem filename here>".

Step 8: Make note of the hash values, because you need to create symbolic links using the "ln -s" command that point to those two PEM files. The symbolic link name should be the hash value plus ".0". For example: "3513523f.0" points to "DigiCert_Global_Root_CA.pem".

Step 9: Just reload the device and it should update as usual.
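The steps above amount to maintaining an OpenSSL "hashed" CA directory by hand: each root PEM must be reachable through a <subject-hash>.N symlink, or the TLS client never finds the issuer and reports exactly the "cannot be authenticated with known CA certificates" error. The script below is an added example (not from this thread or from Cisco) that automates steps 7 and 8 for every PEM in a directory and then checks a certificate against that directory the way the updater's TLS client would. It assumes `openssl` and `readlink` are on the PATH and that the directory path is passed in as an argument; ownership and group (steps 4 and 5) are appliance-specific and are left to the operator.

```shell
#!/bin/sh
# Added example, not the thread's or Cisco's own code.
# install_ca_links DIR
#   For every *.pem in DIR, compute the OpenSSL subject hash and create the
#   <hash>.N symlink that openssl uses for CA lookup. N starts at 0 and is
#   only incremented when a different CA already owns that hash (collision).
#   Re-running is idempotent: an existing link to the same file is reused.
#   Prints "<hash>.N <file>" for each PEM handled.
install_ca_links() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem")
        # Same command the forum post uses in step 7 (-hash == -subject_hash).
        hash=$(openssl x509 -hash -noout -in "$pem") || {
            echo "not a valid PEM certificate: $pem" >&2
            return 1
        }
        i=0
        while [ -e "$dir/$hash.$i" ]; do
            # Link already points at this very file: nothing to do.
            if [ "$(readlink "$dir/$hash.$i")" = "$name" ]; then
                break
            fi
            i=$((i + 1))
        done
        # Relative link target, as in the post's "3513523f.0 -> DigiCert_Global_Root_CA.pem".
        [ -e "$dir/$hash.$i" ] || ln -s "$name" "$dir/$hash.$i"
        echo "$hash.$i $name"
    done
}

# verify_against_dir DIR CERT
#   Returns 0 when CERT chains to a CA that openssl can find in DIR via the
#   hash links, which is the check that fails on the affected appliances.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage (paths are placeholders for the appliance directory in the post):
#   install_ca_links /etc/sf/keys/fireamp/thawte_roots
#   verify_against_dir /etc/sf/keys/fireamp/thawte_roots server_cert.pem && echo "chain OK"
```

Running `verify_against_dir` before and after `install_ca_links` is a quick way to confirm that a freshly copied root is actually usable: a PEM that sits in the directory without its hash link is invisible to OpenSSL, which is why simply dropping the file in is not enough.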

pthuland
Level 1

This solution worked perfectly for an FMCv 6.2.3, which had the same issues. I did not have to reload the FMC.

Adding the certificates on the FMC also solved a problem I had with a 5508 with Firepower services that did not want to update the policy.

jnndpp
Level 1

Had a similar issue when downloading updates via FMC v7.0.1.
My setup has my FMC behind a proxy.

The solution provided by TAC was as follows:

SSH into the FMC, go into "expert" mode and enter administrative mode with "sudo su".
Back up the current root bundle with "mv /etc/sf/keys/fireamp/thawte_roots /etc/sf/keys/fireamp/thawte_roots_bk".

v7.0.1 seems to already come with an updated CA root bundle, which is located at "/etc/ssl/certs/".
To cause the updated CA root bundle to be used for subsequent downloads, issue the command "ln -s /etc/ssl/certs/ /etc/sf/keys/fireamp/thawte_roots".

Enter the command "ls -l /etc/sf/keys/fireamp/thawte_roots" to verify the current root bundle used for downloads. The output should point to /etc/ssl/certs/.

After following these steps, I was able to download updates from FMC without errors.