Cisco FMC HTTPS certificate with OpenSSL

Problem

You want to install an HTTPS certificate on the Cisco Firepower Management Center (FMC).

Solution

I already have an internal CA certificate created with OpenSSL. If you don't, you only need two commands to create one yourself.

# Generate the private key. You will be prompted to create a passphrase for it.

openssl genrsa -des3 -out internalCA.key 2048

# Generate the root certificate. Enter the key passphrase when prompted and answer the questions.

openssl req -x509 -new -nodes -key internalCA.key -sha256 -days 365 -out internalCA.pem

# Now you should have two files called internalCA.key and internalCA.pem. We need both files to sign the HTTPS certificate.

Generate CSR from the FMC

Go to Settings > Configuration > HTTPS Certificate > Generate new CSR and fill in the information.

CSR

Copy the CSR and save it to a file named fmc-01.csr, the name used in the signing command further down.


Now, go back to OpenSSL and sign the certificate with the Root CA we generated in the previous step.

You also need an OpenSSL config file that defines the specific extension fields required by the FMC.

pi@raspberrypi:~/certs $ cat fmc-01.txt 
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
subjectAltName = @alt_names
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash

[req]
req_extensions = v3_req

[alt_names]
DNS.1 = fmc-01.packet.lan

When you import a server certificate to the FMC, the system rejects the certificate if it does not comply with version 3 of the X.509 standard (X.509 v3).

You can find the FMC HTTPS certificate requirements here: Firepower Management Center Configuration Guide, Version 6.1 - System Configuration [Cisco Firepower Management Center] - Cisco

Let's generate the certificate and import it into FMC.

openssl x509 -req -in fmc-01.csr -CA internalCA.pem -CAkey internalCA.key -CAcreateserial -out fmc-01.crt -days 365 -sha256 -extfile fmc-01.txt -extensions v3_req
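A pre-import check for the signed certificate, added here as an example (it is not part of the original post): it confirms the certificate chains to the internal CA, is X.509 v3 with CA:FALSE, lists the exact host name in its SAN, and carries the public key from the CSR. The function names and the throwaway CA, CSR and extension file built by make_sample are constructed for illustration; against real files, call check_fmc_cert fmc-01.crt internalCA.pem fmc-01.csr fmc-01.packet.lan.

```sh
#!/bin/sh
# check_fmc_cert CERT CA CSR HOSTNAME -> exit status 0 only if every check passes.
check_fmc_cert() {
    cert=$1 ca=$2 csr=$3 host=$4 rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # 1. The certificate chains to the internal CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: not signed by $ca"; rc=1; }
    # 2. X.509 v3, which the FMC requires on import.
    echo "$text" | grep -q 'Version: 3 ' || { echo "FAIL: not X.509 v3"; rc=1; }
    # 3. End-entity certificate, not a CA.
    echo "$text" | grep -q 'CA:FALSE' || { echo "FAIL: basicConstraints is not CA:FALSE"; rc=1; }
    # 4. SAN holds the exact host name (whole-entry match, not a substring).
    echo "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n' |
        grep -Fxq "DNS:$host" || { echo "FAIL: SAN lacks DNS:$host"; rc=1; }
    # 5. Public key is the one in the CSR, so it pairs with the key held by the FMC.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl req -in "$csr" -noout -pubkey)" ] ||
        { echo "FAIL: public key differs from CSR"; rc=1; }
    return $rc
}

# Constructed sample data: a throwaway CA, CSR and extension file standing in for
# internalCA.*, the FMC-generated CSR and fmc-01.txt. No passphrase, so it runs unattended.
make_sample() {
    d=$(mktemp -d) && cd "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 1 \
        -subj "/CN=Sample Internal CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout fmc.key -out fmc-01.csr \
        -subj "/CN=fmc-01.packet.lan" >/dev/null 2>&1
    printf '%s\n' '[ v3_req ]' 'basicConstraints=critical,CA:FALSE' \
        'subjectAltName = DNS:fmc-01.packet.lan' > ext.txt
    openssl x509 -req -in fmc-01.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out fmc-01.crt -days 1 -sha256 -extfile ext.txt -extensions v3_req >/dev/null 2>&1
    # Same CSR signed with -extfile forgotten: the result carries no SAN.
    openssl x509 -req -in fmc-01.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out bare.crt -days 1 -sha256 >/dev/null 2>&1
}

make_sample && check_fmc_cert fmc-01.crt ca.pem fmc-01.csr fmc-01.packet.lan &&
    echo "fmc-01.crt passes all pre-import checks"
```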

Copy the contents of fmc-01.crt and paste them into the FMC.

Import HTTPS Certificate

Thanks for reading.

As always, your feedback and comments are more than welcome.

Written by
Suresh Vina