You want to install HTTPS certificate for the Cisco FirePower Management Centre (FMC)


I already have an Internal CA certificate created with OpenSSL. You only need two commands to create one for you.

#Generate private key

openssl genrsa -des3 -out internalCA.key 2048

#Generate root certificate.You need to create a passpharse for the certificaate and answer the questions.

openssl req -x509 -new -nodes -key InternalCA.key -sha256 -days 365 -out internalCA.pem

#Now you should have two files called internalCA.key and internalCA.pem. We need both files to sign the HTTPS certificate.

Generate CSR from the FMC

Go to Settings > Configuration > HTTPS Certificate > Generate new CSR and fill up the information.


Copy the CSR and save it to a file fmc.csr

Now, go back to OpenSSL and sign the certificate with the Root CA we generated in the previous step.

You also need an OpenSSL config file which is needed to define the specific fields required by the FMC.

pi@raspberrypi:~/certs $ cat fmc-01.txt 
[ v3_req ]
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash

req_extensions = v3_req

DNS.1 = fmc-01.packet.lan
When you import a server certificate to the FMC, the system rejects the certificate if it does not comply with version 3 (X.509 v3) of that standard.

You can find the FMC HTTPS certificate requirements here: Firepower Management Center Configuration Guide, Version 6.1 - System Configuration [Cisco Firepower Management Center] - Cisco

Let's generate the certificate and import into FMC.

openssl x509 -req -in fmc-01.csr -CA internalCA.pem -CAkey internalCA.key -CAcreateserial -out fmc-01.crt -days 365 -sha256 -extfile fmc-01.txt -extensions v3_req

Copy the contents of fmc-01.crt and paste it into FMC

Import HTTPS Certificate

Thanks for reading.

As always, your feedback and comments are more than welcome.