Cisco FMC HTTPS Certificate with OpenSSL
Problem
You want to install an HTTPS certificate on the Cisco Firepower Management Center (FMC).
Solution
I already have an internal CA certificate created with OpenSSL. If you don't, you only need two commands to create one.
#Generate private key
openssl genrsa -des3 -out internalCA.key 2048
#Generate root certificate. You need to enter the passphrase for the private key and answer the questions.
openssl req -x509 -new -nodes -key internalCA.key -sha256 -days 365 -out internalCA.pem
#Now you should have two files called internalCA.key and internalCA.pem. We need both files to sign the HTTPS certificate.
Generate CSR from the FMC
Go to Settings > Configuration > HTTPS Certificate > Generate new CSR and fill in the information.
Copy the CSR and save it to a file named fmc-01.csr, the name used in the signing command further down.
Now, go back to OpenSSL and sign the certificate with the root CA we generated in the previous step.
You also need an OpenSSL config file that defines the specific fields required by the FMC.
pi@raspberrypi:~/certs $ cat fmc-01.txt
[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
subjectAltName = @alt_names
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
[req]
req_extensions = v3_req
[alt_names]
DNS.1 = fmc-01.packet.lan
When you import a server certificate to the FMC, the system rejects the certificate if it is not an X.509 version 3 (X.509 v3) certificate.
You can find the FMC HTTPS certificate requirements here: Firepower Management Center Configuration Guide, Version 6.1 - System Configuration [Cisco Firepower Management Center] - Cisco
Let's generate the certificate and import it into FMC.
openssl x509 -req -in fmc-01.csr -CA internalCA.pem -CAkey internalCA.key -CAcreateserial -out fmc-01.crt -days 365 -sha256 -extfile fmc-01.txt -extensions v3_req
Copy the contents of fmc-01.crt and paste it into FMC.
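A pre-import check for the signed certificate, as an added example that is not part of the original post: it confirms the certificate is X.509 v3, has the FMC hostname in subjectAltName and the serverAuth EKU, chains to the internal CA, and carries the same public key as the CSR. The function names check_fmc_cert and make_demo, the throwaway demo CA and the locally generated CSR (standing in for the one the FMC produces) are assumptions constructed for the example.

```shell
# check_fmc_cert CERT CA CSR DNSNAME: returns 0 only if every check passes.
check_fmc_cert() {
    cert=$1; ca=$2; csr=$3; name=$4; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    # The FMC rejects a certificate that is not X.509 v3.
    echo "$text" | grep -q 'Version: 3 (0x2)' || { echo "FAIL: not X.509 v3"; rc=1; }
    # The FMC hostname must appear as an exact subjectAltName DNS entry.
    echo "$text" | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$name" \
        || { echo "FAIL: SAN lacks $name"; rc=1; }
    echo "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: no serverAuth EKU"; rc=1; }
    # The certificate must chain to the internal CA.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: not signed by $ca"; rc=1; }
    # Its public key must be the one in the CSR, whose private key stays on the FMC.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl req -in "$csr" -noout -pubkey)" ] \
        || { echo "FAIL: public key differs from CSR"; rc=1; }
    return $rc
}

# Constructed test data in directory $1: a throwaway CA and a local CSR standing in for the FMC's.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -days 1 \
        -subj '/CN=Demo Internal CA' -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/fmc.key" \
        -subj '/CN=fmc-01.packet.lan' -out "$d/fmc.csr" 2>/dev/null
    cat > "$d/ext.cnf" <<'EOF'
[ v3_req ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = fmc-01.packet.lan
EOF
    # good.crt is signed with the extension file; bare.crt is signed without it.
    openssl x509 -req -in "$d/fmc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$d/ext.cnf" -extensions v3_req -out "$d/good.crt" 2>/dev/null
    openssl x509 -req -in "$d/fmc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -sha256 -out "$d/bare.crt" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir"
check_fmc_cert "$demo_dir/good.crt" "$demo_dir/ca.pem" "$demo_dir/fmc.csr" fmc-01.packet.lan \
    && echo "good.crt: passes all checks"
check_fmc_cert "$demo_dir/bare.crt" "$demo_dir/ca.pem" "$demo_dir/fmc.csr" fmc-01.packet.lan \
    || echo "bare.crt: fails the checks"
```

For the real files from this post, the call is check_fmc_cert fmc-01.crt internalCA.pem fmc-01.csr fmc-01.packet.lan.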
Thanks for reading.
As always, your feedback and comments are more than welcome.