In this article I want to demonstrate how to add signed certificates to the Firepower Management Center (FMC) using the CLI.
If you've worked with the FMC for some time, you'll know that the GUI can be quite limited when it comes to the sort of information you can enter before generating a certificate signing request (CSR).
In fact, a particular use case for generating CSRs for the FMC via the CLI is when you want to issue the same certificate to more than one FMC. As it stands today there isn't a way to accommodate this use case via the GUI, and although it is possible, this request can only be fulfilled by using the CLI.
With that, in this article we will focus on how we can fulfil the mentioned requirement and have one certificate issued for more than one FMC.
We will have our internal CA (Microsoft Server) issue an internally signed certificate that will be imported to both FMCs.
Demonstration Hardware & Versions
Microsoft Server 2019 (CA Server)
Firepower Management Center version 6.5
Note: You will require CLI root access to the FMC and admin access to the CA
Populate Certificate Fields
The important part of the configuration below is to populate the common name with a generic name and use the Subject Alternative Name (SAN) field to populate the FQDNs of the FMCs.
Access the CLI of each FMC and enter the following commands in order to populate the certificate fields before generating a CSR. You will need to carry out the following tasks on both FMCs.
Note: This article assumes the reader has knowledge of Linux
expert
sudo su
#enter admin password#
cd /etc/ssl
vim fmccert.cnf
#Enter the below configuration and populate where necessary#
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = #ENTER INFORMATION#
stateOrProvinceName = #ENTER INFORMATION#
localityName = #ENTER INFORMATION#
organizationName = #ENTER INFORMATION#
commonName = #ENTER INFORMATION#
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = fmc1.cciesecuritylab.co.uk
DNS.2 = fmc2.cciesecuritylab.co.uk
Save the file once completed and check that the file has been created successfully by entering the following commands.
Once the certificate fields have been populated, generate the CSR on each FMC by entering the following command.
openssl req -out fmc.csr -key server.key -config fmccert.cnf -new
Copy the contents of the CSR to a notepad. The contents of the certificate request will be required when the CA signs the certificate for the FMCs.
Sign the FMCs' CSR via the CA
In this demonstration we use Microsoft Server 2019 as a CA. These steps are covered in the video demonstration at the bottom of the page.
Once signed, export the Base64 certificate contents ready to paste into the CLI of the FMCs.
Copy Signed Certificates to FMCs
On the FMCs we will now replace /etc/ssl/server.cert with the contents of our new signed certificate. Use the following command to replace the contents of the file with the newly signed certificate.
Warning: Be careful not to modify 'server.key' otherwise you may need to regenerate a new RSA public/private key pair.
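The following is an added example and is not part of the original article or Cisco's tooling. It builds the same style of SAN config in a scratch directory (never /etc/ssl), generates server.key and fmc.csr with the same openssl invocation, and adds two checks worth running before server.cert is replaced: that both FMC names are present in the CSR and in the issued certificate, and that the issued certificate's public key actually matches the server.key kept on the FMC. It assumes openssl is on PATH; the DN values and hostnames are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Builds the SAN config, generates server.key and fmc.csr in a scratch
# directory (never /etc/ssl), and provides two checks to run before replacing
# server.cert on an FMC. Assumes 'openssl' is on PATH; DN values and hostnames
# below are constructed sample data.
set -eu
WORK="${WORK:-$(mktemp -d)}"

write_cnf() {   # config with a generic CN and both FMC FQDNs as SANs
  cat > "$WORK/fmccert.cnf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = London
localityName = London
organizationName = Example Lab
commonName = fmc.cciesecuritylab.co.uk
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = fmc1.cciesecuritylab.co.uk
DNS.2 = fmc2.cciesecuritylab.co.uk
EOF
}

gen_csr() {     # same openssl invocation as the article, against the scratch key
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -out "$WORK/fmc.csr" -key "$WORK/server.key" -config "$WORK/fmccert.cnf" -new
}

# Check 1: list the SAN DNS names in a CSR ("req") or certificate ("x509"),
# one per line, so both FMC names can be confirmed before and after signing.
list_sans() {
  openssl "$1" -in "$2" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Check 2: succeed only if the certificate's public key matches server.key.
# A mismatch means the certificate was issued for a different key; installing
# it as server.cert would break HTTPS, which is what the server.key warning
# above is guarding against.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}
```

On a real FMC, run cert_matches_key against the Base64 file exported from the CA with WORK pointed at a copy of /etc/ssl/server.key, and only then replace server.cert.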
Restart & Test HTTPS service
Once the content of the above file has been changed, the HTTPS service needs to be restarted. Enter the following commands in order to restart and verify the httpsd service.
pmtool restartbyid httpsd
pmtool status | grep https
#The following is an example of what you should see#
httpsd (system,gui) - Running 31632
Command: /usr/bin/httpsd -D FOREGROUND
PID File: /var/run/httpsd.pid
Once the service has been verified as running, test GUI access and verify that the certificate presented is correct.
In the following screenshot you can see that the FMC used for this demonstration now has the SAN field populated.
You can also view the issued certificate by logging into the FMC GUI and navigating to System > Configuration > HTTPS Certificate as shown in the screenshot below.
I've noticed that GUI access is stuck when powering off the FMC without gracefully shutting it down. The message presented when attempting to access the GUI is: 'System processes are starting, please wait.' To fix this, you may need to restart those processes too using the following commands:
View the status of the GUI processes:
pmtool status | grep -i gui
Restart the GUI processes:
For a video demonstration, please see the video below.