In this article, we will look at how to generate a Certificate Signing Request (CSR) on your Firepower Management Centre (FMC), then complete the request and install the CA-signed certificate.
In order to complete the above, you will need access to the following:
FMC with Admin rights
CA Server with Admin rights
The following hardware and software are used for this demonstration:
FMCv version 6.5
Microsoft Server 2019
Generate the CSR on the FMC
1. Once logged into the FMC, navigate to System > Configuration > HTTPS Certificate
2. Click ‘Generate New CSR’
3. Enter the relevant details for your organization. The device name should already be pre-populated within the Common Name field. Once the fields are populated, click ‘Generate’.
4. When the box appears with the Base-64 Encoded CSR, copy the text into a text editor such as Notepad.
5. With access to your CA-Server, access the relevant location where certificates are generated. In this example, we are using Microsoft Windows Server 2019.
6. If using Microsoft Server, click ‘Request a certificate’ followed by ‘advanced certificate request’. You should now have the option to enter the copied text into the field. Paste in the copied text and click ‘Submit’. Depending on the version of the server and settings, your certificate may be downloaded automatically. If your certificate has been downloaded automatically, skip to step 11.
7. If your certificate wasn’t downloaded automatically then you may receive the following message. If you have received it, some additional steps are needed to retrieve the certificate. Follow the next steps to retrieve it.
8. Open the server manager and navigate to Tools > Certificate Authority and expand the certificate authority tree in the left-hand column. Click on ‘Pending Requests’ and you should see the certificate that you’ve just requested. Right-click on that certificate and select ‘Issue’.
9. The certificate should disappear from the ‘Pending Requests’ section and will now appear within the ‘Issued Certificates’ section. To download and install that certificate on the FMC, double-click on the certificate, click ‘Details’ and ‘Copy to File…’. A certificate wizard will open; click ‘Next’ and you will be taken to a screen asking which file format you want to use. Select ‘Base-64 Encoded X.509 (.CER)’ and click ‘Next’. Select a file name and location for your certificate, click ‘Next’ and click ‘Finish’.
10. Navigate to the location in which the certificate file was saved. Right-click on the certificate and open it with Notepad. You should now have the Base-64 text readily available for the next steps.
11. On the FMC, navigate to System > Configuration > HTTPS Certificate and click on ‘Import HTTPS Server Certificate’. When the pop-up screen appears, copy the certificate Base-64 text into the ‘Server Certificate’ section. Optionally you can also input the private key and certificate chain.
Note: If the certificate has been signed by a subordinate CA, you must also populate the ‘Certificate Chain’ field with the Sub CA certificate.
12. Once all fields have been populated, click ‘Save’ and the new certificate should now show. That’s it! Your FMC’s HTTPS certificate is now signed by the CA.
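A check worth running between steps 10 and 11, shown as an added example that is not part of the original article: using OpenSSL on a workstation, confirm that the issued certificate carries the same public key as the CSR copied in step 4, and that it verifies against the CA certificate(s) you would paste into the ‘Certificate Chain’ field. The file names, subject names and the throwaway CA, CSRs and certificate built by make_demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: checks to run on the issued certificate before importing it.
# All file names and subject names are constructed for the demo.

# Print the PEM public key found in a CSR ($1 = req) or certificate ($1 = x509).
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# Succeed only if the certificate carries the public key from the CSR, i.e.
# the CA signed the request that was actually submitted.
cert_matches_csr() {    # $1 = CSR file, $2 = certificate file
    csr_key=$(pubkey_of req "$1") && crt_key=$(pubkey_of x509 "$2") || return 2
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Succeed only if the certificate chains to the CA bundle (the root, plus the
# Sub CA certificate when a subordinate CA issued it).
chain_ok() {            # $1 = CA bundle PEM, $2 = certificate file
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build constructed test material in directory $1: a throwaway CA, a CSR
# standing in for the FMC's, the issued certificate, and an unrelated CSR.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.cer" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fmc.example.test" \
        -keyout "$1/fmc.key" -out "$1/fmc.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/fmc.csr" -CA "$1/ca.cer" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/fmc.cer" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=other.example.test" \
        -keyout "$1/other.key" -out "$1/other.csr" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) && make_demo "$dir" || return 1
    cert_matches_csr "$dir/fmc.csr" "$dir/fmc.cer" && echo "certificate matches the CSR"
    cert_matches_csr "$dir/other.csr" "$dir/fmc.cer" || echo "unrelated CSR rejected"
    chain_ok "$dir/ca.cer" "$dir/fmc.cer" && echo "chain verifies against the CA bundle"
    rm -rf "$dir"
}
demo
```

With real files, save the CSR text from step 4 and the .CER file from step 9, then call cert_matches_csr and chain_ok on them in place of the demo material.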