
Add Firepower Management Center Certificate using CLI

In this article, I want to demonstrate how to add signed certificates to the Firepower Management Center (FMC) using the CLI.

 

If you’ve worked with the FMC for some time, you’ll know that the GUI is quite limited in the information you can enter before generating a certificate signing request (CSR).
 
In fact, a particular use case for generating CSRs for the FMC from the CLI is when you want to issue the same certificate to more than one FMC. As it stands today there is no way to accommodate this use case via the GUI; although possible, this request can only be fulfilled by using the CLI.
 
With that, in this article we will focus on how to fulfil that requirement and have one certificate issued for more than one FMC.
 
We will have our internal CA (Microsoft Server) issue an internally signed certificate that will be imported to both FMCs.
 
Demonstration Hardware & Versions
 
  • Microsoft Server 2019 (CA Server)
  • Firepower Management Center version 6.5
Note: You will require CLI root access to the FMC and admin access to the CA.
 
Populate Certificate Fields
 
The important part of the configuration below is to populate the common name with a generic name and use the Subject Alternative Name (SAN) field to list the FQDNs of the FMCs.
 
Access the CLI of each FMC and enter the following commands to populate the certificate fields before generating a CSR. You will need to carry out these tasks on both FMCs.
 
Note: This article assumes the reader has knowledge of Linux.
expert
sudo su #enter admin password#
cd /etc/ssl
vim fmccert.cnf

#Enter the below configuration and populate where necessary#

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = #ENTER INFORMATION#
stateOrProvinceName = #ENTER INFORMATION#
localityName = #ENTER INFORMATION#
organizationName = #ENTER INFORMATION#
commonName = #ENTER INFORMATION#
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = fmc1.cciesecuritylab.co.uk
DNS.2 = fmc2.cciesecuritylab.co.uk

 
Save the file once completed and check that it has been created successfully by entering the following command.
cat fmccert.cnf
 
Generate CSRs
 
Once the certificate fields have been populated, generate the CSR on each FMC by entering the following command.
openssl req -out fmc.csr -key server.key -config fmccert.cnf -new
 
Copy CSR
 
Copy the contents of the CSR to a text editor. The contents of the certificate request are required for the CA to sign the certificate for the FMCs.
cat fmc.csr
 
Sign the CSRs via the CA

In this demonstration we use Microsoft Server 2019 as the CA. These steps are covered in the video demonstration at the bottom of the page.
 
Once signed, export the certificate in Base-64 encoded format, ready to paste into the CLI of the FMCs.
 
Copy Signed Certificates to FMCs
 
On the FMCs we will now replace /etc/ssl/server.crt with the contents of our newly signed certificate. Use the following command to replace the contents of the file with the signed certificate.
vim server.crt
 
Warning: Be careful not to modify ‘server.key’; otherwise you may need to regenerate a new RSA public/private key pair.
 
Restart & Test HTTPS service
 
Once the content of the above file has been changed, the HTTPS service needs to be restarted. Enter the following commands to restart and verify the httpsd service.
pmtool restartbyid httpsd

pmtool status | grep https

#The following is an example of what you should see#
httpsd (system,gui) – Running 31632
Command: /usr/bin/httpsd -D FOREGROUND
PID File: /var/run/httpsd.pid

 
Once the service has been verified as running, test GUI access and verify that the certificate presented is correct.
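Two things can go wrong silently in the steps above: a CSR generated without the -config file drops the SAN list, and a certificate pasted into server.crt that does not belong to the server.key on the appliance will stop httpsd from coming back. The following POSIX shell script is an added example, not part of the original article or of Cisco's tooling; it assumes openssl is on PATH, works in a temporary directory rather than /etc/ssl, stands in a throwaway self-signed CA for the Microsoft CA, and uses constructed lab names (fmc1.example.lab, fmc2.example.lab) instead of the article's hostnames.

```shell
#!/bin/sh
# Added example (not from the original article): build a SAN-bearing CSR from a
# config shaped like the article's fmccert.cnf, sign it, and run the checks a
# practitioner would want before replacing /etc/ssl/server.crt on an FMC.
# Assumptions: openssl on PATH; WORKDIR is a hypothetical lab directory.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Equivalent of the article's fmccert.cnf, with constructed subject values.
write_cnf() {
  cat > "$WORKDIR/fmccert.cnf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = London
localityName = London
organizationName = Example Lab
commonName = fmc.example.lab
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = fmc1.example.lab
DNS.2 = fmc2.example.lab
EOF
}

# A throwaway key stands in for the FMC's existing /etc/ssl/server.key.
# The CSR command mirrors the article's, with the config supplying the SANs.
make_csr() {
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -config "$WORKDIR/fmccert.cnf" \
    -out "$WORKDIR/fmc.csr"
}

# Check 1: the CSR really carries the requested SAN entry (argument: a DNS name).
csr_has_san() {
  openssl req -in "$WORKDIR/fmc.csr" -noout -text | grep -q "DNS:$1"
}

# Stand-in for the Microsoft CA: a self-signed lab CA signs the CSR and copies
# the req_ext section so the SAN survives into the issued certificate.
sign_csr() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 -subj "/CN=Lab Test CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/fmc.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORKDIR/fmccert.cnf" -extensions req_ext \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Check 2: the signed certificate's public key matches the private key that
# stays on the appliance. Both sides are reduced to the DER public key and
# hashed; a mismatch means server.key was changed or the wrong cert was pasted.
cert_matches_key() {
  k=$(openssl pkey -in "$WORKDIR/server.key" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout \
      | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# Check 3: the certificate the GUI will present still lists the FMC name.
cert_has_san() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q "DNS:$1"
}

# Full run: generate, sign, and verify both names plus the key match.
run_all() {
  write_cnf && make_csr && sign_csr \
    && csr_has_san fmc1.example.lab && csr_has_san fmc2.example.lab \
    && cert_matches_key \
    && cert_has_san fmc1.example.lab && cert_has_san fmc2.example.lab
}

# Usage: sh check_fmc_cert.sh --check
if [ "${1:-}" = "--check" ]; then
  run_all && echo "CSR and certificate checks passed in $WORKDIR"
fi
```

On a real FMC, point cert_matches_key at /etc/ssl/server.key and at the certificate file you are about to paste; if the hashes differ, do not replace server.crt, because the key pair on the appliance no longer corresponds to what the CA signed.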
 
In the following screenshot you can see that the FMC used for this demonstration now has the SAN field populated.
 
 
You can also view the issued certificate by logging into the FMC GUI and navigating to System > Configuration > HTTPS Certificate as shown in the screenshot below.
 
 
Other observations
 
I’ve noticed that GUI access gets stuck when the FMC is powered off without a graceful shutdown. The message presented when attempting to access the GUI is: ‘System processes are starting, please wait.’ To fix this, you may need to restart those processes too, using the following commands:
 
View the status of the GUI processes:
pmtool status | grep -i gui
 
Restart the GUI processes:
/etc/rc.d/init.d/console restart
 
 
For a video demonstration, please see the video below.
 
 

iwiizkiid

Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.
