In this article, I want to demonstrate how to add signed certificates to the Firepower Management Center (FMC) using the CLI.
If you’ve worked with the FMC for some time, you’ll know that the GUI can be quite limited when it comes to the information you can enter before generating a Certificate Signing Request (CSR).
In fact, one particular use case for generating the FMC’s CSR from the CLI is when you want to issue the same certificate to more than one FMC. As it stands today there isn’t a way to accommodate this use case via the GUI; although possible, the request can only be fulfilled by using the CLI.
With that, in this article we will focus on how to fulfil this requirement and have one certificate issued for more than one FMC.
We will have our internal CA (Microsoft Server) issue an internally signed certificate that will be imported to both FMCs.
Demonstration Hardware & Versions
Microsoft Server 2019 (CA Server)
Firepower Management Center version 6.5
Note: You will require CLI root access to the FMC and admin access to the CA.
Populate Certificate Fields
The important part of the configuration below is to populate the Common Name with a generic name and use the Subject Alternative Name (SAN) field to list the FQDNs of the FMCs.
Access the CLI of each FMC and enter the following commands in order to populate the certificate fields before generating a CSR. You will need to carry out the following tasks on both FMCs.
Note: This article assumes the reader has knowledge of Linux.
expert
sudo su
#enter admin password#
cd /etc/ssl
vim fmccert.cnf
#Enter the below configuration and populate where necessary#
Copy the contents of the CSR to a notepad. The contents of the certificate request will be required by the CA to sign the FMCs.
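The following is an added example and not the article’s own fmccert.cnf: it builds an OpenSSL request config whose Common Name is a generic shared name and whose SAN lists the FQDN of every FMC, generates the CSR from an existing private key, and prints the SAN entries so the request can be checked before it is handed to the CA. It assumes the openssl CLI is available on the FMC; the hostnames, C/O values and the throwaway key in the demo are constructed placeholders, and on the FMC you would pass /etc/ssl/server.key instead of generating a key.

```shell
#!/bin/sh
# Added example, not the article's own config. Assumes the openssl CLI is present.
# Hostnames, C/O values and paths other than /etc/ssl are constructed placeholders.

write_fmc_cnf() {
  # $1 = output config path, $2 = generic CN, remaining arguments = FMC FQDNs for the SAN
  out=$1; cn=$2; shift 2
  {
    printf '[ req ]\n'
    printf 'distinguished_name = req_dn\n'
    printf 'req_extensions = v3_req\n'
    printf 'prompt = no\n\n'
    printf '[ req_dn ]\n'
    printf 'C = GB\n'
    printf 'O = Example Org\n'
    printf 'CN = %s\n\n' "$cn"
    printf '[ v3_req ]\n'
    printf 'subjectAltName = @alt_names\n\n'
    printf '[ alt_names ]\n'
    i=1
    for fqdn in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$fqdn"   # one DNS entry per FMC that will use this certificate
      i=$((i + 1))
    done
  } > "$out"
}

make_csr() {
  # $1 = config, $2 = existing private key (on the FMC this is /etc/ssl/server.key,
  # which must be reused rather than regenerated), $3 = CSR output path
  openssl req -new -key "$2" -config "$1" -out "$3"
}

csr_sans() {
  # Print the SAN entries of a CSR as "DNS:a,DNS:b" so both FMC names can be
  # confirmed before the request is pasted into the CA.
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Stand-alone demo with a throwaway key; on the FMC pass /etc/ssl/server.key to make_csr instead.
if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  write_fmc_cnf "$demo/fmccert.cnf" fmc.example.local fmc1.example.local fmc2.example.local
  openssl genrsa -out "$demo/demo.key" 2048 2>/dev/null
  make_csr "$demo/fmccert.cnf" "$demo/demo.key" "$demo/fmccert.csr" 2>/dev/null
  echo "SAN in CSR: $(csr_sans "$demo/fmccert.csr")"
  rm -rf "$demo"
fi
```

Because the same CSR is signed once and the resulting certificate installed on both FMCs, the SAN must contain every FMC FQDN up front; a name that is missing here cannot be added later without a new request.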
Sign the FMCs via the CA
In this demonstration, we use Microsoft Server 2019 as the CA. These steps are covered in the video demonstration at the bottom of the article.
Once signed, export the Base64 certificate contents ready to paste onto the CLI of the FMCs.
Copy Signed Certificates to the FMCs
On the FMCs we will now replace /etc/ssl/server.cert with the contents of our new signed certificate. Use the following command to replace the contents of the file with the newly signed certificate.
Warning: Be careful not to modify ‘server.key’ otherwise you may need to regenerate a new RSA public/private key pair.
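As an added example (not part of the article), the following shell functions install the CA-signed Base64 (PEM) certificate only after proving that it belongs to the existing private key, and back up the old certificate first. The check addresses the warning above: if server.key had been modified or regenerated, the signed certificate would no longer match it and httpsd would come up with a certificate/key mismatch. It assumes the openssl CLI is available on the FMC; the paths are parameters so the functions can be exercised on constructed test files, and on the FMC you would run them as root with /etc/ssl/server.cert and /etc/ssl/server.key.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the openssl CLI is present.
# Paths are parameters; on the FMC they are /etc/ssl/server.cert and /etc/ssl/server.key.

cert_matches_key() {
  # $1 = PEM certificate, $2 = PEM private key.
  # Both commands print the public key as SubjectPublicKeyInfo PEM; if the two
  # strings differ, the CSR was not generated from this key (or the key was
  # regenerated after the CSR) and the certificate must not be installed.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

install_server_cert() {
  # $1 = newly signed certificate, $2 = live certificate path, $3 = private key path.
  # Refuses to touch anything when the key check fails and never writes to $3.
  if ! cert_matches_key "$1" "$3"; then
    echo "refusing to install $1: it was not issued for the key in $3" >&2
    return 1
  fi
  if [ -f "$2" ]; then
    cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)"   # keep the previous certificate for rollback
  fi
  cp "$1" "$2"
  chmod 644 "$2"
}
```

Run the check on each FMC before restarting httpsd; because both FMCs receive the same certificate, each one’s server.key must be the same key that produced the CSR, so a mismatch on one box points at that box’s key rather than at the CA.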
Restart & Test HTTPS service
Once the content of the above file has been changed, the https service needs to be restarted. Enter the following commands in order to restart and verify the httpsd service.
pmtool restartbyid httpsd
pmtool status | grep https
#The following is an example of what you should see#
httpsd (system,gui) – Running 31632
Command: /usr/bin/httpsd -D FOREGROUND
PID File: /var/run/httpsd.pid
Once the service has been verified as running, test GUI access and verify that the certificate presented is correct.
In the following screenshot you can see that the FMC used for this demonstration now has the SAN field populated.
You can also view the issued certificate by logging into the FMC GUI and navigating to System > Configuration > HTTPS Certificate as shown in the screenshot below.
I’ve noticed that GUI access gets stuck when the FMC is powered off without a graceful shutdown. The message presented when attempting to access the GUI is: ‘System processes are starting, please wait.’ To fix this, you may need to restart those processes too using the following commands:
View the status of the GUI processes:
pmtool status | grep -i gui
Restart the GUI processes:
For a video demonstration, please see the video below.
Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working towards new technical certifications. He holds many professional certifications and, academically, he has achieved a Bachelor's and a Master's degree in Computer Networks and Cyber Security.