16.12.2020

Generate Ca Certificate And Key For Firepower


Introduction

This document describes how to generate a Certificate Signing Request (CSR) and install the resulting identity certificate for use with the Chassis Manager for Firepower eXtensible Operating System (FXOS) on the Firepower 4100 and 9300 series devices.

Prerequisites

Requirements


Cisco recommends that you have knowledge of these topics:

  • Configure FXOS from the command line
  • Certificate Signing Requests (CSRs)
  • Public Key Infrastructure (PKI) concepts

Components Used


The information in this document is based on these software and hardware versions:

  • Firepower 4100 and 9300 Series Hardware
  • FXOS Versions 1.1 and 2.0

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

After initial configuration, a self-signed SSL certificate is generated for use with the Chassis Manager web application. Because that certificate is self-signed, client browsers do not trust it automatically: the first time a new client browser accesses the Chassis Manager web interface, it shows a warning similar to "Your connection is not private" and requires the user to accept the certificate before the Chassis Manager can be reached. The procedure in this document installs a certificate signed by a trusted certificate authority instead, so that client browsers trust the connection and bring up the web interface with no warnings.

Configure

Note: There is currently no way to generate a CSR in the Chassis Manager GUI. It must be done via command line.

Generate a CSR

Perform these steps in order to obtain a certificate that contains the IP address or Fully Qualified Domain Name (FQDN) of the device, which allows a client browser to identify the server properly:

  • Create a keyring and select the modulus (private key) size. The private key is generated on the chassis; only the CSR is exported.

Note: The keyring name can be any value. In this document, firepower_cert is used.

  • Configure the CSR fields. The CSR can be generated with just the basic options, such as a subject-name. This also prompts for a certificate request password.
  • The CSR can also be generated with more advanced options that allow information such as locale and organization to be embedded in the certificate.
  • Export the CSR to provide to your certificate authority. Copy the output that starts with (and includes) -----BEGIN CERTIFICATE REQUEST----- and ends with (and includes) -----END CERTIFICATE REQUEST-----.
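Before the exported CSR text is submitted to the CA it is worth checking that it survived the copy from the terminal intact, that the Common Name is the name users will type into the browser, and that the modulus is the size that was intended. The following script is an added example and not part of the Cisco document: it constructs a sample CSR with openssl purely so that it runs offline (on a real chassis the private key stays on the device and only the CSR text is copied out), then applies the checks a practitioner would run on the pasted text. The name fp4120.example.com and the address 192.0.2.10 are placeholders. The same check applies to a CSR saved from ASDM for an ASA.

```shell
#!/bin/sh
# Added example, not part of the Cisco document: check a CSR exported from the
# FXOS CLI before it goes to the CA. The sample CSR is constructed here with
# openssl so the script runs offline; on a real chassis the private key stays
# on the device and only the CSR text is copied out.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample CSR. fp4120.example.com and 192.0.2.10 are placeholders;
# the subject carries the same fields the advanced FXOS options embed (C, ST,
# L, O, OU, CN) plus a subjectAltName with the FQDN and the IP.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/sample.key" -out "$WORK/sample.csr" \
  -subj "/C=US/ST=NC/L=RTP/O=Example Corp/OU=IT/CN=fp4120.example.com" \
  -addext "subjectAltName=DNS:fp4120.example.com,IP:192.0.2.10" 2>/dev/null

# True if the pasted text is a well-formed PEM request whose self-signature
# verifies, i.e. nothing was lost or altered when copying from the terminal.
csr_is_valid() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Common Name from the request subject.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# RSA modulus size in bits (the FXOS keyring modulus setting).
csr_key_bits() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Subject Alternative Names requested (DNS and IP entries), one line.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -E 'DNS:|IP Address:' | sed 's/^ *//'
}

# Pre-submission gate: valid signature, CN equal to the name users will type
# into the browser, and a modulus of at least MIN_BITS. Returns 0 on pass.
csr_check() {   # csr_check <csr.pem> <expected-cn> <min-bits>
  csr=$1; want_cn=$2; min_bits=$3
  csr_is_valid "$csr" || { echo "CSR is not a valid PEM request" >&2; return 1; }
  cn=$(csr_cn "$csr")
  [ "$cn" = "$want_cn" ] || { echo "CN '$cn' does not match '$want_cn'" >&2; return 1; }
  bits=$(csr_key_bits "$csr")
  [ "$bits" -ge "$min_bits" ] || { echo "key is $bits bits, want >= $min_bits" >&2; return 1; }
  return 0
}

csr_check "$WORK/sample.csr" fp4120.example.com 2048 && echo "CSR ready to submit"
csr_sans "$WORK/sample.csr"
```

To use it on a real request, save the text between the BEGIN and END lines to a file and call csr_check with that file, the FQDN users will browse to, and the modulus size chosen for the keyring; a truncated paste fails the signature check rather than being rejected later by the CA.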

Import the Certificate Authority Certificate Chain

Note: All certificates must be in Base64 (PEM) format to be imported into FXOS. If the certificate or chain received from the Certificate Authority is in a different format, such as binary DER or a PKCS#7 (.p7b) bundle, you must first convert it with an SSL tool such as OpenSSL.

  • Create a new trustpoint to hold the certificate chain.

Note: The trustpoint name can be any value. In this document, firepower_chain is used.

Note: For a Certificate Authority that uses intermediate certificates, the root and intermediate certificates must be combined into a single chain. In a text file, paste the root certificate at the top, followed by each intermediate certificate in the chain, keeping every BEGIN CERTIFICATE and END CERTIFICATE line. Then paste the contents of that entire file before the ENDOFBUF delimiter.

Import the Signed Identity Certificate for the Server

  • Associate the trustpoint created in the previous step with the keyring that was created for the CSR.
  • Paste the contents of the identity certificate provided by the Certificate Authority.

Configure Chassis Manager to Use the New Certificate


The certificate is now installed in the keyring, but the HTTPS service that serves the Chassis Manager still uses the default keyring. Associate the HTTPS service with the new keyring so that the web interface presents the new certificate.

Verify

Use this section in order to confirm that your configuration works properly.

  • show https - Output displays the keyring associated with the HTTPS server. It should show the keyring name created in the earlier steps. If it still shows default, the HTTPS service has not been updated to use the new certificate.
  • show keyring <keyring_name> detail - Output displays the contents of the imported certificate and shows whether it is valid.
  • Enter https://<FQDN_or_IP>/ in the address bar of a web browser and browse to the Firepower Chassis Manager and verify that the new trusted certificate is presented.

Warning: Browsers also check the name in the certificate against what is typed into the address bar. Modern browsers match the host against the subjectAltName (SAN) entries and ignore a Common Name that is not also present in the SAN, so if the certificate is issued to the fully qualified domain name, the Chassis Manager must be accessed by that name in the browser. If it is accessed via IP address instead, a different SSL error is thrown (Common Name Invalid) even though the trusted certificate is presented. If users reach the device both ways, request both the FQDN and the IP address in the CSR.
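The import and verification steps above (convert to Base64, assemble the chain root first, confirm the identity certificate validates against that chain, and confirm the name users browse to is covered) can all be rehearsed off-box before anything is pasted into FXOS. The following script is an added example and not part of the Cisco document: it builds a throw-away root, intermediate and identity certificate with openssl so that it runs offline, then defines the conversion, chain-assembly and verification helpers a practitioner would apply to the real files returned by the CA. fp4120.example.com, 192.0.2.10 and the CA names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Cisco document: prepare what the CA returns
# for import into FXOS and verify the result the way "show keyring ... detail"
# and a browser would. A throw-away root -> intermediate -> identity PKI is
# constructed below so the script runs offline; real deployments use the CA's
# files. fp4120.example.com and 192.0.2.10 are placeholder values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > ext.cnf <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
[leaf]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:fp4120.example.com,IP:192.0.2.10
EOF

# Constructed test PKI: self-signed root, one intermediate, one identity cert.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key \
  -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Issuing CA" 2>/dev/null
openssl x509 -req -sha256 -days 1825 -in int.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ext.cnf -extensions ca -out int.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout id.key -out id.csr \
  -subj "/C=US/ST=NC/L=RTP/O=Example Corp/CN=fp4120.example.com" 2>/dev/null
openssl x509 -req -sha256 -days 825 -in id.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -extfile ext.cnf -extensions leaf -out id.pem 2>/dev/null
# Many CAs hand back binary DER (.cer); FXOS needs Base64 PEM, so simulate that.
openssl x509 -in id.pem -outform DER -out identity.cer

# Normalise a CA-supplied file to PEM: PEM is kept, DER X.509 is converted,
# DER PKCS#7 bundles (.p7b) are unpacked; only BEGIN/END blocks are kept.
to_pem() {   # to_pem <input> <output.pem>
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    cp "$1" "$2"
  elif openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null; then
    :
  else
    openssl pkcs7 -inform DER -in "$1" -print_certs \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
  fi
}

# Trustpoint chain in the order the document specifies: root first, then each
# intermediate, every block with its BEGIN/END lines. Paste the output before
# ENDOFBUF when creating the trustpoint.
build_chain() {   # build_chain <out.pem> <root.pem> [intermediate.pem ...]
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$out"
  done
}

# Does the identity certificate chain to the root through the intermediates in
# the chain file? A chain with a missing intermediate fails here, as it would
# on the chassis.
verify_identity() {   # verify_identity <chain.pem> <identity.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate cover the host the browser will be pointed at? Browsers
# match against subjectAltName; an IP address only matches an IP SAN entry.
cert_matches() {   # cert_matches <chain.pem> <identity.pem> <fqdn-or-ip>
  case $3 in
    *[!0-9.]*) openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1 ;;
  esac
}

to_pem identity.cer identity.pem
build_chain chain.pem root.pem int.pem
verify_identity chain.pem identity.pem && echo "identity certificate chains to the root"
cert_matches chain.pem identity.pem fp4120.example.com && echo "FQDN is covered"
cert_matches chain.pem identity.pem 192.0.2.10 && echo "IP address is covered"
```

With the real files, run to_pem on each file the CA returned, build_chain on the root and intermediates, and verify_identity on the converted identity certificate; if cert_matches fails for the IP address but passes for the FQDN, that is the Common Name Invalid case from the warning above and the device must be browsed to by name.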

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

CSR Creation for Cisco Adaptive Security Appliance 5500

If you already have your SSL Certificate and just need to install it, see SSL Certificate Installation for Cisco ASA 5500 VPN.

How to generate a CSR in Cisco ASA 5500 SSL VPN/Firewall

  1. From the Cisco Adaptive Security Device Manager (ASDM), select 'Configuration' and then 'Device Management.'

  2. Expand 'Certificate Management,' then select 'Identity Certificates,' and then 'Add.'

  3. Select the button to 'Add a new identity certificate' and click the 'New...' link for the Key Pair.

  4. Select the option to 'Enter new key pair name' and enter a name (any name) for the key pair. Next, click the 'Generate Now' button to create your key pair.

    Change the key size to 2048 and leave Usage on General purpose.

  5. Next you will define the 'Certificate Subject DN' by clicking the Select button to the right of that field. In the Certificate Subject DN window, configure the following values by selecting each from the 'Attribute' drop-down list, entering the appropriate value, and clicking 'Add.'

    CN - The name through which the firewall will be accessed (usually the fully-qualified domain name, e.g., vpn.domain.com).

    OU - The name of your department within the organization (frequently this entry will be listed as 'IT,' 'Web Security,' or is simply left blank).

    O - The legally registered name of your organization/company.

    C - The two-letter ISO 3166 country code for the country in which your organization is located.

    ST - The state in which your organization is located.

    L - The city in which your organization is located.

    Please note: None of the above fields should exceed a 64 character limit. Exceeding that limit could cause problems later on while trying to install your certificate.

  6. Next, click 'Advanced' in the 'Add Identity Certificate' window.

  7. In the FQDN field, type in the fully-qualified domain name through which the device will be accessed externally, e.g., vpn.domain.com (or the same name as was entered in the CN value in step 5).

  8. Click 'OK' and then 'Add Certificate.' You will then be prompted to save your newly created CSR information as a text file (.txt extension).

    Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted.

  9. After you receive your SSL Certificate from DigiCert, you can install it.

    See SSL Certificate Installation for Cisco ASA 5500 VPN.
