Cisco FMC: Update HTTPS Server certificate

I was trying to update the HTTPS certificate on a Firepower Management Center (FMC) and ran into issues doing it from both the GUI and the CLI.

Before making any changes, back up the default certificate and key from /etc/ssl.

The error I got was:

Error – Basic constraints are not critical or not defined.

There were no error indications in /var/log/messages or /var/log/httpd.

Restarted the console after hours (/etc/rc.d/init.d/console restart), but that didn't help.

After the restart I tailed all logs:

cd /var/log
pigtail all

The following clue appeared:

SOUT: 07-15 23:24:24 httpsd[19997]: Some of your private key files are encrypted for security reasons.
SOUT: 07-15 23:24:24 httpsd[19997]: In order to read them you have to provide the passphrases.
SOUT: 07-15 23:24:24 httpsd[19997]:
SOUT: 07-15 23:24:24 httpsd[19997]: Private key 127.0.0.1:443:0 (/etc/ssl/server.key)
SOUT: 07-15 23:24:24 httpsd[19997]: Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
SOUT: 07-15 23:24:24 httpsd[19997]: **Stopped

This indicates the problem is with the private key. I checked the key for validity in the ssl folder:

root@fmc01:/etc/ssl# openssl rsa -check -noout -in server.key
Enter pass phrase for server.key:
RSA key ok

The key is valid but requires a passphrase. FMC does not support passphrase-protected keys, so the key has to be exported without the passphrase:

root@fmc01:/etc/ssl# openssl rsa -in server.key -out server1.key
Enter pass phrase for server.key:
writing RSA key

Verify the new key:

root@fmc01:/etc/ssl# openssl rsa -check -noout -in server1.key
RSA key ok

Copy the new key and certificate into the ssl folder and restart the httpsd process:

pmtool restartbyid httpsd

Check to make sure the process is running:

fmc01:/etc/ssl# pmtool status | grep -i httpsd
httpsd (system,gui) – Running 2338
Command: /usr/bin/httpsd -D FOREGROUND
PID File: /var/run/httpsd.pid
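The procedure above boils down to one pre-flight check before a key goes into /etc/ssl: httpsd will refuse to start if the key carries a passphrase. Here is that check as a small POSIX shell script, an added example that is not code from the original post or from Cisco. It inspects the PEM headers (the Proc-Type/DEK-Info headers of a traditional PKCS#1 key, or the ENCRYPTED PRIVATE KEY marker of a PKCS#8 key), wraps the post's openssl check in a non-interactive form, and exercises itself on constructed sample files whose base64 bodies are placeholders, not real keys. The function names and sample file names are my own.

```shell
#!/bin/sh
# Pre-flight check for a PEM private key before it replaces /etc/ssl/server.key.
# Added example, not code from the original post or from Cisco. It only inspects
# PEM headers, which is enough to catch the passphrase problem described above.
# Exit codes: 0 = no passphrase, 1 = passphrase-protected, 2 = not a PEM private key.
check_key_unencrypted() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "$file: not readable"
        return 2
    fi
    # Every PEM private key starts with one of these BEGIN markers.
    if ! grep -Eq '^-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----' "$file"; then
        echo "$file: no PEM private key block found"
        return 2
    fi
    # PKCS#8 keys with a passphrase use their own BEGIN marker.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        echo "$file: PKCS#8 key is passphrase-protected; httpsd cannot read it"
        return 1
    fi
    # Traditional (PKCS#1) keys advertise a passphrase with Proc-Type/DEK-Info headers.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
        echo "$file: PKCS#1 key is passphrase-protected; httpsd cannot read it"
        return 1
    fi
    echo "$file: no passphrase, safe to install"
    return 0
}

# Non-interactive form of the post's "openssl rsa -check" step. An empty -passin
# keeps openssl from hanging on a prompt when the key turns out to be encrypted.
# Returns 3 when openssl is not installed so callers can tell "skipped" from "failed".
verify_with_openssl() {
    command -v openssl >/dev/null 2>&1 || return 3
    openssl rsa -check -noout -in "$1" -passin pass: >/dev/null 2>&1
}

# Constructed sample files (placeholder base64, NOT real keys) so the check can be
# exercised offline. Prints the directory that holds them.
write_samples() {
    dir="${1:-$(mktemp -d)}"
    cat > "$dir/plain.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKconstructedplaceholdernotarealkey=
-----END RSA PRIVATE KEY-----
EOF
    cat > "$dir/encrypted.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

constructedplaceholdernotarealkey=
-----END RSA PRIVATE KEY-----
EOF
    cat > "$dir/pkcs8-encrypted.key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
constructedplaceholdernotarealkey=
-----END ENCRYPTED PRIVATE KEY-----
EOF
    cat > "$dir/notakey.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
constructedplaceholdernotarealcert=
-----END CERTIFICATE-----
EOF
    echo "$dir"
}

# Run the header check over each sample; the "|| :" keeps the loop going on non-zero results.
run_demo() {
    demo_dir=$(write_samples)
    for f in plain.key encrypted.key pkcs8-encrypted.key notakey.pem; do
        check_key_unencrypted "$demo_dir/$f" || :
    done
    rm -rf "$demo_dir"
}
run_demo
```

On a real box, run check_key_unencrypted against the candidate key first; if it reports a passphrase, strip it with the openssl rsa -in/-out step from the post before copying anything into /etc/ssl, then follow up with verify_with_openssl as the equivalent of the post's RSA key ok check.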
