Cisco FMC – installing certificate for pxGRID

Technology: Network Security
Area: Next Generation Firewalls
Vendor: Cisco
Software: FMC 5.X, 6.X
Platform: Firepower Management Center VM

Generating FMC Certificate for pxGrid services

1. Request

root@firepower:/Volume/home/admin# openssl req -new -key fmc.key -out fmc.csr

Enter pass phrase for fmc.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Code []:PL

State or Province Name []:

Locality Name []:

Organization Name []:Grandmetric

Organizational Unit Name []:

Common Name []:firepower

Email Address []:

root@firepower:/Volume/home/admin#

root@firepower:/Volume/home/admin#

root@firepower:/Volume/home/admin#

root@firepower:/Volume/home/admin# ls

fmc.csr  fmc.key

root@firepower:/Volume/home/admin#

2. You can display the key

root@firepower:/Volume/home/admin# more fmc.key

—–BEGIN RSA PRIVATE KEY—–

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,2D55612F1DD59A3F

Y3FpNJKTOf4gcHjICY6ln9fzn6WBUA0sUKt4hQv6h2mkrNVCbkGxRUqmm3pfSRKp

57/uC54mm3yqj/nS2hlm6nmrohpEKo2mqJgVDQq2NbSjYieIU0encUUCSEbdsNd2

lUvUlaa5INbyGxdJOS3MBkOZDkM0Vvnqf9pO81Dfavgnt8UbRRitfT+PJ5hsEwcs

JTP5L72kzJS8GY8VVyUFTQDx44GJ5A4cHFXWBKQldpeRsCZWSghVtM93dGTQNCcm

dV2sDu5wUVBmomvjEhkscxuRpZYkCMHaIcWPslI0LbS8LWd5JauET2c1dnZmcZJN

+lkYoDDL3Ylk49OR1EWTdhlche8kFJoQhJ25N8xwxKyHAdKAyHe5v/dSb/S4LN1H

Vblo9rjtQr/McYqh9peoD8pQuqqGLVvLPzci1FPn41ORSAbDt2dhXoIttnakQIcQ

Mmfoq9aE5zHFJtzYRGnl74YkH4xuCrwMKRuBgy2mAalrxtXFZ4xi4FmddD/MIgSY

L6BXeV0x7zYP9sJiy33ZhVDn4kQOU3jEILsj00b6g1uCdBRzuOixMElL0qNCrcVZ

rqWWahPxtmS5PL1YrcQ8qyBXp2z/lSNocY+zmCkSJtvPKGhKFNkCTMZfzxRf2Qa1

tkFKL1ry3qvBaPFg2bzqiAipZGChiHgw0ORhjA6FPYyUXX6mSJG5Ot3NX7xVOQhU

GwqHFGvMXX7AFTIqmtgD6yOetkb2JyhOaANtAkMHcfEaZKOTr0XX23BsYPgjQdb3

FGTQmlVHa1O9Wi8CjsiMozYFTLKjzKyDsuNkPhGEELnj+gwxKIugA72nIakD2sJt

RkCFDuEF8jxLNCKZi1jfcVn2nHlgJQb0Tpxpp7EjUHOluSBRbOK/ZhGQXynlmzka

Tw8uHQJD5CtnJ6y3ZglcYFYay87UUFtHZNvt2sBW53xj6UQwjMbKAXpJuWTI+GbB

m/hGLmwdoOM8paOgTworsEdhcwbYPuBBy1zZtqCB2F9N0QbsRNYaRIV0j2o09Rnj

8oKFXYVS1/YXXs0WEy13p8fxziNj1ziW9OQ+aAFLd5hhrctjz5af7rc5F6PEB8G9

Cr79ZyrQcY2OKWbAyLmO2RRomSjjW7xrbL1EWJA6LTC7SXo3xHnT0IJ9gCTYSn80

lMMqCRBuDtrdQ5HEz0aESuSUhQ7Boa5oPlQfrwJn7rnn4GR9LgVlRg7P5+OLeEqN

jjO9AlyWAFCaFhfh17YogunUa2/VLSRaICdLXakYY6/GUoMfuG2bn95LVf+uVCFO

4MAacQzHNP3jWR7hlRb4DJ2UKqjvfh490T3BhedGI07HIXdBGCz88zsW0ZPHUHhj

O9PqB+o6OTAj4zWMYwR6GPnHL/7HoBd6drjAR0D7hc4mxGbjnRSYxRIOZV3Pq9Ci

b6c+Vll62+ms2dYbOepi5Gdz5SHRVhWPbfKHl5HBV0VMfT0sjyyqPy21Uw3mt4Ye

Ykj+TzEiEbohmysQ8wmG6cFa2pC0SURSFyULaMQ7Rtu6TWjfdm0AkqnP/NmgNoUX

EneBzEvcZtFK1+jc9maOm+FvmUAstsQB1VRfJrDgBQVRhRI3N2zXPaZbF8GIXXFe

LWAZmNOrRjcywDuUkTOfmCBokHK7CVUnDCrgn7Tuteoa+ROfglCCovwwP8fhLDOI

XMXKA7V/+Et5+8G7P34m4yGPVDACLpUbgGoAHFbx/JeQ9Fcp8sQL1eg3gZPw+GLU

fhM8P8lOz2nEEV3oVq6C2u7+V/J1nsKqKe6DSSyUpvR01fD+6b+kEQ1lCrJL0wTp

kCQtAZbTS57rdIVoNCOoP0W29sReskcv4wW2qm0jYDLXma2h3O5fEmRO5ruWswZJ

DWARdj0PQj7T1YN9jrrUc3ewXdZzPGQPLZUxCopK2/lXqDhGRvJMUikKHzA+85Ct

M/fqNWBhqmqNEvRjYqfJP5WOm1hhzv1h+SFHXxshS9AeCbHfhJZ9r3S8/S5637HN

dmm/7N8NgO/X6TmMT+ORsqJipraEXseL6pjezDH8b1G8a+I2zejCJ/nIVoBta4Uj

tr+7BhM5ZJcsSB/vRjgoTruztN8MsvtXqy6/Ux+xgRFP2DqFMBBvB5mSY/nQMn/3

ggDHDSuvR359NISUiOzHeiRG+H5x+ikycZH5F0ANehndFrqmpcbd+aa0iRdyQnL6

+hpcoDl+3j97uwP6sN/N077lSzNfFalCoiyXgUptJmDEl1eimWDskiVPr+ezJHC7

/CEZJbdIjSWuruefm6/RlEc/t+sVm1awP9bsNDUsRfkgCycLynSRzkIYWFX9jhdQ

7ic+kVzD3P9/hoiVCCfOqVGL52OuEZh35UM01FXR5zS1JEuPRHSXDnrNJGvq0W0f

eK7y2YNtmM/vi3bTg4sP8OXZU4aUZNQk+lpUP2qkMwA0L1SlK6wc1eTLwJXuGxml

/FkWGfEpzS6Z6O5nwn6bWF/T9HCAvO++LSo/dmx4Jliveft19fFbKsbFElWmJVhp

yY9Nf6GLkH2OxQ7CkBw0qITXbW9nwcRCLbYw0RY67phdjwMjJZn+CYvOfzvKGLVs

—–END RSA PRIVATE KEY—–

3. And the request (CSR) and send for signing

—–BEGIN CERTIFICATE REQUEST—–

MIIEfDCCAmQCAQAwNzELMAkGA1UEBhMCUEwxFDASBgNVBAoTC0dyYW5kbWV0cmlj

MRIwEAYDVQQDEwlmaXJlcG93ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK

AoICAQCZy3rNUgtXI+dgu7lFKUco9yyr8zCI4W76plMrjdNDeBSS8yjYoK9kE7It

d3QiLScP2APkZo6dqT7Le1o+bnsOhX85HxvjvobNVv29RuUCHJw7WRAdL2NHEXFC

0QFQo7ASlv5rxeDckzXbJSehHzRjb/22INr6kpKzqwAdWbL8rmDP14hEyqvCGtvS

7kQ11i+I6M+8QRprLvmZEqjO3CkysVC6XXrJIslFpfYLGiHg0ZBa3A+GTW/ugcat

7eiVBun/XAKJCSUpvLraz4iv18DfudILbRt84JvhSmEuQxN/9nigmo0qqgikQcp3

VbrDsJOAHb/k2g2Zmcz7T/tlKWBi0RhQ6gpR73Yd1v0PxrMKoebZjz+JnqehKTzw

UAOHx7Za6ETFouNHYGEP0xCckaDkqbu095paqmolgnSvtG1PTn86D/uu9BpMoT+y

0/7TO2/zbYCmCVoCckIXW3JH3dYyl5/3rCGWD8UsGZmTzf3UCOQouwoXt9cZJfIr

xfvA/8uT7lWLa6MUPpznWlTmN5AaNDA688oMM5anSzXGWsm/YxaSPwRLwdG9haw+

C0Mv3l0JjsPuK0ZopAjfBe04/UL0wKhAJ9dbOhZWxc94vYXH9T1BXWGcqV1NfWDw

Ya6GAn4Dk+mmngjPrkw4PdANOpXaBC5+8hb5D+fCdoli1Fw//QIDAQABoAAwDQYJ

KoZIhvcNAQELBQADggIBACfNjn1Nce6wRueScf68ufGOxb7qIPTHfi0P9/e7xl3D

9fr4KKZQpipUQx6013pqcyhQ2LFc/DBUnqUQ2ZXNpHTE2BD4l3ytlDxZVLpFgFGj

mrIlYNqeoHxFjNzPbbhvw20Ono2Xis7OISSwC6NI4eTGVTKk/mr7FZUTD7M/qxfi

/348T0+i+aSHqa5mzzM8k3HJuy73TD4TG9Jip+NFDVl2vIoq1mBbwOiCCyB2PWDm

Bi+iv1XS8Mecp9N1gqpIH7JBUKRdBqZOKz3mdHbJYtJpPIrStz0PlQNG7jLLlyik

f+Q2YB0THzKTg/RRzLAXPnTpCpdDdeGzVUatqEvaQ0w9ygtnLDbsgJaQW/WHXEMU

1BfRhf18CDtLTX0pRr6bfKvg0gqqQBrzt0jH70nveUerM1cS/3dgmTmtgXJe69Fs

—–END CERTIFICATE REQUEST—–

4. The final part is  importing the signed certificate. Now from FMC GUI (objects -> PKI)