Introduction
This document describes how to troubleshoot and fix the "Identity certificate import required" error on Firepower Threat Defense (FTD) devices managed by Firepower Management Center (FMC).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Public Key Infrastructure (PKI)
- FMC
- FTD
- OpenSSL
Components Used
The information used in the document is based on these software versions:
- macOS 10.14.6
- FMC 6.4
- OpenSSL
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
Note: On FTD devices, the Certificate Authority (CA) certificate is needed before the Certificate Signing Request (CSR) is generated.
- If the CSR is generated on an external server (such as Windows Server or OpenSSL), the manual enrollment method fails, because FTD does not support manual enrollment with an externally generated private key. A different method, such as PKCS12, must be used.
Problem
When a certificate is imported in the FMC, an error is received which states that an identity certificate is required to proceed with the certificate enrollment.
Scenario 1
- Manual enrollment is selected
- CSR is generated externally (Windows Server, OpenSSL, etc.) and you do not have (or know) the private key
- A previous CA certificate is used to fill in the CA certificate information, but it is unknown whether this CA actually signed the ID certificate
Scenario 2
- Manual enrollment is selected
- CSR is generated externally (Windows Server, OpenSSL)
- You have the certificate file from the CA that signed your CSR
For both scenarios, the certificate is uploaded and a progress indication is displayed, as shown in the image.
After a couple of seconds, the FMC still states that an ID certificate is required:
This error indicates one of two things: either the CA certificate does not match the issuer information in the ID certificate, or the private key does not match the one generated by default on the FTD.
Solution
In order for this certificate enrollment to work, you must have the private key that corresponds to the ID certificate. With the use of OpenSSL, a PKCS12 file that bundles the key with the certificates is generated.
Step 1. Generate a CSR (Optional)
You can get a CSR along with its private key with the use of a third-party tool called CSR Generator (csrgenerator.com).
Once the certificate information is filled in accordingly, select the option to Generate CSR.
This provides the CSR to send to a Certificate Authority, along with its private key, which you keep:
Step 2. Sign the CSR
The CSR needs to be signed by a third-party CA (GoDaddy, DigiCert). Once the CSR is signed, a zip file is provided, which contains, among other things:
- Identity Certificate
- CA bundle (Intermediate certificate + root certificate)
Step 3. Verify and Separate the Certificates
Verify and separate the files with the use of a text editor (for example, Notepad). Create files with easily identifiable names for the private key (key.pem), the identity certificate (ID.pem) and the CA certificate (CA.pem).
In the case in which the CA bundle file has two or more certificates (1 root CA, 1 sub-CA), the root CA needs to be removed: the issuer of the ID certificate is the sub-CA, therefore the root CA is not relevant in this scenario.
Content of the file named CA.pem:
Content of the file named key.pem:
Content of the file named ID.pem:
Step 4. Merge the Certificates in a PKCS12
Merge the CA certificate along with the ID certificate and the private key into a .pfx file. You must protect this file with a passphrase. The file names must match the ones created in Step 3 (file names are case-sensitive on Linux and on macOS volumes formatted as case-sensitive):
openssl pkcs12 -export -in ID.pem -certfile CA.pem -inkey key.pem -out new-cert.pfx
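The two causes of the FMC error (a CA certificate that did not issue the ID certificate, or a private key that does not belong to it) can be checked with the OpenSSL CLI before the .pfx is built, which avoids repeating the import in Step 5. The script below is an added example and is not part of the Cisco document: it splits a CA bundle into single certificates (Step 3), finds which of them issued the ID certificate, confirms the key matches the certificate, and only then runs the Step 4 export and re-reads the result. The file names key.pem, ID.pem and CA.pem follow Step 3; the make_test_chain function, the CA names, the hostname ftd.example.test and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Cisco document: OpenSSL CLI pre-flight checks
# for the two causes of the FMC error (wrong issuer, wrong key) before the
# PKCS12 from Step 4 is built. File names key.pem, ID.pem and CA.pem follow
# Step 3; the CA names, hostname and passphrase below are constructed.
set -u

# Split a CA bundle into one file per certificate (PREFIX-1.pem, PREFIX-2.pem, ...)
# in the order they appear, and print how many certificates it contained.
split_bundle() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem" }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# Does the private key belong to the certificate? Both sides are reduced to
# their public key in PEM form and compared; a mismatch makes FTD reject the import.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Was the certificate signed by this CA? -partial_chain (OpenSSL 1.0.2 and later)
# lets the sub-CA act as trust anchor without the root, as in Step 3.
cert_issued_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# From several candidate CA files, print the one that issued the certificate.
find_issuer() {
    cert="$1"; shift
    for c in "$@"; do
        if cert_issued_by "$cert" "$c"; then printf '%s\n' "$c"; return 0; fi
    done
    return 1
}

# Step 4 with the checks in front of it. Arguments: ID cert, CA cert, private
# key, output .pfx, passphrase. Returns 2 (key mismatch), 3 (wrong issuer),
# 4 (export failed) or 0 when the .pfx was written and re-read successfully.
preflight_pkcs12() {
    id="$1"; ca="$2"; key="$3"; out="$4"; pass="$5"
    if ! key_matches_cert "$key" "$id"; then
        echo "private key does not match $id" >&2; return 2
    fi
    if ! cert_issued_by "$id" "$ca"; then
        echo "$ca is not the issuer of $id" >&2; return 3
    fi
    openssl pkcs12 -export -in "$id" -certfile "$ca" -inkey "$key" \
        -out "$out" -passout "pass:$pass" 2>/dev/null || return 4
    # Re-read the container to prove the passphrase and the bundle are intact.
    openssl pkcs12 -in "$out" -passin "pass:$pass" -noout 2>/dev/null
}

# Constructed test material: root CA -> sub-CA -> FTD identity certificate,
# plus a bundle file ordered root-then-sub, as a public CA hands it out.
make_test_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Constructed Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.pem" \
        -days 2 -extfile "$d/ca.ext" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/sub.key" -out "$d/sub.csr" \
        -subj "/CN=Constructed Sub CA" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/sub.pem" -days 2 -extfile "$d/ca.ext" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/id.csr" \
        -subj "/CN=ftd.example.test" 2>/dev/null
    openssl x509 -req -in "$d/id.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -out "$d/ID.pem" -days 2 2>/dev/null
    cat "$d/root.pem" "$d/sub.pem" > "$d/bundle.pem"
}

# Usage with real files from Step 3 (bundle.pem is the CA bundle from the zip):
#   split_bundle bundle.pem part
#   ca=$(find_issuer ID.pem part-*.pem) || { echo "no issuer in bundle" >&2; exit 1; }
#   preflight_pkcs12 ID.pem "$ca" key.pem new-cert.pfx 'your-passphrase'
```

With a bundle that contains root and sub-CA, find_issuer returns the sub-CA file, which is the only certificate that needs to go into the .pfx. If the device rejects a .pfx produced by OpenSSL 3, which encrypts the container with AES and PBKDF2 by default, repeat the export with the -legacy option so that the older PKCS12 encryption is used.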
Step 5. Import the PKCS12 Certificate in the FMC
In the FMC, navigate to Device > Certificates and import the certificate to the desired firewall:
Verify
In order to verify the certificate status along with the CA and ID information, select the icons and confirm that the certificate was successfully imported:
Select the ID icon: