Troubleshoot Certificate Error "Identity certificate import required" on FMC

Available Languages

Download Options

  • PDF     (1.0 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.0 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.2 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 29, 2020
Document ID:215856

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to troubleshoot and fix the "Identity certificate import required" error on Firepower Threat Defense (FTD) devices managed by Firepower Management Center (FMC).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Public Key Infrastructure (PKI)
    • FMC
    • FTD
    • OpenSSL

    Components Used

    The information used in the document is based on these software versions:

    • MacOS x 10.14.6
    • FMC 6.4
    • OpenSSL

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    Background information

    Note: On FTD devices, the Certificate Authority (CA) certificate is needed before the Certificate Signing Request (CSR) is generated.

    • If the CSR is generated in an external server (such as Windows Server or OpenSSL), the manual enrollment method is intended to fail, since FTD does not support manual key enrollment. A different method must be used such as PKCS12.

    Problem

    A certificate is imported in the FMC and an error is received which states that an identity certificate is required to proceed with the certificate enrollment.

    Scenario 1

    • Manual enrollment is selected
    • CSR is generated externally (Windows Server, OpenSSL, etc) and you don't have (or know) the private key information
    • A previous CA cert is used to fill the CA cert information, but it is unknown if this cert is responsible for the certificate sign

    Scenario 2

    • Manual enrollment is selected
    • CSR is generated externally (Windows Server, OpenSSL)
    • You have the certificate file from the CA that signs our CSR

    For both procedures, the certificate is uploaded and a progress indication is displayed as shown in the image.

    After a couple of seconds, the FMC still states that an ID cert is required:

    The previous error indicates that either the CA certificate does not match with the issuer information in the ID certificate or, the private key does not match with the one generated by default in the FTD.

    Solution

    In order to make this certificate enrollment to work, you must have the correspondent keys for the ID certificate. With the use of OpenSSL a PKCS12 file is generated.

    Step 1. Generate a CSR (Optional)

    You can get a CSR along with its private key with the use of a third-party tool called CSR generator (csrgenerator.com).

    Once the certificate information is filled accordingly, select the option to Generate CSR.

    This provides the CSR + Private key for us to send to a Certificate Authority:

    Step 2. Sign the CSR

    The CSR needs to be signed by a third-party CA (GoDaddy, DigiCert), once the CSR is signed, a zip file is provided, which contains among other things:

    • Identity Certificate
    • CA bundle (Intermediate certificate + root certificate)

    Step 3. Verify and Separate the Certificates

    Verify and separate the files with the use of a text editor (for example, notepad). Create the files with easily identifiable names for the private key (key.pem), identity certificate (ID.pem), CA certificate (CA.pem).

    For the case in which the CA bundle file has more than 2 certificates (1 root CA, 1 sub-CA), the root CA needs to be removed, the ID certificate issuer is the sub-CA, therefore, it is not relevant to have the root CA in this scenario.

    Content of the file named CA.pem:

    Content of the file named key.pem:

    Content of the file named ID.pem:

    Step 4. Merge the Certificates in a PKCS12

    Merge the CA certificate along with the ID Certificate and private key in a .pfx file. You must protect this file with a passphrase.

    openssl pkcs12 -export -in ID.pem -certfile ca.pem -inkey key.pem -out new-cert.pfx

    Step 5. Import the PKCS12 Certificate in the FMC

    In the FMC, navigate to Device > Certificates and import the certificate to the desired firewall:


    Verify

    In order to verify the certificate status along with the CA and ID information, you can select the icons and confirm that it was successfully imported:

    Select the ID icon:

    Revision History

    Revision Publish Date Comments
    1.0
    29-Jul-2020
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Hugo Olguin
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products