Installing Custom Certificate on FireSight Defense Center

We have been using Cisco FirePOWER services for quite some time now and we are almost gurus. But one thing keeps annoying us every day: a certificate warning when we access the web interface of our Defense Center (DC):

[screenshot]

This happens because the DC uses a self-signed certificate and our browsers do not trust this kind of certificate, as they should not. Fixing this not only stops the annoyance, but also makes our environment more secure, because we should avoid self-signed certificates whenever possible.

We have two options here: buying a commercial certificate, or installing a certificate issued through our own PKI environment. Because no clients or partners will use the DC, we can go with our own certificate.

First we need to create a Certificate Signing Request, or CSR, under System->Local->Configuration->HTTPS Certificate:

[screenshot]

We can see that this certificate is indeed self-signed. There are two buttons at the top right of this page: “Create New CSR” and “Import HTTPS Certificate”. We will first create a new CSR:

[screenshot]

Then we fill in the appropriate fields:

[screenshot]

The only important thing here is the Common Name field. We can type a short name here, like in the example above, or use an FQDN, such as firesight.popravak.local. It does not really matter which one we use, as long as we use that same name from our browser. Otherwise we will still get an error message.

When we click Generate, we will be presented with the CSR:

[screenshot]

Before we click Close, we need to select the given text and copy it into a text editor. Now we go to our PKI server that issues certificates for our organization. More about issuing certificates can be found in this blog. We have to make sure that the certificate type is set to “Web Server”:

[screenshot]

Once we receive the issued certificate, we go back to the DC under System->Local->Configuration->HTTPS Certificate, but now we click the other button, “Import HTTPS Certificate”:

[screenshot]

Here we paste the issued certificate, which we previously opened in a text editor and copied to the clipboard:

[screenshot]

We click Save. Now we can see that the self-signed certificate has been replaced with our own:

[screenshot]

When we now open a web session to our DC, we don’t get a warning any more:

[screenshot]

Of course, there is a catch: our clients have to trust the CA that issued this certificate. If we have Windows machines that are part of an Active Directory domain with the PKI infrastructure in place, this is already taken care of. In other cases, we have to make sure that our PCs trust this CA; otherwise the error message will keep popping up.

I’m not talking about cases where we use Firefox, for example, and choose to ignore certificate warnings. This is not how things should be done.


Thanks for reading!



One Response to Installing Custom Certificate on FireSight Defense Center

  1. Igor says:

    please keep in mind that with recent versions of the Google Chrome browser, you will still receive a warning, since the SSL certificate does not include a SAN (Subject Alternative Name).
    An additional problem is that the CSR form of the Firepower management GUI does not include a field to specify a SAN in the CSR.

    More info could be found here:
    But, also keep in mind that the proposed solution from Cisco is not completely correct! 🙂
    If you follow their guidelines then you will face an SSL import problem:

    So, one of the solutions is:
    – use the existing server private key (/etc/ssl/server.key)
    – generate a CSR (with the existing server private key /etc/ssl/server.key) with the openssl command: openssl req -out cfmc.csr -key server.key -config san.cnf -new
    where san.cnf is something like the following:

    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    [ req_distinguished_name ]
    countryName = YOUR_COUNTRY_CODE_HERE
    stateOrProvinceName = YOUR_STATE_HERE
    localityName = YOUR_LOCALITY_HERE
    organizationName = YOUR_ORGANISATION_HERE
    commonName = YOUR_FQDN_HERE
    [ req_ext ]
    subjectAltName = @alt_names
    # the section referenced by @alt_names above; openssl fails without it
    [ alt_names ]
    DNS.1 = YOUR_FQDN_HERE

    NOTE: you will need to log in as root in order to perform the above:
    login as: admin
    sudo su -

    – Based on the generated cfmc.csr, obtain a certificate from your CA and save it as server.crt
    – Replace the existing server certificate (/etc/ssl/server.crt) with the new one
    – Reboot the server
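An added example, not code from the post or from Igor's comment above: a POSIX shell script that follows the approach the comment describes (a CSR whose openssl config carries a SAN) and then checks that the SAN actually made it into the CSR and into the certificate before it is imported into the DC. It assumes the openssl CLI is installed; the self-signing function is only a stand-in for the organisation's CA so the check can run offline, and the file paths are constructed for the demo (the comment points at /etc/ssl/server.key and /etc/ssl/server.crt on a real DC).

```shell
#!/bin/sh
# Added example, not code from the post or from Igor's comment.
# Builds a CSR whose config carries a SAN, then checks with openssl that
# the SAN is present in the CSR and in the certificate that comes back.
# Assumes the openssl CLI. Paths are constructed for the demo; on a real
# DC the comment points at /etc/ssl/server.key and /etc/ssl/server.crt.

# Write san.cnf for the given FQDN and generate key + CSR in $workdir.
make_san_csr() {
    fqdn="$1"; workdir="$2"
    cat > "$workdir/san.cnf" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
CN = $fqdn
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$workdir/server.key" -out "$workdir/server.csr" \
        -config "$workdir/san.cnf" >/dev/null 2>&1
}

# Succeeds only if the CSR's requested extensions list DNS:<fqdn>.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-in for the organisation's CA (a self-signed cert is NOT what the
# post recommends; it exists only so the check below can run offline).
# -extensions req_ext copies the SAN into the cert, as a real CA must.
demo_sign_csr() {
    workdir="$1"
    openssl x509 -req -in "$workdir/server.csr" -signkey "$workdir/server.key" \
        -days 30 -extfile "$workdir/san.cnf" -extensions req_ext \
        -out "$workdir/server.crt" >/dev/null 2>&1
}

# Check the issued certificate before importing it into the DC: Chrome
# matches the browser hostname against the SAN, not the CN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```

Run cert_has_san against the certificate your CA returns: if it fails, the CA dropped the requested SAN and the Chrome warning from the comment will remain after import.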

