We are using Cisco FirePOWER services for quite some time and we are almost gurus. But one thing keeps annoying us every day: a certificate warning when we access web interface of our Defense Center (DC):
This happens because the DC uses self-signed certificate and our browsers do not trust these kind of certificates, as they should not. Fixing this not only stops annoying us, but also makes our environment more secure, because we should not use self-signed certificates when ever possible.
We have two options here. Buying a commercial certificate or installing a certificate we issued through our own PKI environment. Because no clients or partners will use the DC, we can go with our own certificate.
First we need to create a Certificate Signing Request, or CSR. System->Local->Configuration->HTTPS Certificate:
We can see that this certificate is indeed a self-signed. There are two buttons on the top right of this page: “Create New CSR” and “Import HTTPS Certificate“. We will first create a new CSR:
Then we fill appropriate fields in:
The only important thing here is the Common Name field. We can type here a short name, like in the example above, or use a FQDN, such as firesight.popravak.local. It does not really matter which one we will use, as long as we use that same name from our browser. Otherwise we will still get an error message.
When we click Generate, we will be presented with the CSR:
Before we click Close, we need to select and copy given text in text editor. Now we go to our PKI server that issues a certificates for our organization. More about issuing certificates can be found in this blog. We have to make sure that the certificate type is set to “Web Server“:
Once we receive issued certificate, we go back to the DC under System->Local->Configuration->HTTPS Certificate, but now we will click the other button – “Import HTTPS Certificate“:
Here we paste the issued certificate, which we previously opened in a text editor and copied to the clipboard:
We click Save. Now we can see that the self-signed certificate is replaced with our own:
When we now open web session to our DC, we don’t have a warning any more:
Of course, there is a catch: our clients have to trust the CA authority that issued this certificate. If we have Windows machines that are part of an Active Directory domain with the PKI infrastructure in place, this is already taken care of. In some other cases, we have to make sure that our PCs do trust this CA, otherwise the error message will still be popping up.
I’m not talking about cases where we use Firefox, for example, and choose to ignore certificate warnings. This is not how things should be done.
Thanks for reading!