THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 12-Feb-19 | Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | Firepower Management Center Software | 6.1 | 6.1.0.5, 6.1.0.6, 6.1.0.7 | |
NON-IOS | Firepower Management Center Software | 6.2 | 6.2.2.2, 6.2.2.3, 6.2.2.4, 6.2.2.5, 6.2.3, 6.2.3.1, 6.2.3.2, 6.2.3.3 | |
Defect ID | Headline |
---|---|
CSCvg28901 | Unable to install certificate message when importing certificate to the Firepower Management Center |
The Firepower Management Center (FMC) might be unable to install certificates on the Firepower security appliances.
The FMC can be used to deploy certificates in order to establish trustpoints for Firepower security appliances. If the certificate does not have the "critical" extension enabled in the "Basic Constraints" settings, the certificate might fail to install on the Firepower security appliance.
The FMC displays this error message if a certificate fails to install on the Firepower security appliance:
Unable to install certificate
In addition, these errors are recorded in the log file /var/log/httpd/httpsd_error_log:
[Tue Oct 10 08:49:37.500627 2017] [cgi:error] [pid 31306] [client 10.xxx.xx.xxx:50398] AH01215: Unable to verify certificates at /usr/local/sf/lib/perl/5.10.1/SF/X509Certificates.pm line 143.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://10.xxx.xxx.xxx/admin/https_cert.cgi
[Tue Oct 10 08:49:37.500695 2017] [cgi:error] [pid 31306] [client 10.xxx.xx.xxx:50398] AH01215: No such file or directory:/etc/sf/crl.conf at /usr/local/sf/lib/perl/5.10.1/SF/X509Certificates.pm line 907.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://10.xxx.xxx.xxx/admin/https_cert.cgi
[Tue Oct 10 08:49:37.500738 2017] [cgi:error] [pid 31306] [client 10.xxx.xx.xxx:50398] AH01215: (Unable to install certificate.) in /usr/local/sf/htdocs/admin/https_cert.cgi:168 at /usr/local/sf/lib/perl/5.10.1/SF.pm line 120.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://10.xxx.xxx.xxx/admin/https_cert.cgi
[Tue Oct 10 08:49:39.271384 2017] [cgi:error] [pid 31306] [client 10.xxx.xx.xxx:50398] AH01215: SFDB -- SF::UI::Platinum::SidemenuAdapter::drawMenu at /usr/local/sf/lib/perl/5.10.1/SF/UI/Platinum/SidemenuAdapter.pm line 263.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://10.xxx.xxx.xxx/admin/https_cert.cgi
Output from 'openssl x509 -in cert.crt -text -noout':
Not working:
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
Working:
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
Upgrade to Firepower Version 6.2.3.4 or later in order to resolve the certificate issue for affected platforms.
In order to resolve the issue without an upgrade to the Firepower software, modify the certificate to include the "critical" extension for "Basic Constraints" settings prior to certificate deployment.
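A pre-deployment check for the condition described above, as an added example that is not part of the Cisco field notice: it classifies the Basic Constraints line in `openssl x509 -text -noout` output. The function names `bc_status` and `check_cert` and the embedded samples are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.

# bc_status: read `openssl x509 -text -noout` output on stdin and print
# critical | not-critical | absent for the Basic Constraints extension.
bc_status() {
    awk '
        /X509v3 Basic Constraints:/ {
            found = 1
            # openssl prints "critical" after the colon on the extension name line
            crit = ($0 ~ /Basic Constraints:[ \t]*critical/)
        }
        END {
            if (!found)    print "absent"
            else if (crit) print "critical"
            else           print "not-critical"
        }'
}

# check_cert FILE: return 0 only if the certificate marks Basic Constraints
# critical, 1 if it does not, 2 if openssl cannot read the file.
check_cert() {
    text=$(openssl x509 -in "$1" -text -noout) || return 2
    status=$(printf '%s\n' "$text" | bc_status)
    printf '%s: Basic Constraints %s\n' "$1" "$status"
    [ "$status" = "critical" ]
}

# Constructed samples, copied from the two openssl excerpts in the notice.
sample_not_working() {
    printf '%s\n' 'X509v3 extensions:' 'X509v3 Basic Constraints:' 'CA:FALSE'
}
sample_working() {
    printf '%s\n' 'X509v3 extensions:' 'X509v3 Basic Constraints: critical' 'CA:FALSE'
}

# Classify the samples, then any certificate files given as arguments.
echo "not-working sample: $(sample_not_working | bc_status)"
echo "working sample:     $(sample_working | bc_status)"
for cert in "$@"; do
    # basicConstraints = critical,CA:FALSE is OpenSSL extension-config syntax
    check_cert "$cert" || echo "  -> reissue with basicConstraints = critical,CA:FALSE"
done
```

Run it with the certificate files as arguments before importing them on an affected FMC release; any file not reported as `critical` matches the failing case shown in the notice.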
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.