Before beginning, please ensure that all certificates are ASCII (Base64) encoded.
To generate a Certificate Signing Request (CSR), complete the following steps.
- Log on to the CLI.
- To generate a CSR, run the following command: fmos pki gen-csr csrfile.csr --new-key keyname.key
Replace "csrfile.csr" and "keyname.key" with whatever names you want.
Note: To add a Subject Alternative Name (SAN) to the CSR (so that the same certificate is valid for additional host names or IP addresses), use the following syntax, modified from the command above:
fmos pki gen-csr fmos_identity.csr -K fmos-private.key -n host1.domain.com -n host2.domain.com -n 10.10.1.1
Where "-n" indicates an individual SAN entry, and "host1.domain.com" is the first SAN entry, "host2.domain.com" is the second SAN entry, and so on. Multiple SAN entries are permitted, to suit your organization's needs.
This process creates two files: the CSR (the .csr file), which is what you send to a Certificate Authority (CA) for signing, and the key file (the .key file). The CSR carries the FMOS server's identity (its subject name and any SAN entries) together with the server's public key, which is all the CA needs to issue the certificate. The .key file holds the FMOS server's private key; it stays on the FMOS server and is what later proves that this server owns the certificate the CA returns (the .cer file). No other device has this private key, so the signed certificate can only be used by this FireMon server.
- When you run the command, it will ask you for a passphrase. You can leave this blank by pressing Enter to continue on without adding a passphrase, or if you wish you can set a passphrase. This generates the CSR and the key pair; take the CSR (only the .csr file) to the CA to get the cert created.
- Please make sure you get the complete chain as we need all certs from the Root CA to the generated device cert.
This is important. A Certificate Authority signs your certificate with its private key, and the CA's own identifying certificate was in turn signed by an authority above it. This is called a certificate chain, at the top of which is the Root Authority. Root authorities can sign identity certificates directly, but most organizations use intermediate authorities to sign most certificates (so that the root can be kept secured). All certificates from the root through the intermediates must be present on the server so that clients can validate its newly signed certificate.
- Once you have the certs, switch back to the FireMon CLI and perform the following tasks:
- Import the root cert: fmos pki import-ca root.cer
Replace the "root.cer" with the actual file name.
- Import the device cert/key: fmos pki import-server-cert device.cer keyname.key
Replace "device.cer" and "keyname.key" with the actual file names.
- Reboot the server you are installing the certificate on by running fmos reboot.
For distributed environments (multiple FMOS servers), please ensure that the root certificate is present on both the Application Server, and any existing Data Collectors. Any Data Collectors you add in the future will already contain this information as part of the ecosystem join process.
FireMon can read multiple certs from one file, but if you have intermediate certs in a separate file, you need to include them using this command: fmos pki import-server-cert device.cer keyname.key --chain intermediate.cer. Replace all file names with the appropriate file name.
Please note that for multiple intermediate certificates we recommend combining these into one file. A .pem file typically works best for this task.
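Before running the fmos pki import commands, it is worth confirming that what the CA sent back is actually usable. The following is an added example written for this page (not FireMon's code and not part of the FMOS CLI) that uses openssl to check the points made above: that the CSR carries the SAN entries you asked for with -n, that the device certificate chains to the root through the intermediate (and fails to validate when the intermediate is missing), that the signed certificate covers a SAN host name, that keyname.key is the private key belonging to device.cer, that a binary (DER) certificate can be converted to the required Base64 (PEM) form, and that several intermediates can be concatenated into one .pem for --chain. It builds a throwaway root CA, intermediate CA and server key/CSR as a constructed stand-in for the real files; the file names csrfile.csr, keyname.key, device.cer, root.cer and intermediate.cer are the article's placeholders, and the hostnames and IP are the ones from the SAN example above.

```shell
#!/bin/sh
# Added example (not FireMon's code): pre-import sanity checks with openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
subjectAltName = DNS:host1.domain.com,DNS:host2.domain.com,IP:10.10.1.1
EOF

# Constructed fixture: a throwaway root CA, an intermediate CA, a server key and CSR
# carrying the SANs from the article's -n example, and the device cert the CA issues.
make_fixture() {
  openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.cer -days 2 -subj "/CN=Example Root CA" 2>/dev/null
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout intermediate.key -out intermediate.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.cer -CAkey root.key -CAcreateserial \
    -extfile req.cnf -extensions v3_ca -out intermediate.cer -days 2 2>/dev/null
  openssl req -new -config req.cnf -reqexts v3_leaf -newkey rsa:2048 -nodes \
    -keyout keyname.key -out csrfile.csr -subj "/CN=host1.domain.com" 2>/dev/null
  openssl x509 -req -in csrfile.csr -CA intermediate.cer -CAkey intermediate.key -CAcreateserial \
    -extfile req.cnf -extensions v3_leaf -out device.cer -days 2 2>/dev/null
}

# Check 1 (SAN): print the Subject Alternative Name line of a CSR.
csr_sans() {  # usage: csr_sans csrfile.csr
  openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Check 2 (encoding): FMOS expects Base64 (PEM); convert a binary DER cert if needed.
ensure_pem() {  # usage: ensure_pem in.cer out.pem
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cp "$1" "$2"
  else openssl x509 -inform DER -in "$1" -out "$2"; fi
}

# Check 3 (chain): does the device cert validate up to the root through the given
# intermediates? It fails when an intermediate is missing, the case the article warns about.
chain_ok() {  # usage: chain_ok device.cer root.cer [intermediate.cer ...]
  leaf=$1; root=$2; shift 2
  untrusted=""
  for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
  # shellcheck disable=SC2086  # word-splitting of $untrusted is intended
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# Check 4 (name): does the signed cert actually cover a host name from the SAN list?
cert_covers_name() {  # usage: cert_covers_name device.cer root.cer intermediate.cer name
  openssl verify -CAfile "$2" -untrusted "$3" -verify_hostname "$4" "$1" >/dev/null 2>&1
}

# Check 5 (key): does keyname.key belong to device.cer? Compares the public keys.
# (If you set a passphrase on the key, openssl pkey will prompt for it.)
key_matches_cert() {  # usage: key_matches_cert device.cer keyname.key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Bundle several intermediates into one .pem for --chain; prints how many certs it holds.
bundle_chain() {  # usage: bundle_chain chain.pem intermediate1.cer [intermediate2.cer ...]
  out=$1; shift
  cat "$@" > "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

make_fixture
echo "CSR SANs: $(csr_sans csrfile.csr)"
if chain_ok device.cer root.cer intermediate.cer; then echo "chain with intermediate: OK"; fi
if chain_ok device.cer root.cer; then :; else echo "chain without intermediate: fails, as the article warns"; fi
if key_matches_cert device.cer keyname.key; then echo "keyname.key matches device.cer: OK"; fi
```

Run the real files through the same functions before importing: if chain_ok only passes once the intermediate is supplied, that intermediate (or a bundle of them) is what belongs in --chain, and if key_matches_cert fails, the certificate was issued against a different CSR than the key you are about to import.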
You can import the same signed cert you used for the application server (443) for your server control panel (55555) using this command: fmos pki import-cpl-cert device.cer