Articles in this section

See more

Generating a CSR for Self-Signed FMOS Certificates for the Application Server

Avatar
Permanently deleted user
  • Updated
Follow

Important: This KB is only for FireMon Self-signed certificates.

Below is how a FireMon self-signed issuer certificate string will look when running the "fmos pki show-server-cert" command on the CLI.

Issuer: /O=firemon/OU=FM/CN=FMOS Ecosystem Server CA S1

If the issuer shows a different string than above then the certificate is signed by a third-party Certificate Authority. Please follow the KB link below if your certificate is issued by a third-party Certificate Authority.

https://supportcenter.firemon.com/hc/en-us/articles/360004103494-Generating-CSR-Importing-Server-HTTPS-Certificate- 

 

For new installs, the default server certificate is now issued by the FMOS Ecosystem CA (Certificate Authority), specifically the FMOS Ecosystem Server CA S1 issuing CA. In other words, the FireMon Database server is the issuing Certificate Authority (CA) for all FireMon self-signed certificates. If certificates are signed by an external Certificate Authority (CA), FireMon will not renew those certificates upon expiration.

When certificates are signed by the FMOS CA, certificates can be regenerated/signed internally. When self-signed certificates expire, a new Certificate Signing Request (CSR) is required for the server which holds the Application Server (AS) roles. Once the CSR is signed by the internal CA, the certificate can be applied to the server and Server Control Panel (SCP) certificates. A CSR can also be generated on additional servers with roles other than AS and the subsequent certificate can be applied to the SCP certificate for those additional servers.

 

On the Application Server:

fmos pki gen-csr -K server.key server.csr

AS_cert_signing.png
*For passphrase, hit "enter" twice.

If the AS machine does not hold the CA role (not an AS/DB), copy the generated server.csr to the DB server.
    To determine if the AS (or any FMOS server) holds the CA role, execute:

     more /etc/firemon/fm_roles

    An AS holding the CA role will output, among other details, "CA_ROLE=1" after running the command above.

scp server.csr username@serverFQDN:/var/tmp

scp_cert.png

On the DB (CA):

fmos ca sign server.csr server.cer
sign_csr.png

fmos ca export-ca-cert --ca root fmosca.crt
export_ca.png
*This is the root certificate

fmos ca export-ca-cert --ca server fmosinter.crt
export_fmosinter.png

From the /var/tmp directory on the Database Server, scp the root, server, and intermediate certificate files from the Database server to the Application server.

scp fmosca.crt server.cer fmosinter.crt username@serverFQDN:/var/tmp
scp_all_certs.png

On the AS:

fmos pki import-server-cert server.cer server.key --chain fmosinter.crt
import_cert.png

fmos pki import-cpl-cert server.cer server.key --chain fmosinter.crt
import_cpl.png

fmos pki import-ca fmosca.crt
import_ca.png
At this time, we need to reboot the server that the new certificates were imported into. We will do this by using the following fmos command:

fmos reboot
reboot.png
*On average, depending on the server, this will take about 2-5 minutes
for the reboot to complete.

Related articles

Comments

0 comments

Please sign in to leave a comment.