Important: This KB applies only to FireMon self-signed certificates, that is, certificates issued by the built-in FMOS CA.
Below is how the issuer string of a FireMon self-signed certificate looks in the output of the "fmos pki show-server-cert" command on the CLI.
Issuer: /O=firemon/OU=FM/CN=FMOS Ecosystem Server CA S1
If the issuer shows a different string than the one above, the certificate was signed by a third-party Certificate Authority and this procedure does not apply; follow the separate KB for certificates issued by a third-party Certificate Authority instead.
For new installs, the default server certificate is issued by the FMOS Ecosystem CA (Certificate Authority), specifically by the FMOS Ecosystem Server CA S1 issuing CA. The CA role runs on the FireMon Database server, so the Database server is the issuing CA for all FireMon self-signed certificates. FireMon will not renew certificates signed by an external Certificate Authority (CA) when they expire; only certificates signed by the FMOS CA can be regenerated and signed internally.
When a self-signed certificate expires, generate a new Certificate Signing Request (CSR) on the server that holds the Application Server (AS) role, have the internal CA sign it, and then import the signed certificate as both the server certificate and the Server Control Panel (SCP) certificate. A CSR can also be generated on additional servers with roles other than AS; the resulting certificate is applied to the SCP certificate of those additional servers.
On the Application Server:
fmos pki gen-csr -K server.key server.csr
*When prompted for a passphrase, press Enter twice to leave the key unencrypted; the import commands below expect a key without a passphrase.
If the AS does not also hold the CA role (that is, the AS and DB roles are on separate servers), copy the generated server.csr to the DB server:
scp server.csr username@serverFQDN:/var/tmp
To determine whether the AS (or any FMOS server) holds the CA role, execute the role check command: a server holding the CA role will output, among other details, "CA_ROLE=1".
On the DB (CA):
fmos ca sign server.csr server.cer
fmos ca export-ca-cert --ca root fmosca.crt
*This is the root CA certificate
fmos ca export-ca-cert --ca server fmosinter.crt
*This is the intermediate (issuing) CA certificate, FMOS Ecosystem Server CA S1
From the /var/tmp directory on the Database server, scp the root CA certificate, the signed server certificate, and the intermediate CA certificate to the Application server:
scp fmosca.crt server.cer fmosinter.crt username@serverFQDN:/var/tmp
On the AS:
fmos pki import-server-cert server.cer server.key --chain fmosinter.crt
fmos pki import-cpl-cert server.cer server.key --chain fmosinter.crt
fmos pki import-ca fmosca.crt
*The import triggers a reboot. On average, depending on the server, it takes about 2-5 minutes for the reboot to complete.
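The page tells you how to decide whether this KB applies (the issuer string) and how to import the renewed certificate, but not how to confirm the result. The script below is an added example for this KB, not part of the FMOS CLI or FireMon's tooling. It assumes three things the page does not state: that "fmos pki show-server-cert" prints the issuer on a line beginning "Issuer: " exactly as shown above, that the FMOS web UI listens on TCP 443, and that openssl is installed on the host you run the checks from. The sample show-server-cert output used in the comments is constructed.

```bash
#!/usr/bin/env bash
# Added example for this KB; not FireMon's own tooling.
# Assumptions (not stated on the page): the FMOS UI listens on TCP 443,
# openssl is installed where these checks run, and "fmos pki show-server-cert"
# prints the issuer on a line beginning "Issuer: " as shown in the KB.

EXPECTED_ISSUER='/O=firemon/OU=FM/CN=FMOS Ecosystem Server CA S1'
EXPECTED_CA_CN='FMOS Ecosystem Server CA S1'

# classify_issuer: read "fmos pki show-server-cert" output on stdin and print
# "fmos" if the FMOS Ecosystem Server CA issued the certificate (this KB applies),
# "third-party" for any other issuer, or "unknown" (exit status 2) if no
# "Issuer:" line is present in the output.
# Usage: fmos pki show-server-cert | classify_issuer
classify_issuer() {
    issuer=$(sed -n 's/^Issuer: *//p' | head -n 1)
    if [ -z "$issuer" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$issuer" = "$EXPECTED_ISSUER" ]; then
        echo "fmos"
    else
        echo "third-party"
    fi
}

# fetch_served_chain: dump the PEM chain the Application Server presents on 443
# (leaf first, then the intermediate imported with --chain) to stdout.
fetch_served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# chain_verifies: return 0 if the leaf in the served chain ($2) validates up to
# the exported root (fmosca.crt, $1). The chain file is also passed as
# -untrusted so the intermediate it contains can be used to build the path.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# leaf_issued_by_fmos_ca: return 0 if the first certificate in $1 names the
# FMOS issuing CA as its issuer (RFC2253 form: CN=...,OU=FM,O=firemon).
leaf_issued_by_fmos_ca() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | grep -q "CN=${EXPECTED_CA_CN}"
}

# leaf_valid_for_days: return 0 if the first certificate in $1 does not expire
# within $2 days (-checkend takes seconds).
leaf_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_as_after_import: run all three checks against a live AS after the
# reboot finishes. Exit status is non-zero if any check fails.
# Usage: check_as_after_import as.example.test /var/tmp/fmosca.crt
check_as_after_import() {
    host=$1
    root=$2
    chain=$(mktemp) || return 1
    fetch_served_chain "$host" > "$chain"
    rc=0
    leaf_issued_by_fmos_ca "$chain" && echo "issuer: FMOS Ecosystem Server CA" \
        || { echo "issuer: NOT the FMOS CA (third-party cert?)"; rc=1; }
    chain_verifies "$root" "$chain" && echo "chain: verifies to fmosca.crt" \
        || { echo "chain: does not verify (intermediate missing from --chain import?)"; rc=1; }
    leaf_valid_for_days "$chain" 30 && echo "expiry: more than 30 days left" \
        || { echo "expiry: expires within 30 days or already expired"; rc=1; }
    rm -f "$chain"
    return $rc
}

# Only run the live check when invoked with a host and the root CA file, e.g.
#   sh check_fmos_cert.sh as.example.test /var/tmp/fmosca.crt
if [ $# -eq 2 ]; then
    check_as_after_import "$1" "$2"
fi
```

Run classify_issuer before starting (it tells you whether this KB or the third-party KB applies), and check_as_after_import once the AS has rebooted. A failed "chain" check with a passing "issuer" check usually means the server certificate was imported without the --chain fmosinter.crt argument, so clients receive the leaf but cannot build a path to the root exported by "fmos ca export-ca-cert --ca root".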