Articles in this section

See more

Generating a CSR for Self-Signed FMOS Certificates for the Data Collector

Avatar
Permanently deleted user
  • Updated
Follow

Important: This KB is only for FireMon Self-Signed certificates.

Below is how a FireMon self-signed issuer certificate string will look, when running the "fmos pki show-cpl-cert" command on the CLI.

Issuer: /O=firemon/OU=FM/CN=FMOS Ecosystem Server CA S1

If the issuer shows a different string than above then the certificate is signed by a third-party Certificate Authority. Please follow the KB link below if your certificate is issued by a third-party Certificate Authority.

https://supportcenter.firemon.com/hc/en-us/articles/360004103494-Generating-CSR-Importing-Server-HTTPS-Certificate- 

 

 

Please note that having an expired Data Collector Server Control Panel certificate will not impact performance, but will warn users when browsing to the DC's Server Control Panel (https://DCfqdn:55555. Data Collectors and Database servers do not use a "Server" certificate, as they are not accessible over HTTP/HTTPS.

 

For new installs, the default server certificate is now issued by the FMOS Ecosystem CA, specifically the FMOS Ecosystem Server CA S1 issuing CA. In other words, the FireMon Database server is the issuing Certificate Authority (CA) for all FireMon self-signed certificates. If certificates are signed by an external Certificate Authority (CA), FireMon will not renew those certificates at the expiration date.

When certificates are signed by the FMOS CA, certificates can be regenerated/signed internally. When FMOS signed certificates expire, a new Certificate Signing Request (CSR) is required for the Server Control Panel certificate on the Data Collector. Once the CSR is signed by the internal CA (Database Server), the certificate can be applied to the Server Control Panel (SCP) certificate.

 

The Data Collector certificate renewal process includes the Server Control Panel certificate, and the FMOS Root CA cert from the Database Server.

 

To generate a new CSR on the Data Collector server

fmos pki gen-csr -K server.key server.csr

AS_cert_signing.png
*For passphrase, hit "enter" twice.

You will now transfer the CSR to the Database Server to be signed.

scp server.csr username@serverFQDN:/var/tmp
scp_cert.png

To sign the CSR on the Database server:

fmos ca sign server.csr server.cer
sign_csr.png

To export the CA cert from the DB:

fmos ca export-ca-cert --ca root fmosca.crt
export_ca.png
*This is the root certificate

To export the chain/intermediate certificate from the Database server after signing the CSR:

fmos ca export-ca-cert --ca server fmosinter.crt
export_fmosinter.png

From the /var/tmp directory on the Database Server, scp the root, server, and intermediate certificate files from the Database server to the Data Collector. *If you are regenerating the SCP cert for the DataBase server, you will skip this process and the CA role is already on the Database server (only import the SCP cert for Database servers for internally signed certs).

scp fmosca.crt server.cer fmosinter.crt username@serverFQDN:/var/tmp
scp_all_certs.png

On the Data Collector:

fmos pki import-cpl-cert server.cer server.key --chain server-chain.crt
import_cpl.png

fmos pki import-ca fmosca.crt
import_ca.png

 

At this time, we need to reboot the server that the new certificates were imported into. We will do this by using the following fmos command:

fmos reboot
reboot.png
*On average, depending on the server, this will take about 2-5 minutes
for the reboot to complete.

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.