Important: This KB is only for FireMon Self-Signed certificates.
Below is how a FireMon self-signed issuer certificate string will look, when running the "fmos pki show-cpl-cert" command on the CLI.
Issuer: /O=firemon/OU=FM/CN=FMOS Ecosystem Server CA S1
If the issuer shows a different string than above then the certificate is signed by a third-party Certificate Authority. Please follow the KB link below if your certificate is issued by a third-party Certificate Authority.
Please note that having an expired Data Collector Server Control Panel certificate will not impact performance, but will warn users when browsing to the DC's Server Control Panel (https://DCfqdn:55555. Data Collectors and Database servers do not use a "Server" certificate, as they are not accessible over HTTP/HTTPS.
For new installs, the default server certificate is now issued by the FMOS Ecosystem CA, specifically the FMOS Ecosystem Server CA S1 issuing CA. In other words, the FireMon Database server is the issuing Certificate Authority (CA) for all FireMon self-signed certificates. If certificates are signed by an external Certificate Authority (CA), FireMon will not renew those certificates at the expiration date.
When certificates are signed by the FMOS CA, certificates can be regenerated/signed internally. When FMOS signed certificates expire, a new Certificate Signing Request (CSR) is required for the Server Control Panel certificate on the Data Collector. Once the CSR is signed by the internal CA (Database Server), the certificate can be applied to the Server Control Panel (SCP) certificate.
The Data Collector certificate renewal process includes the Server Control Panel certificate, and the FMOS Root CA cert from the Database Server.
To generate a new CSR on the Data Collector server
fmos pki gen-csr -K server.key server.csr
*For passphrase, hit "enter" twice.
You will now transfer the CSR to the Database Server to be signed.
scp server.csr username@serverFQDN:/var/tmp
To sign the CSR on the Database server:
fmos ca sign server.csr server.cer
To export the CA cert from the DB:
fmos ca export-ca-cert --ca root fmosca.crt
*This is the root certificate
To export the chain/intermediate certificate from the Database server after signing the CSR:
fmos ca export-ca-cert --ca server fmosinter.crt
From the /var/tmp directory on the Database Server, scp the root, server, and intermediate certificate files from the Database server to the Data Collector. *If you are regenerating the SCP cert for the DataBase server, you will skip this process and the CA role is already on the Database server (only import the SCP cert for Database servers for internally signed certs).
scp fmosca.crt server.cer fmosinter.crt username@serverFQDN:/var/tmp
On the Data Collector:
fmos pki import-cpl-cert server.cer server.key --chain server-chain.crt
fmos pki import-ca fmosca.crt
*On average, depending on the server, this will take about 2-5 minutes
for the reboot to complete.
Please sign in to leave a comment.