Cisco FTD Manual Certificate Installation when Managed by FDM

Captions
In this video we're going to take a look at how to manually sign an FTD device using the CLI and OpenSSL. The purpose of this is to sign our FTD device with a trusted local CA. In this demonstration we'll be using an FTD device which is locally managed using Firepower Device Manager, or FDM. So, just quickly, if we take a look now at the certificate, we can see that we're currently using a self-signed certificate, which has been signed by the device itself, so the certificate path is literally just its own certificate. What we want to do is generate a certificate signing request for this device and get it signed by a local trusted CA.

With access to the CLI, you want to go into expert mode, then elevate your privileges with sudo su and change directory to /etc/ssl. Then what we want to do is generate a private key and a CSR. To do that we'll do openssl req -new -newkey rsa:2048 (we're going to use a 2048-bit key), then -keyout, and we'll call our private key file private.key, and then -out, and we'll call our CSR the hostname of this device, .csr. So we'll just generate that, and now what we have here is output telling us it's going to write the private key to private.key as we specified, and now we need to enter some information for the certificate. I'll enter the details that are relevant to myself; yours may be different, but for the purpose of this demonstration I'll just quickly go through this. FQDN: our common name will be the device hostname, ftd. Leave the email address. We'll just give it a quick password for the purpose of the demonstration, and we should be done. Now, if we do an ls on the directory, we can see that we've got our CSR and we also have our private key. The private key you want to keep safe and only visible to yourself; do not share that private key.

Now we want to copy the CSR so that we can get it signed by the CA. In this demonstration I'll be using a Windows Server CA to generate that certificate. So if we just do a cat and copy this request (if I just go to srv... there we go), then what we want to do is request a certificate, if you're using Microsoft Active Directory Certificate Services, and then we go to advanced certificate request, input or copy the output of the CSR, change this to Web Server, and then we'll just submit that. What we'll do is download the Base64 encoded certificate, and if we just open that we can see now that we have a certificate that's been issued by our local CA. Now, if we open this up with Notepad or Notepad++, we'll take the contents, the certificate, from that and go over to our FTD. This is using the local manager, so we'll log in to this, go to Objects, then Certificates, add an Internal Certificate, and select Upload Certificate and Key. We'll give it a name, so I'm just going to give it a name suitable for me, and then with that Notepad we'll copy the contents. So the first part, we are uploading the certificate that's been signed, and the second part, we're going to upload the key. This is the private key that we created earlier, so I'll just copy this, but it will not be shown in this video. Once you're done we just press OK, and then we should be able to find our certificate. We can see it there, and we can see that all the contents are correct. That's essentially how you create a certificate that's been signed by a local trusted CA and add it to FDM, or Firepower Device Manager.

Now, if we want to use that as the default web server certificate, what we do here is replace the one that's currently in use, as we can see, and it gives us a warning here basically just saying that if we make the changes we lose connection to the FDM while the new certificate is replaced. So then what we would do is essentially add the same details in. If I just go back to this, copy that, and then again I'll add the key, which won't be displayed in this video. Now, once the services have restarted, we should be able to verify the new certificate on the Firepower Device Manager. If we just click Certificates we can see here that we have a new certificate that's been issued to this device, and it's been issued by our local trusted CA. So that's all there is to it; that's how you add certificates manually to FTD with FDM.
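As an added example that is not from the video, the script below does the key and CSR step non-interactively and then runs the two checks you want before pasting a certificate and key into FDM: that the signed certificate belongs to private.key, and that it chains to the CA you expect. It assumes openssl on PATH; the hostname and DN fields are constructed placeholders, and the Windows Server CA is stood in for by a throwaway local test CA so everything runs offline.

```shell
#!/bin/sh
# Added example, not from the video. Assumes openssl on PATH; the hostname and
# DN fields below are constructed placeholders, change them to match your device.
set -eu

# Step 1 from the video, done non-interactively: private key + CSR for the FTD.
# -nodes leaves the key unencrypted so the run is unattended; umask 077 keeps the
# key readable only by its owner (the video's "keep the private key safe").
gen_key_and_csr() {   # $1 = device hostname (CN), $2 = output directory
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$2/private.key" -out "$2/$1.csr" \
      -subj "/C=GB/ST=Example/L=Example/O=Example Lab/CN=$1" \
      >/dev/null 2>&1 )
}

# What the CA will see; check the CN before submitting the request.
csr_subject() {       # $1 = csr file
  openssl req -in "$1" -noout -subject
}

# Stand-in for the Windows Server CA so the checks run offline:
# a throwaway one-day CA signs the CSR the same way the real CA would.
sign_with_test_ca() { # $1 = csr, $2 = signed cert out, $3 = work directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$3/ca.key" -out "$3/ca.pem" -subj "/CN=Constructed Test CA" >/dev/null 2>&1
  openssl x509 -req -in "$1" -CA "$3/ca.pem" -CAkey "$3/ca.key" -CAcreateserial \
    -days 365 -out "$2" >/dev/null 2>&1
}

# Pre-upload check 1: the signed certificate really belongs to private.key.
# Compares the SHA-256 of the public key embedded in each; returns 0 on match.
cert_matches_key() {  # $1 = cert file, $2 = private key file
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Pre-upload check 2: the certificate chains to the CA you expect (the video's
# final "issued by our local trusted CA" check, done on the CLI).
cert_chains_to_ca() { # $1 = cert file, $2 = CA cert file
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run the two checks before replacing the FDM web server certificate: a mismatched key or an unexpected issuer is exactly what leaves you locked out of the management UI after the services restart.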
Info
Channel: Network Wiizkiid
Views: 870
Keywords: Network Wizkid, Security, CCNP, CCNA, CCIE, CCIE Security, Cisco, Labs, Cisco Labs, Cisco Firepower, FDM, Firepower Device Manager, FTD CSR, FTD Certificate Signing Request, FDM Certificate, Manual Certificate Installation FTD, FTD managed locally, PKI, FTD PKI, Firepower PKI, Firepower CSR
Id: Exo6HW9c8h0
Length: 9min 56sec (596 seconds)
Published: Wed May 05 2021