Certificate Signing Request
To eliminate browser security-exception and privacy warnings and to ensure that all traffic is encrypted, you will create a certificate signing request (CSR).
This process creates two files: a certificate file to be signed by a certificate authority (CA), the .csr file, and a public key, the .key file. These files provide the CA with the details needed to sign the key. The .csr file represents the identity of the FMOS server, and the .key file is the server's public key, which gives the CA the unique instructions for encrypting the .csr exclusively for the FMOS server. No other device has the same public key, or the private key needed to decrypt the signed certificate.
You can create a CSR and a public key for your server in one of two ways: with OpenSSL, or with an FMOS CLI command.
Create CSR using OpenSSL
To use OpenSSL, run a command similar to the example below to create the CSR:
openssl req -new -newkey rsa:4096 -nodes -out fmosServerIdentity.csr -keyout fmosServerPublicKey.key
The file names <fmosServerIdentity> and <fmosServerPublicKey> can be set to your company's approved file naming convention.
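As an added example (not FireMon's own tooling or documentation), the following POSIX shell script generates the key and CSR with OpenSSL, passing the subject alternative names through an OpenSSL config file instead of the fmos pki -n entries, and then runs the checks worth doing before the CSR is handed to the CA: that the CSR's signature verifies, that the key file on disk matches the public key inside the CSR, and which SANs are actually encoded. The host names, IP address, organization and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not FireMon's own tooling. Generates a key and a SAN-bearing CSR
# with OpenSSL and checks the CSR before it is handed to the CA.
# Host names, IP address, organization and paths are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/fmosServer.key"
CSR="$WORKDIR/fmosServerIdentity.csr"

# Minimal OpenSSL config: the subject plus the SAN list (same names the -n entries would carry).
write_csr_config() {
  cat > "$WORKDIR/csr.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = host1.domain.com
O = Example Org
[ext]
subjectAltName = DNS:host1.domain.com,DNS:host2.domain.com,IP:10.10.1.1
EOF
}

# Generate the 4096-bit RSA key pair and the CSR in one step. -keyout writes the
# private half of the key pair; it stays on the server and is not sent anywhere.
gen_csr() {
  openssl req -new -newkey rsa:4096 -nodes -config "$WORKDIR/csr.cnf" \
    -keyout "$KEY" -out "$CSR" 2>/dev/null
}

# Check 1: the CSR's self-signature verifies, so the file was not truncated or altered.
csr_verifies() { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }

# Check 2: the public key embedded in the CSR is the one derived from the key file on disk.
key_matches_csr() {
  k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Check 3: print the SANs actually encoded in the CSR so every expected name can be confirmed.
csr_sans() {
  openssl req -in "$CSR" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Run write_csr_config, gen_csr, then the three checks; only the .csr file produced here is what the CA needs to see.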
Create CSR using FMOS CLI
To use the FMOS CLI, complete the following steps.
- Log in to the FMOS server with both an SSH client and an SCP/SFTP client, unless you are comfortable using Linux commands to copy files to and from the FMOS server.
- Run the command:
fmos pki gen-csr fmosServerIdentity.csr --new-key fmosServerPublicKey.key
The file names <fmosServerIdentity> and <fmosServerPublicKey> can be set to your company's approved file naming convention.
Alternatively, you can make the system reachable under additional names with the same certificate by adding subject alternative name (SAN) entries to the CSR. To do so, run the command:
fmos pki gen-csr fmos_identity.csr -K fmos-public.key -n host1.domain.com -n host2.domain.com -n 10.10.1.1
Here each <-n> introduces one SAN entry: <host1.domain.com> is the first SAN entry, <host2.domain.com> is the second, and so on. Multiple SAN entries are permitted, to suit your organization's needs.
- When you run the fmos pki command, you will be prompted to enter a passphrase. You can leave this blank by pressing Enter to continue without a passphrase, or you can set a passphrase.
If you set a passphrase, you must supply it to the CA to have the CSR signed.
- Take both files to your company's certificate authority to have them signed. Follow your company's procedure for presenting the CSR and public key to your CA.
- When you make the request to have the CSR signed, ensure that the complete certificate chain is included: every certificate from the Root CA down to the server CSR must be part of the export.
If there are multiple intermediate certificates, it is recommended to combine them into one file. A .pem file typically works best for this task. Choose Base64 encoding.
Certificate authorities use their public key to sign the certificate; their own identifying certificate was in turn signed by an authority above them. This is called a certificate chain, at the top of which is the Root Authority. Root authorities can sign identity certificates directly; however, most organizations use intermediate authorities to sign most certificates so that the root can be kept secured. All certificates from the root through the intermediates must be present on the server for its newly signed certificate to remain valid.
- Once you have the certificates, move them to the FMOS server using WinSCP or another file transfer tool, then switch back to the FireMon CLI and perform the following tasks in order.
- Import the root certificate using the command:
fmos pki import-ca root.cer
Replace <root.cer> with the actual file name.
- Import the device certificate and key with the first command, or include the intermediate certificates with the second:
fmos pki import-server-cert device.cer keyname.key
fmos pki import-server-cert device.cer keyname.key --chain intermediate.cer
Replace <device.cer> and <keyname.key> with the actual file names.
- Optionally, you can import the same signed certificate used for the application server for the FMOS Control Panel (https://fmosServerIP:55555) using this command: fmos pki import-cpl-cert device.cer
- Reboot the server you are installing the certificates on. A reboot is required.