Updated: July 29, 2020
This document describes how to troubleshoot and fix the "Identity certificate import required" error on Firepower Threat Defense (FTD) devices managed by Firepower Management Center (FMC).
Cisco recommends that you have knowledge of these topics:
Public Key Infrastructure (PKI)
The information used in the document is based on these software versions:
Mac OS X 10.14.6
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Note: On FTD devices, the Certificate Authority (CA) certificate is needed before the Certificate Signing Request (CSR) is generated.
If the CSR is generated on an external server (such as Windows Server or OpenSSL), the manual enrollment method is expected to fail, since FTD does not support manual key enrollment: the private key that belongs to the externally generated CSR never reaches the FTD. A different method, such as PKCS12, must be used.
A certificate is imported in the FMC and an error is received which states that an identity certificate is required to proceed with the certificate enrollment. This happens in two cases.

Case 1:
- Manual enrollment is selected
- The CSR is generated externally (Windows Server, OpenSSL, etc.) and you do not have (or know) the private key
- A previous CA certificate is used to fill in the CA certificate information, but it is unknown whether this certificate is the one that signed the ID certificate

Case 2:
- Manual enrollment is selected
- The CSR is generated externally (Windows Server, OpenSSL)
- You have the certificate file from the CA that signed the CSR
For both procedures, the certificate is uploaded and a progress indication is displayed as shown in the image.
After a couple of seconds, the FMC still states that an ID cert is required:
This error indicates that either the CA certificate does not match the issuer information in the ID certificate, or the private key does not match the one generated by default in the FTD.
For this certificate enrollment to work, you must have the private key that corresponds to the ID certificate. With OpenSSL, the key, the ID certificate and the CA certificate are combined into a PKCS12 file.
Step 1. Generate a CSR (Optional)
You can get a CSR along with its private key with the use of a third-party tool called CSR Generator (csrgenerator.com).
Once the certificate information is filled in, select the option Generate CSR.
This provides the CSR, which is sent to a Certificate Authority, and the private key, which you keep for the PKCS12 merge in Step 4:
Step 2. Sign the CSR
The CSR needs to be signed by a third-party CA (GoDaddy, DigiCert). Once the CSR is signed, a zip file is provided, which contains, among other things:
CA bundle (intermediate certificate + root certificate)
Step 3. Verify and Separate the Certificates
Verify and separate the files with a text editor (for example, Notepad). Create files with easily identifiable names for the private key (key.pem), the identity certificate (ID.pem) and the CA certificate (CA.pem).
If the CA bundle file has 2 or more certificates (for example, 1 root CA and 1 sub-CA), remove the root CA: the issuer of the ID certificate is the sub-CA, so the root CA is not relevant in this scenario.
Content of the file named CA.pem:
Content of the file named key.pem:
Content of the file named ID.pem:
Step 4. Merge the Certificates in a PKCS12
Merge the CA certificate together with the ID certificate and the private key into a .pfx file. You must protect this file with a passphrase.
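The script below is an added example and is not code from the Cisco document. It walks through Steps 1 to 4 with OpenSSL in a throw-away directory and, before building the .pfx, performs the two checks that correspond to the causes of the "identity certificate import required" error described earlier: whether key.pem really belongs to ID.pem, and whether the certificate in CA.pem really issued ID.pem. The lab CA, the subject names, the passphrase and the file name ftd-cert.pfx are constructed for the example; a constructed self-signed lab CA stands in for the third-party CA, and the key and CSR are generated with openssl req instead of csrgenerator.com. It assumes `openssl` (1.1.x or 3.x) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the Cisco document): Steps 1-4 with OpenSSL, plus the
# two checks behind the "identity certificate import required" error.
# Assumptions: openssl on PATH; a constructed lab CA replaces the third-party CA;
# file names follow Step 3 (key.pem, ID.pem, CA.pem).

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-lab-passphrase-change-me}"   # constructed passphrase for the .pfx

# Step 1: private key plus CSR, generated locally instead of on csrgenerator.com.
make_key_and_csr() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -subj "/CN=ftd.lab.example/O=Lab" -out "$WORK/ftd.csr" 2>/dev/null
}

# Step 2 stand-in: a constructed lab CA signs the CSR and hands back ID.pem.
# In a real deployment ID.pem and the CA bundle come from the third-party CA.
make_lab_ca_and_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca-key.pem" \
        -subj "/CN=Lab Issuing CA/O=Lab" -days 365 -out "$WORK/CA.pem" 2>/dev/null &&
    openssl x509 -req -in "$WORK/ftd.csr" -CA "$WORK/CA.pem" -CAkey "$WORK/ca-key.pem" \
        -CAcreateserial -days 365 -out "$WORK/ID.pem" 2>/dev/null
}

# Check (a): the private key must carry the same public key as the ID certificate.
# Compares SHA-256 digests of the DER-encoded public keys, so it works for RSA and EC.
key_matches_cert() {   # $1 = private key file, $2 = certificate file
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$from_cert" = "$from_key" ]
}

# Check (b): the certificate in CA.pem must be the issuer of ID.pem.
# -partial_chain accepts a CA.pem that holds only the issuing sub-CA, which is the
# Step 3 situation after the root CA has been removed from the bundle.
issuer_matches_ca() {  # $1 = CA certificate file, $2 = certificate file
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 4: merge ID certificate, private key and CA certificate into a
# passphrase-protected .pfx, which is what the FMC PKCS12 enrollment expects.
build_pkcs12() {       # $1 = passphrase
    openssl pkcs12 -export -in "$WORK/ID.pem" -inkey "$WORK/key.pem" \
        -certfile "$WORK/CA.pem" -passout "pass:$1" -out "$WORK/ftd-cert.pfx"
}

# Confirms the .pfx opens with the given passphrase (MAC check) before upload.
pkcs12_opens() {       # $1 = passphrase
    openssl pkcs12 -in "$WORK/ftd-cert.pfx" -passin "pass:$1" -nocerts -noout 2>/dev/null
}

run_all() {
    make_key_and_csr && make_lab_ca_and_sign || return 1
    key_matches_cert "$WORK/key.pem" "$WORK/ID.pem" || { echo "key.pem does not match ID.pem"; return 1; }
    issuer_matches_ca "$WORK/CA.pem" "$WORK/ID.pem" || { echo "CA.pem did not issue ID.pem"; return 1; }
    build_pkcs12 "$PASS" && pkcs12_opens "$PASS" || return 1
    echo "PKCS12 ready for FMC import: $WORK/ftd-cert.pfx"
}

run_all
```

Run the script as-is to see the happy path; to reproduce the FMC error conditions, point key_matches_cert at a key that did not produce the CSR, or issuer_matches_ca at a CA certificate that did not sign ID.pem, and either check returns non-zero. The checks are deliberately done on the files you would upload, so a mismatch is caught on the workstation rather than as an opaque error in the FMC.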