HTTPS Server Certificate Requirements
When you use HTTPS certificates to secure the connection between your web browser and the Firepower appliance web interface, you must use certificates that comply with the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280). When you import a server certificate to the appliance, the system rejects the certificate if it does not comply with version 3 (X.509 v3) of that standard.
Before importing an HTTPS server certificate, be certain it includes the following fields:
| Certificate Field | Description |
|---|---|
| Version | Version of the encoded certificate. Use version |
| Serial number | A positive integer assigned to the certificate by the issuing CA. Issuer and serial number together uniquely identify the certificate. See RFC 5280, section 4.1.2.2. |
| Signature | Identifier for the algorithm used by the CA to sign the certificate. Must match the signatureAlgorithm field. See RFC 5280, section 4.1.2.3. |
| Issuer | Identifies the entity that signed and issued the certificate. See RFC 5280, section 4.1.2.4. |
| Validity | Interval during which the CA warrants that it will maintain information about the status of the certificate. See RFC 5280, section 4.1.2.5. |
| Subject | Identifies the entity associated with the public key stored in the subject public key field; must be an X.500 distinguished name (DN). See RFC 5280, section 4.1.2.6. |
| Subject Alternative Name | Domain names and IP addresses secured by the certificate. Subject Alternative Name is defined in RFC 5280, section 4.2.1.6. We recommend you use this field if the certificate is used for multiple domains or IP addresses. |
| Subject Public Key Info | Public key and an identifier for its algorithm. See RFC 5280, section 4.1.2.7. |
| Authority Key Identifier | Provides a means of identifying the public key corresponding to the private key used to sign a certificate. See RFC 5280, section 4.2.1.1. |
| Subject Key Identifier | Provides a means of identifying certificates that contain a particular public key. See RFC 5280, section 4.2.1.2. |
| Key Usage | Defines the purpose of the key contained in the certificate. See RFC 5280, section 4.2.1.3. |
| Basic Constraints | Identifies whether the certificate Subject is a CA, and the maximum depth of valid certification paths that include this certificate. See RFC 5280, section 4.2.1.9. For server certificates used in Firepower appliances, use |
| Basic Constraints | Identifies whether the certificate Subject is a CA, and the maximum depth of valid certification paths that include this certificate. See RFC 5280, section 4.2.1.9. This field is not strictly required for server certificates used in Firepower appliances, but we strongly recommend including this field and specifying |
| Extended Key Usage extension | Indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the Key Usage extension. See RFC 5280, section 4.2.1.12. Be certain you import certificates that can be used as server certificates. |
| signatureAlgorithm | Identifier for the algorithm the CA used to sign the certificate. Must match the Signature field. See RFC 5280, section 4.1.1.2. |
| signatureValue | Digital signature. See RFC 5280, section 4.1.1.3. |
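The following script is an added example, not part of the Cisco documentation: it builds a test server certificate carrying the X.509 v3 fields listed in the table (SAN, Key Usage, Extended Key Usage for server authentication, Subject and Authority Key Identifiers, Basic Constraints) with the openssl CLI, then checks a PEM file for each of them before you would import it. The hostname fmc.example.test and the address 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Cisco's code: build a test server certificate carrying the X.509 v3
# fields the table lists, then inspect a PEM file for each of them with the openssl CLI.
set -eu
WORK=$(mktemp -d)
# Constructed test identity; the hostname and 192.0.2.10 (RFC 5737 doc range) are placeholders.
cat > "$WORK/good.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = fmc.example.test
O = Example Org
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:fmc.example.test, IP:192.0.2.10
EOF
# Same identity but only a CA:TRUE constraint: no SAN, no key usage, no serverAuth EKU.
sed -e '/^keyUsage/d;/^extendedKeyUsage/d;/^subjectAltName/d' \
    -e 's/CA:FALSE/CA:TRUE/' "$WORK/good.cnf" > "$WORK/bad.cnf"
for n in good bad; do
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/$n.cnf" \
    -keyout "$WORK/$n.key" -out "$WORK/$n.pem" 2>/dev/null
done

# check_cert PEM: print one line per required item; return 0 only if all are present.
check_cert() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  rc=0
  for pat in 'Version: 3' 'Subject Alternative Name' 'Subject Key Identifier' \
             'Authority Key Identifier' 'X509v3 Key Usage' 'CA:FALSE' \
             'TLS Web Server Authentication'; do
    if printf '%s\n' "$txt" | grep -q "$pat"; then echo "ok      $pat"
    else echo "MISSING $pat"; rc=1; fi
  done
  # The Signature and signatureAlgorithm fields must agree: -text prints both lines.
  if [ "$(printf '%s\n' "$txt" | grep 'Signature Algorithm' | sed 's/^ *//' | sort -u | grep -c .)" = 1 ]; then
    echo "ok      signature algorithms match"
  else echo "MISSING matching signature algorithms"; rc=1; fi
  return $rc
}
echo "--- good.pem"; check_cert "$WORK/good.pem"
echo "--- bad.pem";  check_cert "$WORK/bad.pem" || echo "bad.pem would be rejected"
```

Run it against your own PEM with `check_cert /path/to/server.pem` to see which of the table's fields are absent before the appliance rejects the import.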