Importing HTTPS Server Certificates

If the signing authority that generated the certificate requires you to trust an intermediate CA, you must also supply a certificate chain (or certificate path).

If you require client certificates, accessing an appliance via the web interface will fail when the server certificate does not meet either of the following criteria:

  • The certificate is signed by the same CA that signed the client certificate.

  • The certificate is signed by a CA that has signed an intermediate certificate in the certificate chain.

Caution

The Cisco Defense Orchestrator supports 4096-bit HTTPS certificates. If the certificate used by the Cisco Defense Orchestrator was generated using a public server key larger than 4096 bits, you will not be able to log in to the CDO web interface. For more information about updating HTTPS Certificates to Version 6.0.0, see "Update Management Center HTTPS Certificates to Version 6.0" in Firepower System Release Notes, Version 6.0. If you generate or import an HTTPS Certificate and cannot log in to the CDO web interface, contact Support.

Before you begin

Procedure


Step 1

Choose System (system gear icon) > Configuration.

Step 2

Click HTTPS Certificate.

Step 3

Click Import HTTPS Server Certificate.

Step 4

Open the server certificate in a text editor and copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Paste this text into the Server Certificate field.

Step 5

Whether you must supply a Private Key depends on how you generated the Certificate Signing Request:

  • If you generated the Certificate Signing Request using the Cisco Defense Orchestrator web interface (as described in Generating an HTTPS Server Certificate Signing Request), the system already has the private key and you need not enter one here.
  • If you generated the Certificate Signing Request using some other means, you must supply the private key here. Open the private key file and copy the entire block of text, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines. Paste this text into the Private Key field.

Step 6

Open any required intermediate certificates, copy the entire block of text for each, and paste it into the Certificate Chain field. If you received a root certificate, paste it here. If you received an intermediate certificate, paste it below the root certificate. In both cases, copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines.

Step 7

Click Save.
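
A pre-import check for Steps 4 through 6 and the key-size Caution, as an added example that is not part of the original procedure: it runs the OpenSSL command line on the workstation that holds the PEM files, before anything is pasted into the web interface. The function name `check_https_bundle`, its exit codes, the file arguments and the optional fourth argument are assumptions made for this example.

```shell
# check_https_bundle CERT KEY CHAIN [MAX_BITS]   (hypothetical helper)
# Returns 0 when the three PEM files are consistent, otherwise:
#   2 = bad PEM framing, 3 = key too large, 4 = key mismatch, 5 = chain fails
check_https_bundle() {
  cert=$1; key=$2; chain=$3
  max_bits=${4:-4096}   # limit from the Caution; the override is this example's own

  # Step 4: the pasted text must include both delimiter lines.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
     ! grep -q -- '-----END CERTIFICATE-----' "$cert"; then
    echo "server certificate: BEGIN/END CERTIFICATE line missing" >&2
    return 2
  fi

  # Caution: reject a public key larger than the supported size.
  bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
         sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
  if [ -z "$bits" ] || [ "$bits" -gt "$max_bits" ]; then
    echo "server certificate: key is ${bits:-unknown} bits, limit $max_bits" >&2
    return 3
  fi

  # Step 5: an externally generated private key must belong to this certificate.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match the server certificate" >&2
    return 4
  fi

  # Step 6: the root and intermediates destined for the Certificate Chain
  # field must link the server certificate to its issuer.
  if ! openssl verify -CAfile "$chain" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "certificate chain does not verify the server certificate" >&2
    return 5
  fi
  echo "ok: ${bits}-bit key, private key matches, chain verifies"
}
```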