...
A certificate intended for use with the web UI of a Firepower Management Center or Firepower 7000/8000 Series appliance will fail to import if its "Basic Constraints" extension is not marked "critical". The import fails with the following error message:

Unable to install certificate

In /var/log/httpd/httpsd_error_log the following errors are seen:

```text
[Tue Oct 10 08:49:37.500627 2017] [cgi:error] [pid 31306] [client 10.229.22.134:50398] AH01215: Unable to verify certificates at /usr/local/sf/lib/perl/5.10.1/SF/X509Certificates.pm line 143.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://10.122.144.200/admin/https_cert.cgi
[Tue Oct 10 08:49:37.500695 2017] [cgi:error] [pid 31306] [client 10.229.22.134:50398] AH01215: No such file or directory:/etc/sf/crl.conf at /usr/local/sf/lib/perl/5.10.1/SF/X509Certificates.pm line 907.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://10.122.144.200/admin/https_cert.cgi
[Tue Oct 10 08:49:37.500738 2017] [cgi:error] [pid 31306] [client 10.229.22.134:50398] AH01215: (Unable to install certificate.) in /usr/local/sf/htdocs/admin/https_cert.cgi:168 at /usr/local/sf/lib/perl/5.10.1/SF.pm line 120.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://10.122.144.200/admin/https_cert.cgi
[Tue Oct 10 08:49:39.271384 2017] [cgi:error] [pid 31306] [client 10.229.22.134:50398] AH01215: SFDB -- SF::UI::Platinum::SidemenuAdapter::drawMenu at /usr/local/sf/lib/perl/5.10.1/SF/UI/Platinum/SidemenuAdapter.pm line 263.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://10.122.144.200/admin/https_cert.cgi
```

Output from 'openssl x509 -in cert.crt -text -noout':

- not working:

```text
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
```

- working:

```text
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
```
Conditions under which this is seen:

- The web UI on a Firepower Management Center or Firepower 7000/8000 Series appliance is used to import the certificate.
- The certificate does not have the "critical" flag enabled on its "Basic Constraints" extension.
- The full certificate chain is available on the appliance.
**To note, the fix versions for this defect do not change the requirement for the Basic Constraints extension to be configured as "CA:FALSE, critical". The error message received on the fix versions for this defect has been improved to state this, rather than the generic "Import failed" message seen previously. See the documentation enhancement request CSCvk59334 for reference.**

_____________________

Reissue the certificate, and ensure that the "critical" extension for "Basic Constraints" has been included.

*or*

Contact Cisco TAC for a workaround procedure for manually replacing the certificate on the back end of the appliance.
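As an added example (not part of this bug note and not Cisco tooling), the following Python script performs the same check as the 'openssl x509 -text' output above, but directly on DER bytes, so a reissued certificate can be vetted before it is uploaded: it walks the DER structure, locates the Basic Constraints extension (OID 2.5.29.19) and reports whether it is flagged critical and whether CA is set. The two extension blobs at the bottom are constructed sample input; a real certificate would be fed in as the output of `openssl x509 -in cert.crt -outform DER`.

```python
"""Check whether a DER-encoded X.509 certificate carries a Basic Constraints
extension flagged "critical", as the Firepower web UI requires on import."""

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x81 nn, 0x82 nn nn, ...
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _walk(data):
    """Yield every (tag, value) in a DER blob, descending into constructed types."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        yield tag, value
        if tag & 0x20:                      # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from _walk(value)

def basic_constraints(der):
    """Return (critical, ca) for the Basic Constraints extension, or None if absent."""
    for tag, value in _walk(der):
        if tag != 0x30 or len(value) < 2:   # Extension ::= SEQUENCE { extnID, critical?, extnValue }
            continue
        oid_tag, oid, pos = _read_tlv(value, 0)
        if oid_tag != 0x06 or oid != BASIC_CONSTRAINTS_OID:
            continue
        critical = False
        t, inner, pos = _read_tlv(value, pos)
        if t == 0x01:                       # BOOLEAN critical is present (DER omits it when FALSE)
            critical = inner == b"\xff"
            t, inner, pos = _read_tlv(value, pos)
        # inner is the OCTET STRING body: BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
        _, bc_seq, _ = _read_tlv(inner, 0)
        return critical, bc_seq[:3] == b"\x01\x01\xff"   # cA is only encoded when TRUE
    return None

def firepower_import_ok(der):
    """True only for the shape this bug note says the appliance accepts: critical, CA:FALSE."""
    return basic_constraints(der) == (True, False)

# Constructed sample Extension blobs (hand-built hex, not taken from a real certificate).
WORKING_EXT = bytes.fromhex("300c 0603551d13 0101ff 04023000")   # critical, CA:FALSE
BROKEN_EXT = bytes.fromhex("3009 0603551d13 04023000")           # CA:FALSE, not critical
```

Run `firepower_import_ok(open("cert.der", "rb").read())` on the DER form of the candidate certificate; False means the appliance will reject it with the error above.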