Overview

Sectigo Connector for Cisco Firepower Threat Defense ("the connector") is a certificate management solution developed to automate lifecycle management of SSL/TLS certificates for Cisco Firepower Threat Defense (FTD), to secure communication between external clients and applications behind the firewall.

Certificate lifecycle management (CLM) is handled by the Sectigo SDK for Python, which communicates with the Sectigo backend through the Sectigo Certificate Manager (SCM) enrollment API to request and renew SSL/TLS certificates, and then imports them into the certificate management area of Cisco Firepower Device Manager (FDM), the web-based configuration interface included on FTD devices. Certificate management on FDM is performed through the FDM REST API.

The connector can obtain the following types of SSL/TLS certificates from Sectigo and Sectigo-supported third-party CAs:

  • Domain Validation (DV) certificates

  • Organization Validation (OV) certificates

  • Extended Validation (EV) certificates

The following key types are supported: RSA-2048, RSA-3072, and RSA-4096.

Audience

This guide is intended for IT administrators and network administrators who manage Cisco FTD and FDM.

Scope

This guide contains instructions for enrolling and managing Sectigo certificates on Cisco FTD. It does not cover configuration of FTD or FDM.

Architecture

The connector is developed using the SCM SDK for Python. The SDK uses the SCM REST API to securely authenticate and communicate with the Sectigo backend for certificate management.

Sectigo Cisco FTD Architecture

Package contents

To get the latest version of the Connector, contact your account manager or Sectigo Support.

The package contains the following components:

  • config: this directory contains the following configuration files:

    • cert_profile.yaml: the certificate profile file.

    • cisco_profile.yaml: the Cisco FTD credentials file.

    • scm.yaml: the SCM credentials file.

  • sectigo_sdk: this package contains the source files for enrolling certificates via the SCM Enrollment REST API.

  • third_party: this package contains source files for uploading and renewing certificates via the Cisco REST API.

  • .py: the Python source files in their respective directories.

  • requirements.txt: this file contains a list of Python dependencies.

Execution workflow

The connector is triggered manually or automatically through a cron job. You specify which operation the connector performs and, optionally, the name of the certificate profile when the operation targets a single profile. The available operations are enrollment, renewal, encryption, and decryption.

The connector performs the following actions during execution:

  1. Loads its configuration from the YAML files in the config directory. From the main config file it reads the logging settings (log level, the path for the log file and the file name); from scm.yaml it reads the SCM credentials that the certificate profile refers to.

  2. Reads the certificate profile and Cisco profile files. Each certificate profile describes one certificate, which can be DV, OV, or EV, and contains everything needed to request it: domains, SANs, key type and size, and the name of the target Cisco FTD. The Cisco profile contains the connection details for that FTD instance: username, password, and URL or IP address. Because the Cisco profile holds FDM credentials, restrict read access to the config directory to the account that runs the connector.

  3. Sends a request to the Cisco FTD REST API to check whether a certificate named after the certificate profile already exists. If no such certificate exists, or the existing one is expired or revoked, the connector generates a CSR from the certificate profile: it creates an asymmetric key pair with the key type and size defined in the profile, builds a CSR containing the public key, and signs the CSR with the private key. Only the public key leaves the connector, inside the CSR; the private key is held in memory and deleted when the enrollment process finishes.

  4. Submits the CSR to the Sectigo CA (public or private CA), which issues an SSL/TLS certificate based on the information in the CSR. The connector then downloads the certificate chain.

  5. If the ssl_policy parameter is set in the certificate profile and the named SSL Decryption Policy exists on the FTD, the connector adds the enrolled certificate to that policy.

  6. Saves the certificate ID in the id_list.txt file, imports the downloaded certificate chain into Cisco FTD, and deploys the changes.

  7. Writes the main events that occur during enrollment or renewal of a certificate into the log file.
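The following Python block is an added example, not the connector's own code, that models the decision logic of steps 2 and 3 above: it validates a certificate profile against the key types this guide lists (RSA-2048/3072/4096), derives the name list for the CSR, and decides whether a profile needs enrollment, renewal, or nothing based on what the FTD already holds. The profile field names (common_name, sans, cert_type, key_type, key_size, ftd_name) and the shape of the certificate records are constructed for illustration; the real YAML schema and the FDM REST API response format are not shown on this page.

```python
"""Enrollment decision logic modelled on the connector workflow.

Added example, not Sectigo's code. Profile keys and FTD certificate record
fields are constructed stand-ins; the real schemas are not shown on the page.
"""
from datetime import datetime, timezone
import re

# Key types the guide lists as supported by the connector.
SUPPORTED_KEY_SIZES = {"RSA": {2048, 3072, 4096}}

# DNS host name, optionally wildcard in the leftmost label.
HOSTNAME_RE = re.compile(
    r"^(\*\.)?([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I
)


def validate_profile(profile):
    """Return a list of problems with a certificate profile (empty when valid)."""
    problems = []
    ktype = str(profile.get("key_type", "")).upper()
    ksize = profile.get("key_size")
    if ksize not in SUPPORTED_KEY_SIZES.get(ktype, set()):
        problems.append(
            f"unsupported key {ktype}-{ksize}; use RSA-2048, RSA-3072 or RSA-4096"
        )
    if profile.get("cert_type") not in ("DV", "OV", "EV"):
        problems.append("cert_type must be DV, OV or EV")
    cn = profile.get("common_name", "")
    if not HOSTNAME_RE.match(cn):
        problems.append(f"common_name {cn!r} is not a valid host name")
    for san in profile.get("sans", []):
        if not HOSTNAME_RE.match(san):
            problems.append(f"SAN {san!r} is not a valid host name")
    if not profile.get("ftd_name"):
        problems.append("ftd_name (target Cisco FTD) is missing")
    return problems


def subject_alt_names(profile):
    """Names for the CSR's SAN extension: CN first, then SANs, lower-cased, deduplicated."""
    seen, names = set(), []
    for name in [profile["common_name"], *profile.get("sans", [])]:
        name = name.lower()
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


def enrollment_action(profile_name, ftd_certs, now):
    """Decide what to do for one profile, following step 3 of the workflow.

    'enroll' if no certificate named after the profile exists on the FTD,
    'renew' if one exists but is revoked or has expired, 'skip' otherwise.
    """
    for cert in ftd_certs:
        if cert["name"] != profile_name:
            continue
        if cert.get("revoked"):
            return "renew"
        not_after = datetime.fromisoformat(cert["notAfter"])
        if not_after <= now:
            return "renew"
        return "skip"
    return "enroll"


# Constructed sample data (not real FTD output or a real Sectigo profile).
PROFILE = {
    "common_name": "portal.example.com",
    "sans": ["www.portal.example.com", "PORTAL.example.com"],
    "cert_type": "OV",
    "key_type": "RSA",
    "key_size": 3072,
    "ftd_name": "ftd-edge-01",
}
FTD_CERTS = [
    {"name": "web-portal", "notAfter": "2025-06-01T00:00:00+00:00", "revoked": False},
    {"name": "vpn-gw", "notAfter": "2026-09-30T00:00:00+00:00", "revoked": True},
    {"name": "intranet", "notAfter": "2027-01-15T00:00:00+00:00", "revoked": False},
]
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("profile problems:", validate_profile(PROFILE))
    print("CSR names:", subject_alt_names(PROFILE))
    for name in ("web-portal", "vpn-gw", "intranet", "new-site"):
        print(f"{name}: {enrollment_action(name, FTD_CERTS, NOW)}")
```

The decision function implements the rule exactly as the workflow states it (renew only once a certificate has expired or been revoked). In practice you would want the connector run from cron often enough, and a renewal lead time, so that a certificate is replaced before it expires rather than after; that lead time is not something this page describes, so it is left out of the example.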