Cisco Bug: CSCvh89828 - FMC: Certificate Parameters (Cert Enrollment object) inputs should be validated

Last Modified

Apr 25, 2019

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases


Description (partial)

When creating a Cert Enrollment object (Objects > Object Management > PKI > Cert Enrollment > Add Cert Enrollment), any characters can be entered into the Certificate Parameters fields. There is no input validation and no hint indicating which characters are supported.

If a special character such as & (ampersand) is entered, it is accepted (e.g. O = Cisco & Friends). Once you go to Devices > Certificates, associate this Cert Enrollment with a device and click Add, the certificate is not installed and the following error message is displayed: "Unable to deploy configuration on the device, please check the device connectivity"

The error message above is misleading, since the failure is a parsing error rather than a connectivity problem. If 'pigtail deploy' is run on the FTD in expert mode, the following error can be caught:

    NGFW: 02-07 21:45:40 ccm[13057] Thread-9: ERROR Stacktrace
    NGFW: 02-07 21:45:40 Error parsing document (line 15, col 97)
    NGFW: 02-07 21:45:40 org.xmlpull.v1.XmlPullParserException: entity reference names can not start with character ' ' (position: TEXT seen ...ificate will be: O=Cisco & ... @15:97)

The stack trace shows the root cause: the subject string is written into the XML configuration document unescaped, so the parser reads "& " as the start of an entity reference and rejects the document. The FMC Certificate Parameters UI should give a hint about which characters are valid and validate the input, rejecting unsupported characters before deployment.

This problem only occurs when the Enrollment Type of the Cert Enrollment object is set to Manual.
The ampersand (&) character is accepted when the Enrollment Type is set to Self Signed Certificate or SCEP.
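
The following is an added example, not Cisco's code and not part of the bug report, showing the mechanism behind the stack trace and the input-side check the report asks for. The XML document shape (a <cert><description> element) is a constructed placeholder; the real FMC-to-FTD configuration format is not shown on this page. It builds the document twice from the same constructed subject, once by raw concatenation and once with XML escaping, parses both, and runs a validator that rejects the characters that are not literal text in XML.

```python
"""
Added example (not Cisco's code): an unescaped '&' in a certificate subject
breaks an XML configuration document; escaping or rejecting it on input fixes it.
The <cert><description> document shape is a constructed placeholder.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Characters that are not literal text inside XML element content and must be
# escaped (or rejected) before a DN field is embedded in a document.
# (Quotes additionally matter inside attribute values, not covered here.)
XML_SPECIAL = {"&", "<", ">"}

def build_unsafe(subject):
    """Naive concatenation: the subject goes into the document verbatim."""
    return ("<cert><description>Subject of the certificate will be: "
            f"{subject}</description></cert>")

def build_escaped(subject):
    """Same document, but '&' becomes '&amp;', '<' becomes '&lt;', etc."""
    return ("<cert><description>Subject of the certificate will be: "
            f"{escape(subject)}</description></cert>")

def parse_ok(doc):
    """Return (True, description text) if doc is well-formed XML,
    else (False, parser error message)."""
    try:
        root = ET.fromstring(doc)
        return True, root.findtext("description")
    except ET.ParseError as err:
        return False, str(err)

def validate_dn_field(value):
    """The input-side check the report asks for: reject XML-significant
    characters and name the offending ones in the message."""
    bad = sorted(c for c in set(value) if c in XML_SPECIAL)
    if bad:
        return False, f"unsupported character(s) in field: {' '.join(bad)}"
    return True, ""

if __name__ == "__main__":
    subject = "O=Cisco & Friends"   # constructed input mirroring the report
    print("raw:      ", parse_ok(build_unsafe(subject)))
    print("escaped:  ", parse_ok(build_escaped(subject)))
    print("validate: ", validate_dn_field(subject))
    print("validate: ", validate_dn_field("O=Cisco Systems"))
```

The raw build fails with a "not well-formed" parser error at the ampersand, which is the same class of failure as the XmlPullParserException on the FTD; the escaped build parses and round-trips the original subject text. Escaping at serialization time is the correct fix for the transport; the validator is the UI-side hint the bug asks for, and both can be applied together.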