topic Re: Generate a CSR form openssl in Network Access Control

Generate a CSR form openssl

umahar — Thu, 13 Sep 2018 16:48:15 GMT

hi,

This is a general certificate question but I guess ISE community is the best place to answer it 😄 😄

I am trying to do an infoblox pxGrid with ISE. Infoblox does not have ability to generate a CSR with pxGrid template and CA folk is struggling to generate a cert without CSR (pkcs12 or pkcs8). Does it make sense to generate a csr via openssl, retain the private key, send the csr to CA and then bind the returned certificate in to pk12 and import it into infoblox ?

Re: Generate a CSR form openssl

Jason Kunst — Thu, 13 Sep 2018 18:16:43 GMT

have you checked any of the ise infloblox docs?

https://cisco-marketing.hosted.jivesoftware.com/docs/DOC-64012#jive_content_id_InfoBlox

Also copied @jeppich

Re: Generate a CSR form openssl

umahar — Thu, 13 Sep 2018 18:58:45 GMT

Thanks a lot Jason.

This is the exact document I was looking for.

Unfortunately I was following the doc which uses internal ISE as the CA for this integration.

Re: Generate a CSR form openssl

Arne Bier — Thu, 13 Sep 2018 23:22:06 GMT

Maybe I can help. I had a situation yesterday with an Aruba controller - I need to get an admin cert on this box, signed by our PKI. This controller has the ability to create CSR, but it doesn't allow provision for SAN attributes. Stupid, right? No problem to solve this with openssl and some elbow grease 😉 The good news is that the controller allowed the admin cert to be imported as a single file. Aha. A PCKS12 file that contains the cert, the private key and any CA chain required.

High level tasks

Create private key with openssl
Create a CSR with all the attributes you need (if you need SAN, then you need to create a config file)
Send the CSR to the PKI to create the cert.
Once you have the cert, you need to package cert+privkey into a PKCS12 file, password protected.

Here is a worked example in Linux openssl (just substitute the filenames and contents as appropriate)

I created a san.cnf file that contained the data I needed for SAN - if you don't need a SAN then ignore this

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = aruba7005
DNS.2   = aruba7005.mydomain.com
IP.1   = 192.168.1.2

Then I ran these commands

openssl genrsa -out aruba7005-key.pem 2048
openssl req -new -sha256 -key aruba7005-key.pem -out aruba7005-cert.csr -config san.cnf

Get the CSR processed by the CA. In my case the certificate was called aruba7005-cert-with-san.pem

Then create the PKCS12 file as follows

openssl pkcs12 -export -out arubafinal.pfx -inkey aruba7005-key.pem -in aruba7005-cert-with-san.pem

The final resulting package is called arubafinal.pfx and this is password protected (the openssl will prompt for a password) - this is the file you should be able to import into your device. The private key and the public cert/key will be installed.

Re: Generate a CSR form openssl

paul — Fri, 14 Sep 2018 01:52:29 GMT

Just curious, why aren't you using the ISE internal CA for pxGrid? Makes the whole process of generating certs/private keys for pxGrid client much easier. pxGrid is a special framework to pass information to and from ISE. I haven't seen a good argument not to let the ISE CA control access to the pxGrid.