cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1300
Views
10
Helpful
4
Replies

Generate a CSR form openssl

umahar
Cisco Employee
Cisco Employee

hi,

This is a general certificate question but I guess ISE community is the best place to answer it :D :D

I am trying to do an infoblox pxGrid with ISE. Infoblox does not have ability to generate a CSR with pxGrid template and CA folk is struggling to generate a cert without CSR (pkcs12 or pkcs8). Does it make sense to generate a csr via openssl, retain the private key, send the csr to CA and then bind the returned certificate in to pk12 and import it into infoblox ?

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee
4 Replies 4

Jason Kunst
Cisco Employee
Cisco Employee

have you checked any of the ise infloblox docs?

 

https://cisco-marketing.hosted.jivesoftware.com/docs/DOC-64012#jive_content_id_InfoBlox

 

Also copied @jeppich 

 

Thanks a lot Jason.

This is the exact document I was looking for. 

Unfortunately I was following the doc which uses internal ISE as the CA for this integration.

Maybe I can help.  I had a situation yesterday with an Aruba controller - I need to get an admin cert on this box, signed by our PKI.  This controller has the ability to create CSR, but it doesn't allow provision for SAN attributes. Stupid, right?  No problem to solve this with openssl and some elbow grease ;-)  The good news is that the controller allowed the admin cert to be imported as a single file.  Aha.  A PCKS12 file that contains the cert, the private key and any CA chain required. 

High level tasks

  • Create private key with openssl
  • Create a CSR with all the attributes you need (if you need SAN, then you need to create a config file)
  • Send the CSR to the PKI to create the cert.
  • Once you have the cert, you need to package cert+privkey into a PKCS12 file, password protected.

Here is a worked example in Linux openssl (just substitute the filenames and contents as appropriate)

I created a san.cnf file that contained the data I needed for SAN - if you don't need a SAN then ignore this

 

 

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = aruba7005
DNS.2   = aruba7005.mydomain.com
IP.1   = 192.168.1.2

 

 

Then I ran these commands

 

 

openssl genrsa -out aruba7005-key.pem 2048
openssl req -new -sha256 -key aruba7005-key.pem -out aruba7005-cert.csr -config san.cnf

 

 

Get the CSR processed by the CA.  In my case the certificate was called aruba7005-cert-with-san.pem

Then create the PKCS12 file as follows

 

 

openssl pkcs12 -export -out arubafinal.pfx -inkey aruba7005-key.pem -in aruba7005-cert-with-san.pem

 

The final resulting package is called arubafinal.pfx and this is password protected (the openssl will prompt for a password) - this is the file you should be able to import into your device.  The private key and the public cert/key will be installed.

 

 

 

Just curious, why aren't you using the ISE internal CA for pxGrid?  Makes the whole process of generating certs/private keys for pxGrid client much easier.  pxGrid is a special framework to pass information to and from ISE.  I haven't seen a good argument not to let the ISE CA control access to the pxGrid.