09-13-2018 09:48 AM
Hi,
This is a general certificate question but I guess ISE community is the best place to answer it :D :D
I am trying to do an Infoblox pxGrid integration with ISE. Infoblox does not have the ability to generate a CSR with the pxGrid template, and the CA folks are struggling to generate a cert without a CSR (pkcs12 or pkcs8). Does it make sense to generate a CSR via openssl, retain the private key, send the CSR to the CA, and then bind the returned certificate into a pk12 and import it into Infoblox?
09-13-2018 11:16 AM
Have you checked any of the ISE Infoblox docs?
https://cisco-marketing.hosted.jivesoftware.com/docs/DOC-64012#jive_content_id_InfoBlox
Also copied @jeppich
09-13-2018 11:58 AM
Thanks a lot Jason.
This is the exact document I was looking for.
Unfortunately I was following the doc which uses internal ISE as the CA for this integration.
09-13-2018 04:22 PM
Maybe I can help. I had a situation yesterday with an Aruba controller - I needed to get an admin cert on this box, signed by our PKI. This controller has the ability to create a CSR, but it doesn't allow provision for SAN attributes. Stupid, right? No problem to solve this with openssl and some elbow grease ;-) The good news is that the controller allowed the admin cert to be imported as a single file. Aha. A PKCS12 file that contains the cert, the private key and any CA chain required.
High level tasks
Here is a worked example in Linux openssl (just substitute the filenames and contents as appropriate)
I created a san.cnf file that contained the data I needed for SAN - if you don't need a SAN then ignore this
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = aruba7005
DNS.2 = aruba7005.mydomain.com
IP.1 = 192.168.1.2
Then I ran these commands
openssl genrsa -out aruba7005-key.pem 2048
openssl req -new -sha256 -key aruba7005-key.pem -out aruba7005-cert.csr -config san.cnf
Get the CSR processed by the CA. In my case the certificate was called aruba7005-cert-with-san.pem
Then create the PKCS12 file as follows
openssl pkcs12 -export -out arubafinal.pfx -inkey aruba7005-key.pem -in aruba7005-cert-with-san.pem
The final resulting package is called arubafinal.pfx and this is password protected (the openssl will prompt for a password) - this is the file you should be able to import into your device. The private key and the public cert/key will be installed.
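Added example, not part of the original post: shell helpers that check the CSR carries the expected SANs, that the returned certificate matches the retained private key, and that the PKCS12 bundle holds that same certificate. The file names, subject, password and the self-signed certificate standing in for the CA's reply are constructed for the demo.

```shell
# Added example: sanity checks around the CSR -> CA -> PKCS#12 workflow.
# File names, subject, password and the self-signed stand-in are constructed.
set -eu
# SHA-256 of the public key held in a private key, CSR or certificate.
pub_hash() {  # usage: pub_hash key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl sha256
}

# Same hash for the certificate stored inside a PKCS#12 bundle.
pfx_pub_hash() {  # usage: pfx_pub_hash PFX PASSWORD
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    openssl x509 -noout -pubkey | openssl sha256
}

# True when the CSR or certificate lists NAME as a DNS subjectAltName.
has_san() {  # usage: has_san csr|cert FILE NAME
  case "$1" in csr) set -- req "$2" "$3" ;; *) set -- x509 "$2" "$3" ;; esac
  openssl "$1" -in "$2" -noout -text | grep -Eq "DNS:$3(,|\$)"
}

# Build constructed artifacts in DIR with the san.cnf layout from the post.
make_demo() (
  cd "$1"
  cat > san.cnf <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = aruba7005
DNS.2 = aruba7005.mydomain.com
IP.1 = 192.168.1.2
EOF
  openssl genrsa -out key.pem 2048 2>/dev/null
  openssl req -new -sha256 -key key.pem -out cert.csr -config san.cnf \
    -subj "/CN=aruba7005.mydomain.com"
  # Stand-in for the CA: self-sign and copy the SAN section into the cert.
  openssl x509 -req -in cert.csr -signkey key.pem -days 1 -out cert.pem \
    -extfile san.cnf -extensions req_ext 2>/dev/null
  openssl pkcs12 -export -out final.pfx -inkey key.pem -in cert.pem -passout pass:constructed-demo
)
```

With real files, compare `pub_hash key` against `pub_hash cert` for the CA's reply and run `has_san cert` on it before `openssl pkcs12 -export`, since a CA can issue without the requested SANs. For a real export, let openssl prompt for the password instead of passing it on the command line.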
09-13-2018 06:52 PM
Just curious, why aren't you using the ISE internal CA for pxGrid? Makes the whole process of generating certs/private keys for pxGrid client much easier. pxGrid is a special framework to pass information to and from ISE. I haven't seen a good argument not to let the ISE CA control access to the pxGrid.