08-06-2020 01:19 AM
Hello,
I'm wondering which private key ISE uses for CSR generation.
In my case it is ISE 2.4. I generated a new multi-use CSR for my cluster (see image).
[Image: CSR generation]
It works fine, but which private key did ISE use for CSR generation? I exported all system certificates with private keys and compared the public part of them. Not a single match!
[Image: system certificates]
openssl pkey -in node1-private.key -pubout -outform pem | sha256sum
de63c029765da26708a971ca7501700ec986e4dc26df5474777eef512e36bd06 -
openssl pkey -in SAML-private.key -pubout -outform pem | sha256sum
fd363d2ae68da8bc9a7ccac2cffa3c9b3a9773b68d7d3e83d266d0f66a454eb3 -
openssl req -in ClusterName.csr -pubkey -noout -outform pem | sha256sum
3d92ffc0d44cfcb8086e8432f0280b2d0c0ce6d4cc52bb723a3101d8a406129b -
Does anyone have any idea which private key ISE uses for CSR generation?
Thanks
08-06-2020 03:57 PM
I'm not sure I understand the question. You're asking about what private key ISE uses for the CSR, but you also mention that you exported the private key. The private key you exported would be the private key used to generate the CSR for that particular certificate.
If you're trying to find a single private key that is used to generate all CSRs, I don't think you'll find one. For security reasons, I would expect ISE would generate a new unique private key for each CSR, so each certificate would have a unique key. Otherwise, if someone compromised the private key for one cert, all certificates on the box would be compromised.
08-07-2020 03:43 AM
Thank you for the explanation. So ISE will create a new private key and I won't be able to see it before I add the new certificate.
In the end, you have to believe that ISE does it the right way, and if something goes wrong, you can just throw away the new signed certificate. This happened to me last time: ISE didn't accept the new certificate because of a key mismatch - don't ask me how it is possible, but I didn't have any choice but to order a new one.
08-09-2020 02:53 AM
When you create a CSR within the ISE GUI, the system does two things:
1) Creates a public/private key pair and stores the private key in a place that you don't need to know or care about. It's what you would do with openssl or similar tools that create key pairs.
2) It creates the CSR and exports it via the GUI to allow you to have the CSR signed by an external CA - the private key never leaves the ISE node.
When you export a system cert in ISE then you are given the option to export the private key - that's the only mechanism you have to ever get hold of the private key.
BTW, you don't need to create the CSR in ISE for the purpose of System Cert generation. You can do everything out of band (e.g. openssl) and then import the finished cert and private key into ISE. This of course implies that the private key originated on another system (e.g. a unix server) and then it got bundled into a file that you imported into ISE. Some people freak out over that thought because the private key should only live in ISE. But I think by now you get the point. A private key is just a file that HAS to exist somewhere. And for ultimate security, the private key SHOULD reside only on the system that uses that private key to encrypt the traffic that it sends. If the private key resides outside of the system that it is intended for, then it's either an oversight (human error) or a hack attack :-)
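As an added example (not posted by anyone in this thread, and not Cisco's code), the following script generates a key pair and CSR out of band as the reply above describes, and then performs the public-key fingerprint comparison the original poster ran, extended to also check a signed certificate against its private key before importing it, which would have caught the key mismatch mentioned earlier. It assumes only the openssl CLI; all file names and CNs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a CSR or signed certificate
# belongs to a given private key by comparing SHA-256 fingerprints of the
# DER-encoded SubjectPublicKeyInfo, the same comparison the original poster ran.
# Assumes only the openssl CLI; all file names below are constructed.
set -eu

# pubkey_fp TYPE FILE -> sha256 hex of the DER public key.
# TYPE is key (private key), csr (PKCS#10 request) or cert (X.509).
pubkey_fp() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    csr)  openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# same_key TYPE1 FILE1 TYPE2 FILE2 -> exit 0 if both carry the same public key.
same_key() {
  [ "$(pubkey_fp "$1" "$2")" = "$(pubkey_fp "$3" "$4")" ]
}

# make_key_and_csr NAME CN -> NAME.key and NAME.csr (out-of-band generation).
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# self_sign NAME -> NAME.crt; stands in for the certificate a CA would return.
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -out "$1.crt" 2>/dev/null
}

# Demo: a CSR matches its own key but not another node's key, and the signed
# certificate is verified against the key before any import is attempted.
demo() {
  d=$(mktemp -d); cd "$d"
  make_key_and_csr node1 node1.example.test
  make_key_and_csr saml  saml.example.test
  self_sign node1
  same_key key node1.key csr  node1.csr && echo "node1.csr vs node1.key : match"
  same_key key saml.key  csr  node1.csr || echo "node1.csr vs saml.key  : mismatch"
  same_key key node1.key cert node1.crt && echo "node1.crt vs node1.key : safe to import"
  cd - >/dev/null; rm -rf "$d"
}
demo
```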