generate CSR on ISE

Thomas Schmitt
Level 1

Hello,

I'm wondering which private key does ISE use for CSR generation?

In my case it is ISE 2.4, I generated a new multi-use CSR for my cluster (see Image)

(image: CSR generation)

It works fine, but which private key did ISE use for CSR generation? I exported all system certificates with private keys and compared the public part of them. Not a single match!

(image: system certificates)

openssl pkey -in node1-private.key -pubout -outform pem | sha256sum
de63c029765da26708a971ca7501700ec986e4dc26df5474777eef512e36bd06  -
openssl pkey -in SAML-private.key -pubout -outform pem | sha256sum
fd363d2ae68da8bc9a7ccac2cffa3c9b3a9773b68d7d3e83d266d0f66a454eb3  -
openssl req -in ClusterName.csr -pubkey -noout -outform pem | sha256sum
3d92ffc0d44cfcb8086e8432f0280b2d0c0ce6d4cc52bb723a3101d8a406129b  -

Does anyone have any idea which private key ISE uses for CSR generation?

Thanks

Accepted Solution

Greg Gibbs
Cisco Employee

I'm not sure I understand the question. You're asking about what private key ISE uses for the CSR, but you also mention that you exported the private key. The private key you exported would be the private key used to generate the CSR for that particular certificate.

If you're trying to find a single private key that is used to generate all CSRs, I don't think you'll find one. For security reasons, I would expect ISE would generate a new unique private key for each CSR, so each certificate would have a unique key. Otherwise, if someone compromised the private key for one cert, all certificates on the box would be compromised.

3 Replies


Thank you for the explanation. So ISE will create a new private key and I won't be able to see it before I add the new certificate.

In the end, you have to believe that ISE does it the right way, and if something goes wrong, you can just throw away the newly signed certificate. This happened to me last time: ISE didn't accept the new certificate because of a key mismatch. Don't ask me how that is possible, but I had no choice but to order a new one.

Hi @Thomas Schmitt 


When you create a CSR within the ISE GUI, the system does two things

1) Creates a public/private key pair and stores the private key in a place that you don't need to know/care about. It's what you would do with openssl or similar tools that create key pairs.

2) It creates the CSR and exports it via the GUI to allow you to have the CSR signed by an external CA. The private key never leaves the ISE node.


When you export a system cert in ISE then you are given the option to export the private key - that's the only mechanism you have to ever get hold of the private key.


BTW, you don't need to create the CSR in ISE for the purpose of System Cert generation. You can do everything out of band (e.g. openssl) and then import the finished cert and private key into ISE. This of course implies that the private key originated on another system (e.g. a unix server) and then got bundled into a file that you imported into ISE. Some people freak out over that thought because the private key should only live in ISE. But I think by now you get the point. A private key is just a file that HAS to exist somewhere. And for ultimate security, the private key SHOULD reside only on the system that uses that private key to encrypt the traffic that it sends. If the private key resides outside of the system that it is intended for, then it's either an oversight (human error) or a hack attack :-)
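The two things this thread turns on are the out-of-band key/CSR generation described in the reply above and the "does this certificate actually belong to this private key" comparison that the original post attempted with openssl and sha256sum. The script below is an added example, not code from the thread or from Cisco: it generates a private key and a multi-SAN CSR with openssl (as the reply suggests doing outside the ISE GUI), stands in a self-signed certificate for the CA-signed one, and then fingerprints the public key of a key, CSR or certificate in DER form so that the three can be compared directly. Hashing the DER SubjectPublicKeyInfo rather than PEM text avoids false mismatches caused by line wrapping or header differences between tools. The hostnames, file names and the "other" key are all constructed for the example; the check is the one to run before importing a signed certificate into ISE, so a key mismatch like the one described in the thread is caught before the import is attempted.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl (1.0.2 or newer) in PATH.
# 1) generate a private key and a multi-SAN CSR out of band (what the reply describes)
# 2) fingerprint the public key inside a key, CSR or cert and compare them
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a key, CSR or certificate.
# Usage: pubkey_fp key|csr|cert FILE
pubkey_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        csr)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *)    echo "usage: pubkey_fp key|csr|cert FILE" >&2; return 2 ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# Returns 0 when both artifacts carry the same public key, 1 otherwise.
# Usage: keys_match key|csr|cert FILE key|csr|cert FILE
keys_match() {
    [ "$(pubkey_fp "$1" "$2")" = "$(pubkey_fp "$3" "$4")" ]
}

# Prints "match" or "mismatch" for a private key and the certificate you are
# about to import; run this before the import, not after a failed one.
check_before_import() {
    if keys_match key "$1" cert "$2"; then echo match; else echo mismatch; fi
}

# --- 1) out-of-band key and CSR generation (constructed names) ---------------
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/node1.key" 2>/dev/null

# Request config with a SAN extension; a config file works on every openssl
# version, unlike the newer -addext switch.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = ise-cluster.example.test
[san]
subjectAltName = DNS:ise-cluster.example.test, DNS:node1.example.test
EOF
openssl req -new -key "$WORK/node1.key" -config "$WORK/req.cnf" -out "$WORK/node1.csr"

# Stand-in for the CA-signed certificate: self-signed from the same CSR and key.
openssl x509 -req -in "$WORK/node1.csr" -signkey "$WORK/node1.key" -days 1 \
    -out "$WORK/node1.crt" 2>/dev/null

# An unrelated key, playing the role of the other system certificates' keys
# that the original poster exported and compared.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null

# --- 2) the comparison --------------------------------------------------------
echo "key   $(pubkey_fp key  "$WORK/node1.key")"
echo "csr   $(pubkey_fp csr  "$WORK/node1.csr")"
echo "cert  $(pubkey_fp cert "$WORK/node1.crt")"
echo "other $(pubkey_fp key  "$WORK/other.key")"
check_before_import "$WORK/node1.key" "$WORK/node1.crt"   # match
check_before_import "$WORK/other.key" "$WORK/node1.crt"   # mismatch
```

The same `pubkey_fp` call works on the files ISE hands you: the exported private key (`key`), the CSR downloaded from the GUI (`csr`) and the certificate returned by the CA (`cert`). If the CSR fingerprint matches none of the exported keys, the CSR was generated with a key that has not yet been exported, which is consistent with ISE creating a fresh key pair per CSR; if the CA-issued certificate does not match the key that produced the CSR, the CA signed something other than what you submitted and the import will fail regardless of what ISE does.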