How to generate CSR on switches for web auth with NGS

steven.vandyk
Level 1

Hello

I am doing a dot1x solution with web auth on Cisco 3750 switches.

Once the wired client gets put into web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.

I want to use a Verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth will not know the internal CA.

Is there any way to solve this?

Greetings

Steven

Accepted Solutions

Nate Austin
Cisco Employee

Hi Steven,

The below document is actually for IOS SSLVPN, but the certificate portion should be the same:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.

Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".

This document goes into a little more detail on all the individual commands and what they do:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.

Thanks,

Nate
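
The off-box route mentioned at the end of the answer above, as an added example that is not part of the original post or of Cisco's documentation: it generates the key pair and CSR with OpenSSL and checks the request before it is submitted to the public CA. The hostname `webauth.example.test`, the file names and the subjectAltName entry are assumptions; use the name clients actually see when they are redirected to the switch.

```shell
#!/bin/sh
# Added example: build a CSR off-box with OpenSSL and sanity-check it
# before submission. Hostname and file names are placeholders.
# Usage after sourcing: make_csr webauth.example.test ./out && check_csr webauth.example.test ./out

# make_csr FQDN OUTDIR -> writes OUTDIR/FQDN.key and OUTDIR/FQDN.csr
make_csr() {
    fqdn=$1; out=$2
    cfg="$out/$fqdn.cnf"
    # Request template: CN plus a matching subjectAltName, because current
    # browsers match the hostname against the SAN rather than the CN.
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    # -nodes leaves the private key unencrypted on disk, so create it
    # owner-only and delete it once it has been imported into the device.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
          -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" )
}

# check_csr FQDN OUTDIR -> 0 if consistent; 1, 2 or 3 names the failed check
check_csr() {
    fqdn=$1; out=$2
    csr="$out/$fqdn.csr"; key="$out/$fqdn.key"
    # 1. The CSR's self-signature verifies (proof of key possession).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # 2. The public key in the CSR belongs to the private key we will import.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 2
    # 3. The hostname made it into the requested extensions.
    openssl req -in "$csr" -noout -text | grep -qF "DNS:$fqdn" || return 3
}
```

Check 2 matters on this path because the certificate returned by the CA is only usable on the switch together with the exact private key that signed the request.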
