Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
738
Views
5
Helpful
2
Replies

ACS 5.x CSR Certificate key usage

Johannes Luther
Level 4
Level 4

‎08-04-2015 11:05 PM - edited ‎03-10-2019 10:57 PM

Hi Security Board,

I created a Certificate Signing Request within Cisco ACS and sent this request to my Certificate authority.

The CA guys came back to me and stated that the CSR contains the following X.509 key usages

  • digitalSignature
  • keyAgreement
  • keyCertSign
  • keyEncipherment

Unfortunately the key usages keyAgreement and keyCertSign are not allowed by the PKI policy. After all it's just a normal SSL server certificate :)

So I'm not able to get a certificate from my PKI when those key usages are in place.

If I compare the key usages of the ACS and the ISE (1.3), the ISE only requests the key usages digitalSignature and keyEncipherment, which is totally fine and matches the "standard" SSL web server certificate way of doing things. So ISE does the thing a little bit different than ACS.

Long story short - here are my questions:

  • Is there a way to configure the certificate attributes within the CSR directly from the ACS?
  • Any idea why ACS is requesting keyAgreement and keyCertSign

 

Thanks in advance,

Cheers

Johannes

Labels:
0 Helpful
2 Replies 2

Nathan Spitzer
Level 1
Level 1

‎08-08-2015 08:13 PM

What you need to do is generate a compliant server certificate request OUTSIDE of ACS then import both the certificate and private key. I have (un)fortunately learned enough openSSL to do this myself but your cert guys should be able to help you generate it.

 

If you want to lose a day of your life and take a -1 hit to your sanity you can look at the following pages and try it: https://www.openssl.org/docs/HOWTO/certificates.txt

Johannes Luther
Level 4
Level 4
In response to Nathan Spitzer

‎08-20-2015 11:32 PM

Thanks for the answer Nathan. I know that I could use this solution - but the operations guys won't be happy about this detour :)

Just for everybody else, running into this issue:

 

(optional) openssl config file should have a section for the certificate extensions inside the CSR

In Ubuntu the default openssl.cnf file is located in /usr/lib/ssl/openssl.cnf

[ ssl_web_server_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment

 

Create the CSR:

openssl req -nodes -newkey rsa:2048 -keyout acs.key -out acs.csr -subj "/C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORGANIZATION>/OU=<OU>/CN=<COMMON-NAME>" -reqexts ssl_web_server_req

The private key will be written in the file "acs.key"

The CSR will be written in the file "acs.csr"

 

To view the CSR:

openssl req -noout -text -in acs.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Test, CN=test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                [... output ommited ...]
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment

    Signature Algorithm: sha256WithRSAEncryption
                 [... output ommited ...]

 

Sign the CSR at your PKI / CA

After the CSR is signed by the CA, the certificate and the private key (acs.key) can be imported in ACS (Import Server Certificate)

0 Helpful
Customers Also Viewed These Support Documents