08-04-2015 11:05 PM - edited 03-10-2019 10:57 PM
Hi Security Board,
I created a Certificate Signing Request within Cisco ACS and sent this request to my Certificate authority.
The CA guys came back to me and stated that the CSR contains the following X.509 key usages
Unfortunately the key usages keyAgreement and keyCertSign are not allowed by the PKI policy. After all it's just a normal SSL server certificate :)
So I'm not able to get a certificate from my PKI when those key usages are in place.
If I compare the key usages of the ACS and the ISE (1.3), the ISE only requests the key usages digitalSignature and keyEncipherment, which is totally fine and matches the "standard" SSL web server certificate way of doing things. So ISE does the thing a little bit different than ACS.
Long story short - here are my questions:
Thanks in advance,
Cheers
Johannes
08-08-2015 08:13 PM
What you need to do is generate a compliant server certificate request OUTSIDE of ACS then import both the certificate and private key. I have (un)fortunately learned enough OpenSSL to do this myself but your cert guys should be able to help you generate it.
If you want to lose a day of your life and take a -1 hit to your sanity you can look at the following pages and try it: https://www.openssl.org/docs/HOWTO/certificates.txt
08-20-2015 11:32 PM
Thanks for the answer Nathan. I know that I could use this solution - but the operations guys won't be happy about this detour :)
Just for everybody else running into this issue:
(optional) The openssl config file should have a section for the certificate extensions inside the CSR.
In Ubuntu the default openssl.cnf file is located in /usr/lib/ssl/openssl.cnf

[ ssl_web_server_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
Create the CSR:
openssl req -nodes -newkey rsa:2048 -keyout acs.key -out acs.csr -subj "/C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORGANIZATION>/OU=<OU>/CN=<COMMON-NAME>" -reqexts ssl_web_server_req
The private key will be written in the file "acs.key"
The CSR will be written in the file "acs.csr"
To view the CSR:
openssl req -noout -text -in acs.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Test, CN=test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                [... output omitted ...]
        Attributes:
            Requested Extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         [... output omitted ...]
Sign the CSR at your PKI / CA
After the CSR is signed by the CA, the certificate and the private key (acs.key) can be imported in ACS (Import Server Certificate)
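As an added example (not part of the thread above), the following script builds the policy-compliant CSR from the config section in this post and, for comparison, an ACS-style CSR that also requests keyAgreement and keyCertSign, then checks the requested Key Usage of each before it would be sent to the CA. It assumes openssl is in PATH; the subject values and file names are placeholders.

```shell
# Added example: generate CSRs with and without the key usages the PKI policy
# rejects, and check the requested Key Usage before submitting to the CA.
# Assumes openssl is in PATH; subject values are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config: the compliant extension section from the thread,
# plus an ACS-style section that also asks for keyAgreement and keyCertSign.
write_config() {
    cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
C  = DE
ST = Test
CN = test
[ ssl_web_server_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ acs_style_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement, keyCertSign
EOF
}

# Generate one private key and a CSR for each extension section.
make_csrs() {
    write_config
    openssl genrsa -out "$WORK/acs.key" 2048 2>/dev/null
    for sect in ssl_web_server_req acs_style_req; do
        openssl req -new -key "$WORK/acs.key" -out "$WORK/$sect.csr" \
            -config "$WORK/csr.cnf" -reqexts "$sect"
    done
}

# Print the Key Usage values requested in a CSR, e.g. "Digital Signature, Key Encipherment".
csr_key_usage() {
    openssl req -noout -text -in "$1" | awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# Succeed only if the CSR requests exactly the usages a normal TLS server certificate needs.
csr_policy_ok() {
    [ "$(csr_key_usage "$1")" = "Digital Signature, Key Encipherment" ]
}

make_csrs
for sect in ssl_web_server_req acs_style_req; do
    if csr_policy_ok "$WORK/$sect.csr"; then echo "$sect: OK"; else echo "$sect: rejected ($(csr_key_usage "$WORK/$sect.csr"))"; fi
done
```

Running it prints `ssl_web_server_req: OK` and a rejection line for the ACS-style request showing the extra Key Agreement and Certificate Sign usages, which is what the CA rejected in this thread.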