Showing results for 
Search instead for 
Did you mean: 

NAC Guest Server: How to generate CSR with 2048 bit key




This document talks about generating a certificate signing request (CSR) with 2048 bit key for certificate creation on NAC Guest Server.



Now a days most of the third party Certificate Signing Authorities issue certificates with minimum 2048 bit key. This is true for all the major CAs across globe. So we are concerned with how to generate a certificate signing request on a NAC Guest Server with 2048 bit key, which can be submitted to the third party CA.



Login to the NAC Guest Server through SSH and follow these steps:


1. Create a 2048 bit key and a temporary certificate by issuing the following command:


openssl req -new -newkey rsa:2048 -nodes -x509 -days 365

-keyout /etc/pki/tls/private/localhost.key

-out /etc/pki/tls/certs/localhost.crt


2. Run the following commands to copy and change permissions for postgres:


cp /etc/pki/tls/certs/localhost.crt /var/lib/pgsql/data/server.crt

cp /etc/pki/tls/private/localhost.key /var/lib/pgsql/data/server.key


chmod 600 /var/lib/pgsql/data/server.crt

chmod 600 /var/lib/pgsql/data/server.key


chown postgres:postgres /var/lib/pgsql/data/server.crt

chown postgres:postgres /var/lib/pgsql/data/server.key


3. Now reboot the NAC Guest Server.


Once the steps mentioned above are followed, we can create a certificate signing request from the GUI of the NAC Guest Server:


4. Login to the GUI and go to Admin > Server > SSL Settings > Create CSR. Complete the additional fields, and ensure that 'regenerate private key' is unchecked.

5. Now download the CSR you just created.


Once we have the CSR, please submit it to the in-house CA or desired third party CA for certificate generation. The CA should send you the following:

          -A server certificate in PEM format

          -The root certificate of the CA in PEM format

          -(If applicable)The intermediate certificate of the CA in PEM format


Note: All the files must be in .pem extension. For the purposes of this post we shall call these server.pem, root.pem and intermediate.pem.


6. Now login back to the NAC Guest Server through SSH and run the following command:


openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM


7. Using sftp or scp upload the intermediate and root certs to "/etc/pki/tls/certs" location on the NAC Guest Server.


8. Now enter the following commands:


cd /etc/pki/tls/certs


chmod 666 *.pem


cp intermediate.pem localhost.chain.crt


cat root.pem >> localhost.chain.crt


9. Edit /etc/httpd/conf.d/ssl.conf using:


vi /etc/httpd/conf.d/ssl.conf


10. Find the line starting:#SSLCertificateChainFile, press "i" to get into insert mode, uncomment the line and change it to read:


SSLCertificateChainFile /etc/pki/tls/certs/localhost.chain.crt


:wq!  (To save and quit the vi editor)


11. In the admin interface upload the server cert ("Upload this Server's SSL Certificate" on on Server -> SSL Settings).


12. Now recreate the cert structure and reboot nac guest server:







You can refer to NAC Guest Server Configuration Guides for more details.


Hi Dev


Creating a new key and temp crt wont affect the existing certificate, right ? 


Hi Dev,


      If I already successfully generated the certificate one time.. and will generate a new certificate again.. do i still need to do steps 1 to 3 or I can skip this?

Content for Community-Ad