Introduction
This document describes how to generate a certificate signing request (CSR) with a 2048-bit key for certificate creation on the NAC Guest Server.
Background
Nowadays most third-party certificate authorities issue certificates only for keys of at least 2048 bits. This is true for all the major CAs across the globe. This document is therefore concerned with how to generate a certificate signing request with a 2048-bit key on a NAC Guest Server, which can then be submitted to the third-party CA.
Configuration
Log in to the NAC Guest Server through SSH and follow these steps:
1. Create a 2048-bit key and a temporary self-signed certificate by issuing the following command (the trailing backslashes continue the command onto the next line):
openssl req -new -newkey rsa:2048 -nodes -x509 -days 365 \
  -keyout /etc/pki/tls/private/localhost.key \
  -out /etc/pki/tls/certs/localhost.crt
2. Run the following commands to copy the key and certificate for PostgreSQL and set their permissions and ownership:
cp /etc/pki/tls/certs/localhost.crt /var/lib/pgsql/data/server.crt
cp /etc/pki/tls/private/localhost.key /var/lib/pgsql/data/server.key
chmod 600 /var/lib/pgsql/data/server.crt
chmod 600 /var/lib/pgsql/data/server.key
chown postgres:postgres /var/lib/pgsql/data/server.crt
chown postgres:postgres /var/lib/pgsql/data/server.key
3. Now reboot the NAC Guest Server.
Once the steps above are complete, create a certificate signing request from the GUI of the NAC Guest Server:
4. Log in to the GUI and go to Admin > Server > SSL Settings > Create CSR. Complete the additional fields, and ensure that 'regenerate private key' is unchecked.
5. Now download the CSR you just created.
Once you have the CSR, submit it to the in-house CA or the desired third-party CA for certificate generation. The CA should send you the following:
- A server certificate in PEM format
- The root certificate of the CA in PEM format
- (If applicable) The intermediate certificate of the CA in PEM format
Note: All the files must have the .pem extension. For the purposes of this post we shall call them server.pem, root.pem and intermediate.pem.
6. Now log back in to the NAC Guest Server through SSH. If a certificate was delivered in DER (binary) format instead of PEM, convert it to PEM with the following command, where cert.der is the DER file and cert.pem is the converted output:
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
7. Using sftp or scp, upload the intermediate and root certificates to the /etc/pki/tls/certs directory on the NAC Guest Server.
8. Now enter the following commands (the chain file contains the intermediate certificate first, followed by the root certificate):
cd /etc/pki/tls/certs
chmod 666 *.pem
cp intermediate.pem localhost.chain.crt
cat root.pem >> localhost.chain.crt
9. Edit /etc/httpd/conf.d/ssl.conf using:
vi /etc/httpd/conf.d/ssl.conf
10. Find the line starting with #SSLCertificateChainFile, press "i" to enter insert mode, uncomment the line and change it to read:
SSLCertificateChainFile /etc/pki/tls/certs/localhost.chain.crt
:wq! (to save and quit the vi editor)
11. In the admin interface, upload the server certificate ("Upload this Server's SSL Certificate" under Server > SSL Settings).
12. Now rebuild the certificate hash links with c_rehash and reboot the NAC Guest Server:
c_rehash
reboot
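Before uploading anything in steps 8 and 11, it is worth confirming that the CSR really carries a 2048-bit key, that the issued server certificate belongs to the private key on the box, and that the intermediate+root chain file actually completes the chain. The following script is an added example, not part of the original document or the product: it builds a throwaway root and intermediate CA in a temporary directory (all names and subjects are constructed), then runs those three checks with the same openssl commands an administrator would use on the real files.

```shell
#!/bin/sh
# Added example (not from the NAC Guest Server document): build a throwaway
# root + intermediate CA and a 2048-bit server key/CSR in a temp directory,
# assemble localhost.chain.crt the way step 8 does, and check the pieces
# before anything is uploaded. All names are constructed; needs openssl.
set -eu
# Print the RSA key size (bits) of the key embedded in a CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# Succeed when server cert $1 chains to root $3; the intermediate+root file
# $2 is offered only as untrusted chain material, as httpd will offer it.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}
# Succeed when private key $1 and certificate $2 share one modulus, i.e. the
# CA really issued the cert for the CSR this key produced.
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}
# Key + CSR written to $1.key/$1.csr: step 1 of the document without -x509.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr"
}
# Demo root, intermediate, server cert and chain file, all created in $1.
build_demo_pki() {
  cd "$1" && printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_csr root 'Demo Root' && new_csr intermediate 'Demo Intermediate'
  new_csr localhost 'nacguest.example.test'
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ca.ext -out root.pem
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -days 3650 -extfile ca.ext -out intermediate.pem
  openssl x509 -req -in localhost.csr -CA intermediate.pem \
    -CAkey intermediate.key -CAcreateserial -days 365 -out server.pem
  cp intermediate.pem localhost.chain.crt   # step 8: intermediate first,
  cat root.pem >> localhost.chain.crt       # then the root appended
}
WORK="$(mktemp -d)"
build_demo_pki "$WORK" 2>/dev/null
echo "CSR key size: $(csr_key_bits "$WORK/localhost.csr") bits"
chain_verifies "$WORK/server.pem" "$WORK/localhost.chain.crt" "$WORK/root.pem" \
  && echo "chain OK" || echo "chain BROKEN"
key_matches_cert "$WORK/localhost.key" "$WORK/server.pem" \
  && echo "key matches cert" || echo "key/cert MISMATCH"
```

On a real NAC Guest Server, point the three check functions at the downloaded CSR, /etc/pki/tls/private/localhost.key, server.pem and localhost.chain.crt instead of the demo files.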
Reference
You can refer to the NAC Guest Server Configuration Guides for more details.