Dev Vishwakarma
Cisco Employee

 

Introduction

This document describes how to generate a certificate signing request (CSR) with a 2048-bit key for certificate creation on the NAC Guest Server.

 

Background

Nowadays most third-party certificate authorities (CAs) issue certificates with a minimum 2048-bit key. This is true for all the major CAs across the globe. This document therefore covers how to generate a CSR with a 2048-bit key on a NAC Guest Server, which can then be submitted to the third-party CA.

 

Configuration

Log in to the NAC Guest Server through SSH and follow these steps:

 

1. Create a 2048-bit key and a temporary certificate by issuing the following command:

openssl req -new -newkey rsa:2048 -nodes -x509 -days 365 \
  -keyout /etc/pki/tls/private/localhost.key \
  -out /etc/pki/tls/certs/localhost.crt

 

2. Run the following commands to copy and change permissions for postgres:

 

cp /etc/pki/tls/certs/localhost.crt /var/lib/pgsql/data/server.crt

cp /etc/pki/tls/private/localhost.key /var/lib/pgsql/data/server.key

 

chmod 600 /var/lib/pgsql/data/server.crt

chmod 600 /var/lib/pgsql/data/server.key

 

chown postgres:postgres /var/lib/pgsql/data/server.crt

chown postgres:postgres /var/lib/pgsql/data/server.key

 

3. Now reboot the NAC Guest Server.

 

Once the steps mentioned above are followed, we can create a certificate signing request from the GUI of the NAC Guest Server:

 

4. Log in to the GUI and go to Admin > Server > SSL Settings > Create CSR. Complete the additional fields, and ensure that 'regenerate private key' is unchecked.

5. Now download the CSR you just created.

 

Once we have the CSR, please submit it to the in-house CA or desired third party CA for certificate generation. The CA should send you the following:

          - A server certificate in PEM format

          - The root certificate of the CA in PEM format

          - (If applicable) The intermediate certificate of the CA in PEM format

 

Note: All the files must have the .pem extension. For the purposes of this post we shall call these server.pem, root.pem and intermediate.pem.

 

6. Now log back in to the NAC Guest Server through SSH and run the following command, which converts a DER-encoded certificate (cert.der) to PEM format (cert.pem):

 

openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

 

7. Using sftp or scp, upload the intermediate and root certs to the "/etc/pki/tls/certs" location on the NAC Guest Server.

 

8. Now enter the following commands:

 

cd /etc/pki/tls/certs

 

chmod 666 *.pem

 

cp intermediate.pem localhost.chain.crt

 

cat root.pem >> localhost.chain.crt

 

9. Edit /etc/httpd/conf.d/ssl.conf using:

 

vi /etc/httpd/conf.d/ssl.conf

 

10. Find the line starting with #SSLCertificateChainFile, press "i" to enter insert mode, uncomment the line and change it to read:

 

SSLCertificateChainFile /etc/pki/tls/certs/localhost.chain.crt

 

:wq!  (To save and quit the vi editor)

 

11. In the admin interface, upload the server cert ("Upload this Server's SSL Certificate" on Server -> SSL Settings).

 

12. Now recreate the cert structure and reboot the NAC Guest Server:

 

c_rehash

 

reboot
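
The checks below are an added example, not part of the original post or of the NAC Guest Server itself. They confirm that the private key from step 1 is at least 2048 bits, that the certificate returned by the CA matches it, and that the chain file built in step 8 validates the certificate. The function names, the throwaway demo PKI and the host name guest.example.test are assumptions made for illustration.

```bash
# Added example (not from the original post). The demo PKI is constructed data.

# RSA key size in bits, derived from the hex modulus length.
key_bits() {
    local m
    m=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    m=${m#Modulus=}
    echo $(( ${#m} * 4 ))
}

# Succeeds only if certificate $2 carries the public half of private key $1.
key_matches_cert() {
    local k c
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Succeeds only if certificate $2 validates against chain file $1 (step 8).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run all checks. Arguments: private key, server certificate, chain file.
run_checks() {
    local rc=0
    [ "$(key_bits "$1")" -ge 2048 ] 2>/dev/null || { echo "FAIL: key under 2048 bits"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: certificate does not match key"; rc=1; }
    chain_verifies "$3" "$2"   || { echo "FAIL: chain does not validate certificate"; rc=1; }
    return "$rc"
}

# Constructed sample: throwaway root -> intermediate -> server PKI in directory $1.
make_demo_pki() {
    local d=$1
    printf '[req]\ndistinguished_name=req\nx509_extensions=ca\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.cnf" -extensions ca -out "$d/intermediate.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=guest.example.test" \
        -keyout "$d/localhost.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
    cp "$d/intermediate.pem" "$d/localhost.chain.crt"   # chain file built as in step 8
    cat "$d/root.pem" >> "$d/localhost.chain.crt"
}
```

On the server, source the functions and call run_checks with /etc/pki/tls/private/localhost.key, server.pem and /etc/pki/tls/certs/localhost.chain.crt before the upload in step 11. A key mismatch means the CSR was created from a different key than the one made in step 1.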

 

Reference

You can refer to NAC Guest Server Configuration Guides for more details.

Comments
anil_ccieDC
Level 1

Hi Dev

 

Creating a new key and temp crt won't affect the existing certificate, right?

Jameskyc
Level 1

Hi Dev,

 

If I already successfully generated the certificate one time and will generate a new certificate again, do I still need to do steps 1 to 3, or can I skip this?
