01-14-2015 08:16 AM
Hi
I need to put a certificate on my PRSM virtual appliance and I can't work out how to do it. The cert needs to be issued from my existing Microsoft Certificate Services PKI deployment.
The only options I get (on the Administration > Server Certificates page) are:
- Certificate (PEM format only) [Browse]
- Key (PEM format only) [Browse]
I know what PEM format means, and I can generate a web server certificate from Cert Services, but a key? Has anyone actually done this?
Regards,
Pete
Solved! Go to Solution.
01-14-2015 01:19 PM
Pete,
You only need to use OpenSSL to generate the key and CSR. That's only because Cisco didn't build that capability into PRSM itself (beyond the self-signed cert it automatically creates, using an auto-generated key, via the Linux (and I would imagine OpenSSL) under the covers that you don't have shell access to). So they force you to use OpenSSL on some other host.
Your certificate authority (CA) of choice would still issue the certificate. That's the case whether it's a customer's internal Microsoft AD Certificate Services-based PKI or a public CA like Thawte, GoDaddy, Verisign, Entrust, etc.
If you're doing this so you can decrypt traffic for inspection, I hope you sized the boxes accordingly. You will take a big performance hit by doing that. I haven't seen benchmark numbers but have heard anecdotal stories that it's significant.
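The procedure described in the answer above, as an added worked example (it is not from this thread, the PRSM User Guide, or Cisco): generate the private key and CSR with OpenSSL on an admin host, have the CA issue the certificate, normalise whatever the CA hands back into PEM, and confirm the certificate and key belong together before uploading them as the two separate files PRSM asks for. The FQDN, DN values and paths are placeholders. The AD CS submission step (certreq, or the certsrv web enrollment page) cannot run here, so the script contains a clearly labelled throwaway CA that signs the CSR purely so the conversion and matching checks can be exercised offline; in the real deployment that role is played by the Microsoft issuing CA.

```shell
#!/bin/sh
# Added example: OpenSSL key/CSR for the PRSM web UI, PEM normalisation, and a
# cert-to-key match check before upload. Placeholder names throughout.
set -e

# Minimal req config so the CSR carries a SAN (modern browsers ignore the CN alone).
write_req_config() {                     # $1 = workdir, $2 = PRSM appliance FQDN
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
C  = GB
O  = Example Corp
CN = $2
[v3_req]
subjectAltName   = DNS:$2
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Step 1: unencrypted RSA key plus CSR. The upload form takes a plain PEM key, so no
# passphrase; protect the file with permissions and keep it off shared drives.
# If the appliance rejects a "BEGIN PRIVATE KEY" (PKCS#8) file, try the traditional
# form: openssl rsa -in prsm.key -out prsm-rsa.key  (assumption, not documented behaviour)
gen_key_and_csr() {                      # $1 = workdir, $2 = FQDN
    mkdir -p "$1"
    write_req_config "$1" "$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
        -keyout "$1/prsm.key" -out "$1/prsm.csr" 2>/dev/null
    chmod 600 "$1/prsm.key"
}

# Step 2 on a Windows host against AD CS (cannot run here):
#   certreq -submit -attrib "CertificateTemplate:WebServer" prsm.csr prsm.cer
# or paste prsm.csr into the certsrv web enrollment page and download the result.
# The stand-in below issues the cert for an offline test only; it is NOT part of
# the real procedure.
sign_with_throwaway_ca() {               # $1 = workdir
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$1/req.cnf" -subj "/CN=Throwaway Test CA" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl x509 -req -in "$1/prsm.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/req.cnf" -extensions v3_req \
        -outform DER -out "$1/prsm.cer" 2>/dev/null
}

# Step 3: PRSM only accepts PEM. AD CS hands out DER (.cer) or PKCS#7 (.p7b) depending
# on what was clicked, so normalise first. A .p7b yields the whole chain with
# subject=/issuer= lines; cut the leaf certificate block out before uploading.
to_pem() {                               # $1 = file from the CA, $2 = PEM output path
    if grep -q "BEGIN CERTIFICATE" "$1" 2>/dev/null; then
        openssl x509 -in "$1" -out "$2"
    elif openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null; then
        :
    elif grep -q "BEGIN PKCS7" "$1" 2>/dev/null; then
        openssl pkcs7 -in "$1" -print_certs -out "$2"
    else
        openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
    fi
}

# Step 4: the form takes cert and key as two unrelated files, so prove they pair up
# by comparing the SubjectPublicKeyInfo from each. Exit 0 on match.
key_matches_cert() {                     # $1 = cert PEM, $2 = key PEM
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Optional: confirm the leaf chains to the CA you expect (the exported AD CS root /
# issuing CA in production; the throwaway CA in this offline test).
verify_chain() {                         # $1 = cert PEM, $2 = CA bundle PEM
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    d=./prsm-cert
    gen_key_and_csr "$d" "prsm01.corp.example.com"
    sign_with_throwaway_ca "$d"
    to_pem "$d/prsm.cer" "$d/prsm.crt"
    key_matches_cert "$d/prsm.crt" "$d/prsm.key" && verify_chain "$d/prsm.crt" "$d/ca.crt" \
        && echo "upload $d/prsm.crt as Certificate and $d/prsm.key as Key"
}
case "${1:-}" in demo) demo ;; esac
```

Run as `sh prsm-cert.sh demo` to walk the whole flow locally; for the real appliance, skip sign_with_throwaway_ca, feed prsm.csr to the Microsoft CA, and run to_pem and key_matches_cert on what it returns before touching the PRSM upload page.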
01-14-2015 09:38 AM
Hi Pete,
Yes I've done this. You need to create the key and CSR outside of PRSM using openssl. The key you generate there is combined with the certificate you get back from your CA.
The process is documented in the User Guide here.
01-14-2015 01:04 PM
Hi Marvin,
Thanks for the feedback. The client just forked out a LARGE amount of cash on a complete new network that has 6 PKI servers in the design. Are we saying this cannot be done with Microsoft Certificate Services? I need a certificate that their domain clients will trust.
Regards,
Pete
01-14-2015 01:20 PM
>>If you're doing this so you can decrypt traffic for inspection,
Actually no - the client has purchased a separate solution to do this. After posting my last comment I tumbled to what you meant; I was reading this, which I'm guessing is a similar process.
I'll run up a quick test in VMware.
{I can find nothing in Prime, and I'm not a fan of Cisco documentation - bah}
Pete
01-14-2015 02:59 PM
Just did it in VMware Workstation with OpenSSL for Windows and Cert Services (Server 2012 R2). I'll get the procedure documented and post the link tomorrow.
Thanks again Marvin, always a pleasure.
Pete
01-15-2015 02:29 AM
01-15-2015 05:42 AM
Nice posting. Cheers Pete.
01-15-2015 05:54 AM
No problem - I've got the CDA to work out next (it never ends :^) )
Looks like that's the same as ISE though, and my colleague has managed to do that, so fingers crossed.
P
01-15-2015 07:07 AM
I've not tried to change the CDA certificate.
One thing I did learn just recently re CDA + PRSM: you need to specify the individual CX modules (in addition to PRSM) as registered devices in CDA.
They are the ones that actually interactively query CDA for identity information.
Without that set up, Identity-based policies will not work.
01-15-2015 07:15 AM
Nice catch, I did not know that :)