PRSM certificate

Peter Long
Level 1

Hi 

 

I need to put a certificate on my PRSM virtual appliance and I can't work out how to do it. The cert needs to be issued from my existing Microsoft Certificate Services PKI deployment.

The only options I get (on the Administration > Server Certificates page) are:

certificate (PEM format only) [browse]
key (PEM format only) [browse]

I know what PEM format means, and I can generate a web server certificate from Cert Services, but a key? Has anyone actually done this?

 

Regards,

 

Pete


Marvin Rhoads
Hall of Fame

Hi Pete,

Yes I've done this. You need to create the key and CSR outside of PRSM using openssl. The key you generate there is combined with the certificate you get back from your CA.

The process is documented in the User Guide here.

Hi Marvin,

Thanks for the feedback. The client just forked out a LARGE amount of cash on a complete new network that has 6 PKI servers in the design. Are we saying this cannot be done with Microsoft Certificate Services? I need a certificate that their domain clients will trust.

 

Regards,

 

Pete

 

 

Pete,

You only need to use openssl to generate the key and CSR. That's only because Cisco didn't build that capability into PRSM itself (beyond the self-signed cert, using an auto-generated key, that it creates automatically using the underlying Linux OS (and, I would imagine, openssl) under the covers, which you don't have shell access to). So they force you to use openssl on some other host.

Your certificate authority (CA) of choice would still issue the certificate. That's the case whether it's a customer's internal Microsoft AD Certificate Services-based PKI or a public CA like Thawte, GoDaddy, Verisign, Entrust etc.

If you're doing this so you can decrypt traffic for inspection, I hope you sized the boxes accordingly. You will take a big performance hit by doing that. I haven't seen benchmark numbers but have heard anecdotal stories that it's significant.
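The out-of-band workflow Marvin describes, written out as an added shell example (this is not code from the thread, the PRSM User Guide or Cisco): generate the key and CSR with openssl on a workstation, have a CA issue the certificate, convert what comes back to PEM, and check the pair before uploading it on the Server Certificates page. The appliance name prsm.example.local is an assumption, and because the script has to run offline it signs the CSR with a throwaway local CA that stands in for AD Certificate Services; on the client's network you would submit prsm.csr to the issuing CA instead (the certreq command in the comment is the Windows way to do that).

```shell
#!/bin/sh
# Added example, not from the thread or Cisco docs: key + CSR outside PRSM,
# cert issued by a CA, converted to PEM, and sanity-checked before upload.
# Assumptions: the FQDN below, and a stand-in local CA instead of AD CS.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PRSM_FQDN="${PRSM_FQDN:-prsm.example.local}"   # assumed appliance name

# One config file serves the CSR (v3_req) and the stand-in CA (v3_ca).
write_cnf() {
    cat > "$WORK/prsm.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $PRSM_FQDN
[ v3_req ]
subjectAltName = DNS:$PRSM_FQDN
extendedKeyUsage = serverAuth
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# 1. Private key and CSR on a workstation: PRSM gives you no shell for this.
#    The SAN matters: browsers match the FQDN against the SAN, not the CN.
make_key_and_csr() {
    openssl genrsa -out "$WORK/prsm.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/prsm.key" -config "$WORK/prsm.cnf" \
        -out "$WORK/prsm.csr"
}

# 2. Issue the certificate. Real flow, on a domain-joined Windows host:
#      certreq -submit -attrib "CertificateTemplate:WebServer" prsm.csr prsm.cer
#    Here a throwaway CA (assumption) stands in for AD CS so this runs offline.
make_stand_in_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/prsm.cnf" -extensions v3_ca \
        -subj "/CN=Stand-in Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

sign_csr() {
    openssl x509 -req -in "$WORK/prsm.csr" -days 1 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/prsm.cnf" -extensions v3_req \
        -outform DER -out "$WORK/prsm.cer" 2>/dev/null
}

# 3. AD CS usually hands back a binary (DER) .cer; the PRSM page wants PEM.
cer_to_pem() {
    openssl x509 -inform DER -in "$WORK/prsm.cer" -outform PEM -out "$WORK/prsm.pem"
}

# 4. Checks before uploading: key and cert share a modulus, the SAN carries
#    the FQDN, and the cert chains to the issuing CA the clients trust.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORK/prsm.key" 2>/dev/null | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$WORK/prsm.pem" | openssl sha256)
    [ "$k" = "$c" ]
}

cert_has_san() {
    openssl x509 -noout -text -in "$WORK/prsm.pem" | grep -q "DNS:$PRSM_FQDN"
}

chain_verifies() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/prsm.pem" >/dev/null
}

run_all() {
    write_cnf && make_key_and_csr && make_stand_in_ca && sign_csr && cer_to_pem \
        && key_matches_cert && cert_has_san && chain_verifies
}

run_all && echo "ready to upload: $WORK/prsm.pem and $WORK/prsm.key"
```

If Cert Services returns a PKCS#7 bundle (.p7b) rather than a bare .cer, `openssl pkcs7 -print_certs -inform DER -in file.p7b -out certs.pem` extracts the certificates in PEM; PRSM only takes the server certificate and its key, so the issuing chain has to reach the domain clients by the usual AD CS means (the enterprise CA certificates in the domain trust stores) rather than via the appliance. The modulus comparison is the check worth keeping: a mismatched key and cert is the most common reason the upload is rejected.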

>>If you're doing this so you can decrypt traffic for inspection,

Actually no, the client has purchased a separate solution to do this. After posting my last comment I tumbled to what you meant; I was reading this, which I'm guessing is a similar process.

I'll run up a quick test in VMware.

{I can find nothing in Prime, and I'm not a fan of Cisco documentation - bah}

Pete

Just did it in VMware Workstation with OpenSSL for Windows and Cert Services (Server 2012 R2). I'll get the procedure documented and post the link tomorrow.

Thanks again Marvin, always a pleasure.

Pete

Nice posting. Cheers Pete.

No problem - I've got the CDA to work out next (it never ends :^) )

Looks like that's the same as ISE, though, and my colleague has managed to do that, so fingers crossed.

 

P

I've not tried to change the CDA certificate.

One thing I did learn just recently re CDA + PRSM: you need to specify the individual CX modules (in addition to PRSM) as registered devices in CDA.

They are the ones that actually interactively query CDA for identity information.

Without that set up, Identity-based policies will not work.

Nice catch, I did not know that :)