I am doing a dot1x solution with web auth on cisco 3750 switches.
Once the wired client gets put into the web auth state (after dot1x and MAB) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.
I want to use a Verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth will not know the internal CA.
Is there any way to solve this?
The document below is actually for IOS SSLVPN, but the certificate portion should be the same:
Search for "Appendix B": it goes into creating a trustpoint, and then one section covers a self-signed certificate and another covers generating a certificate request to send to an external CA.
Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
This document goes into a little more detail on all the individual commands and what they do:
Also, you could use something external to the switch, like OpenSSL, to generate the private key and CSR, use that to request a cert from your Verisign CA, and then import the cert/key pair into the IOS device.
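The off-box route described above, as an added example (not from the original thread or from Cisco): OpenSSL generates the switch's RSA key and a CSR whose CN and SAN carry the hostname the web-auth redirect uses, and, once the public CA returns the signed certificate, bundles certificate, key and chain into a PKCS#12 that IOS can import with `crypto pki import <trustpoint> pkcs12`. The hostname `webauth.example.com`, the trustpoint name `WEBAUTH-TP`, the file paths and the throwaway test CA (used only so the bundling step can be exercised offline, standing in for the Verisign-issued certificate) are all assumptions.

```shell
#!/bin/sh
# Added example: key + CSR generated off the switch with OpenSSL, then a
# PKCS#12 bundle for "crypto pki import ... pkcs12" on the IOS device.
# HOST, TRUSTPOINT and WORKDIR are assumed names, not taken from the thread.
set -eu

WORKDIR="${WORKDIR:-./webauth-cert}"
HOST="${HOST:-webauth.example.com}"      # FQDN in the web-auth redirect URL (assumed)
TRUSTPOINT="${TRUSTPOINT:-WEBAUTH-TP}"   # trustpoint name on the switch (assumed)

# 1. Private key and CSR. The CN and SAN must be the exact name the client is
#    redirected to; a public-CA certificate for the wrong name still warns.
gen_csr() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = US
O = Example Corp
CN = $HOST
[v3_req]
subjectAltName = DNS:$HOST
EOF
  openssl genrsa -out "$WORKDIR/$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$HOST.key" -config "$WORKDIR/csr.cnf" \
    -out "$WORKDIR/$HOST.csr"
  # Sanity-check the CSR before sending it to the CA.
  openssl req -in "$WORKDIR/$HOST.csr" -noout -verify >/dev/null 2>&1
}

# 2. Bundle the CA-issued certificate with the private key and the CA chain.
#    Older IOS images only understand the classic SHA1/3DES PKCS#12 PBE, so
#    force those instead of the OpenSSL 3 AES defaults (caveat from experience,
#    check your image's release notes).
bundle_p12() {
  cert="$1"; chain="$2"; password="$3"
  openssl pkcs12 -export -in "$cert" -inkey "$WORKDIR/$HOST.key" \
    -certfile "$chain" -name "$TRUSTPOINT" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$WORKDIR/$HOST.p12" -passout "pass:$password"
}

# 3. The IOS side: copy the .p12 to flash, import it into the trustpoint and
#    point the HTTPS server (which web auth uses) at that trustpoint.
ios_import_commands() {
  cat <<EOF
! copy the bundle first, e.g. copy tftp://<server>/$HOST.p12 flash:
crypto pki import $TRUSTPOINT pkcs12 flash:$HOST.p12 password <p12-password>
ip http secure-trustpoint $TRUSTPOINT
EOF
}

# Test-only stand-in for the public CA: a throwaway local CA signs the CSR so
# bundle_p12 can be exercised offline. Never use this in production.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/testca.key" \
    -out "$WORKDIR/testca.crt" -subj "/CN=Throwaway Test CA" -days 1 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$HOST.csr" -CA "$WORKDIR/testca.crt" \
    -CAkey "$WORKDIR/testca.key" -CAcreateserial -days 1 \
    -extfile "$WORKDIR/csr.cnf" -extensions v3_req \
    -out "$WORKDIR/$HOST.crt" 2>/dev/null
}

# Usage: ./webauth-cert.sh demo   (runs the whole flow with the test CA)
case "${1:-}" in
  demo)
    gen_csr
    sign_with_test_ca
    bundle_p12 "$WORKDIR/$HOST.crt" "$WORKDIR/testca.crt" "changeme"
    ios_import_commands
    ;;
esac
```

If you would rather keep the private key on the switch, the on-box equivalent is a trustpoint with `enrollment terminal pem`, then `crypto pki enroll <trustpoint>` to print the CSR, `crypto pki authenticate <trustpoint>` to paste the CA chain, and `crypto pki import <trustpoint> certificate` to paste the issued certificate; either way `ip http secure-trustpoint` is what makes the web-auth page present the new certificate.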