How to generate CSR on switches for web auth with NGS

Answered Question
Sep 17th, 2010

Hello

I am doing a dot1x solution with web auth on Cisco 3750 switches.

Once the wired client gets put into the web auth state (after dot1x and MAB) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.

I want to use a Verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth will not know the internal CA.

Is there any way to solve this?

Greetings

Steven

Correct Answer by Nate Austin (Cisco Employee), Mon, 09/20/2010 - 07:27

Hi Steven,

The document below is actually for IOS SSLVPN, but the certificate portion should be the same:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

Search for "Appendix B": it goes into creating a trustpoint, and then one section is for self-signed and another is for generating a certificate request to send to an external CA.

Once a trustpoint is created, the command to actually generate the CSR is "crypto pki enroll ".

This document goes into a little more detail on all the individual commands and what they do:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

Also, you could use something external to the switch like OpenSSL to generate the CSR/private key, and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.

Thanks,

Nate

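A worked version of the OpenSSL route Nate mentions, added here as an example and not code from the thread or from Cisco: the key and CSR are made off-box, the CSR goes to the public CA, and the returned certificate plus key are bundled as PKCS#12 for the switch trustpoint. The FQDN switch1.example.com, the file names, the O= value, the trustpoint label and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate the web-auth server key and
# CSR with OpenSSL outside the switch, then bundle the CA-signed certificate
# and key for import into the IOS trustpoint.
# FQDN, file names, O= value and passphrase are assumptions.
set -eu

# Generate a 2048-bit RSA key and a CSR for the name that web-auth clients
# are redirected to. CN and SAN must both carry that FQDN, and it must resolve
# to the switch, otherwise the browser warning stays.
gen_webauth_csr() {
  fqdn=$1; out=$2
  mkdir -p "$out"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" \
    -subj "/O=Example Corp/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
  chmod 600 "$out/$fqdn.key"
  # check the request's own signature before submitting it to the CA
  openssl req -in "$out/$fqdn.csr" -noout -verify >/dev/null 2>&1
}

# Print the CN of a CSR so it can be checked before the request is submitted.
csr_cn() {
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Bundle the CA-signed certificate, the CA chain and the private key as
# PKCS#12. IOS imports the pair into an existing trustpoint with
#   crypto pki import <trustpoint> pkcs12 <url> password <passphrase>
# If an older IOS release rejects the bundle written by OpenSSL 3, re-run the
# export with the "-legacy" option so the older PKCS#12 ciphers are used.
make_ios_pkcs12() {
  key=$1; cert=$2; chain=$3; out=$4; pw=$5
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
    -name webauth -out "$out" -passout "pass:$pw"
  chmod 600 "$out"
}
```

Keep the .key and .p12 files off shared storage; once the bundle is imported, the trustpoint is assigned to the HTTPS server with `ip http secure-trustpoint <trustpoint>`.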