How to generate CSR on switches for web auth with NGS

Answered Question
Sep 17th, 2010

Hello

I am doing a dot1x solution with web auth on Cisco 3750 switches.

Once the wired client gets put into the web auth state (after dot1x and MAB) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.

I want to use a Verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth will not know the internal CA.

Is there any way to solve this?

Greetings

Steven

Correct Answer by Nathaniel Austin, Mon, 09/20/2010 - 07:27

Hi Steven,

The below document is actually for IOS SSLVPN, but the certificate portion should be the same:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.

Once a trustpoint is created, the command to actually generate the CSR is "crypto pki enroll".

This document goes into a little more detail on all the individual commands and what they do:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.

Thanks,

Nate

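The OpenSSL route Nate mentions, as an added example that is not part of the original thread: it generates the private key and CSR for the web-auth HTTPS listener, checks them before they go to the CA, and bundles the returned certificate as PKCS#12 for `crypto pki import ... pkcs12`. The file names, the subject DN and the FQDN are assumptions.

```shell
#!/bin/sh
# Added example: generate the switch's private key and CSR with OpenSSL, check
# them, and bundle the CA-signed certificate for import into IOS. File names,
# the subject DN and the web-auth FQDN below are assumptions, not from the post.
set -eu

# $1 = file basename (use the trustpoint name), $2 = FQDN clients are
# redirected to. The CN and a DNS SAN must match that name, or browsers will
# still warn even though the CA is public. The key is generated off-box, so
# protect <name>.key as you would any switch credential.
make_switch_csr() {
  name="$1"; fqdn="$2"
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -out "$name.csr" \
    -subj "/C=XX/O=Example Org/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}

# True when the CSR's public key is the one derived from <name>.key.
csr_matches_key() {
  k=$(openssl pkey -in "$1.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$1.csr" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# Print the CN in the CSR so it can be checked before the CSR is submitted.
csr_cn() {
  openssl req -in "$1.csr" -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Once the CA returns <name>.crt (and optionally a chain file as $3), bundle
# key + certificate into a PKCS#12 the switch can load with:
#   crypto pki import WEBAUTH-TP pkcs12 tftp://<server>/<name>.p12 password <pw>
# $2 is the bundle password; delete the .p12 from the TFTP server afterwards.
bundle_for_ios() {
  if [ -n "${3:-}" ]; then chain="-certfile $3"; else chain=""; fi
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" $chain \
    -out "$1.p12" -passout "pass:$2" 2>/dev/null
}

# Usage: make_switch_csr WEBAUTH-TP webauth.example.net && cat WEBAUTH-TP.csr
```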