How to generate CSR on switches for web auth with NGS

steven.vandyk
Level 1

Hello

I am doing a dot1x solution with web auth on Cisco 3750 switches.

Once the wired client gets put into web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.

I want to use a Verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth will not know the internal CA.

Is there any way to solve this?

Greetings

Steven

Accepted Solutions

Nate Austin
Cisco Employee

Hi Steven,

The below document is actually for IOS SSLVPN, but the certificate portion should be the same:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.

Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".

This document goes into a little more detail on all the individual commands and what they do:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.

Thanks,

Nate
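
The OpenSSL route suggested in the answer above, as an added example that is not part of the original thread or of Cisco's documentation: generate the key and CSR off the switch, check them, and bundle the issued certificate with the key for import. The hostname, subject fields, file names and the throwaway test CA (which stands in for the public CA so the script runs offline) are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: off-box key and CSR generation for a switch web-auth certificate.
# Constructed values (not from the thread): hostname, subject, file names and
# the one-day test CA that stands in for the public CA.
set -eu

SWITCH_FQDN="webauth-sw1.example.com"
SUBJECT="/C=US/O=Example Corp/CN=${SWITCH_FQDN}"

# Create a 2048-bit RSA key (owner-readable only) and a PKCS#10 request in dir $1.
make_csr() {
  ( umask 077; openssl genrsa -out "$1/switch.key" 2048 2>/dev/null )
  openssl req -new -sha256 -key "$1/switch.key" -subj "$SUBJECT" \
    -addext "subjectAltName=DNS:${SWITCH_FQDN}" -out "$1/switch.csr"
}

# True only if the CSR self-signature verifies. The message is matched rather
# than the exit status, because older OpenSSL releases can exit 0 on a failed verify.
csr_is_valid() {
  openssl req -in "$1/switch.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# Print the RSA modulus of a key, CSR or certificate ($1 = rsa|req|x509, $2 = file).
# Equal moduli mean the files belong to the same key pair.
modulus_of() {
  openssl "$1" -in "$2" -noout -modulus
}

# Stand-in for the CA: a throwaway test CA signs the CSR so the script runs offline.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1/switch.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/switch.crt" 2>/dev/null
}

# Bundle key, issued certificate and CA certificate into PKCS#12.
# The passphrase is read from the exported variable P12_PASS, not from argv.
make_p12() {
  openssl pkcs12 -export -inkey "$1/switch.key" -in "$1/switch.crt" \
    -certfile "$1/ca.crt" -name "$SWITCH_FQDN" -passout env:P12_PASS \
    -out "$1/switch.p12"
}
```

Only `switch.csr` goes to the CA; the private key stays on the admin host until it is bundled into the PKCS#12 file, a format an IOS trustpoint can import together with the certificate.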
