
How to generate CSR on switches for web auth with NGS

Hello

I am doing a dot1x solution with web auth on Cisco 3750 switches.

Once the wired client gets put into the web auth state (after dot1x and MAB) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.

I want to use a Verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth will not know the internal CA.

Is there any way to solve this?

Greetings

Steven


Accepted Solutions
Cisco Employee

Re: How to generate CSR on switches for web auth with NGS

Hi Steven,

The below document is actually for IOS SSLVPN, but the certificate portion should be the same:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.

Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".

This document goes into a little more detail on all the individual commands and what they do:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.

Thanks,

Nate
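The on-switch route described in the reply above (trustpoint, then `crypto pki enroll`), written out as an added example that is not part of the original post or of Cisco's documents. The trustpoint name `WEBAUTH-TP`, key label `WEBAUTH-KEY`, and the subject and FQDN values are placeholders, and it assumes the switch runs a crypto-capable IOS image and that the web auth login page is served by the HTTPS server bound with `ip http secure-trustpoint`.

```ios
! Constructed example: WEBAUTH-TP, WEBAUTH-KEY and sw1.example.com are placeholders.
configure terminal
 !
 ! Generate a named 2048-bit RSA key pair. Leaving off the "exportable"
 ! keyword keeps the private key from being exported off the switch.
 crypto key generate rsa general-keys label WEBAUTH-KEY modulus 2048
 !
 ! Trustpoint for manual (cut-and-paste) enrollment with an external CA.
 crypto pki trustpoint WEBAUTH-TP
  enrollment terminal pem
  subject-name CN=sw1.example.com,O=Example Corp,C=US
  fqdn sw1.example.com
  rsakeypair WEBAUTH-KEY
 exit
 !
 ! Paste the PEM certificate of the CA that will issue the switch
 ! certificate, and check the fingerprint before accepting it.
 crypto pki authenticate WEBAUTH-TP
 !
 ! Prints the PKCS#10 certificate request (the CSR) to the terminal.
 ! Submit that text to the external CA.
 crypto pki enroll WEBAUTH-TP
 !
 ! Once the CA returns the signed certificate, paste it in PEM form.
 crypto pki import WEBAUTH-TP certificate
 !
 ! Have the HTTPS server present the CA-signed certificate
 ! instead of the self-signed one.
 ip http secure-server
 ip http secure-trustpoint WEBAUTH-TP
end
!
! Confirm the issued certificate and the CA certificate are both installed.
show crypto pki certificates WEBAUTH-TP
```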
