NAC 4.7.2 Certificate validity

talha_490
Level 1

I have a NAC setup that has 1 server and 1 manager. Everything is running and fine.

I am using a self-signed certificate generated by the manager and server. The validity of the certificate is just 3 months. Can I increase the validity of the certificate? I have been working on earlier versions like 4.7.1, 4.6, 4.5; their validity was about 5-10 years.

Is there any other workaround?

Accepted Solution

Faisal Sehbai
Level 7

Talha,

Not a simple way, but you can generate certificates using openssl and install them on the NAC devices.

I'm including the output of my sample run that I just did to give you an idea of what the run would look like. What I typed is in red:

[root@cam ~]# mkdir NewCertDirectory
[root@cam ~]# cd NewCertDirectory
[root@cam NewCertDirectory]# openssl genrsa 1024 > NewPrivateKey.key
Generating RSA private key, 1024 bit long modulus
...........++++++
.............++++++
e is 65537 (0x10001)
[root@cam NewCertDirectory]#
[root@cam NewCertDirectory]# openssl req -new -key NewPrivateKey.key -out NewCertificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:RTP
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco
Organizational Unit Name (eg, section) []:TAC
Common Name (eg, YOUR name) []:www.Your_CAS_Name_Here.com (This is the hostname or the domain name of your CAS for which you're generating the certificate. In case of HA, this would be the name which would resolve to the VIP of the CAS)
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cam NewCertDirectory]#
[root@cam NewCertDirectory]# openssl x509 -req -days 1000 -in NewCertificate.csr -signkey NewPrivateKey.key -out NewCert.crt

Signature ok
subject=/C=US/ST=NC/L=RTP/O=Cisco/OU=TAC/CN=www.Your_CAS_Name_Here.com
Getting Private key

[root@cam NewCertDirectory]# cat NewPrivateKey.key >> NewCert.crt

Now you can take this NewCert.crt file and install it on the NAC devices using the GUI. Use WinSCP to copy the file.

HTH,

Faisal
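The same steps as the run above, made non-interactive with the validity period as a parameter, followed by the checks worth running on the resulting file before it is uploaded through the NAC GUI (correct CN, expected validity, appended key actually belonging to the certificate). This is an added example, not Faisal's script or anything shipped with NAC; it assumes openssl is on the path, uses a 2048-bit key where the run above used 1024, and the DN values and hostname are constructed.

```shell
#!/bin/bash
# Added example: reproduce the thread's openssl procedure non-interactively
# and verify the bundle before installing it on the NAC devices.
set -e

# make_nac_cert OUTDIR CN DAYS
# Produces NewPrivateKey.key, NewCertificate.csr and NewCert.crt in OUTDIR,
# mirroring the thread: self-signed with -signkey, key appended to the .crt.
make_nac_cert() {
  local outdir="$1" cn="$2" days="$3"
  mkdir -p "$outdir"
  # 2048-bit key (assumption: 1024-bit RSA, as in the original run, is no
  # longer accepted by current clients).
  openssl genrsa -out "$outdir/NewPrivateKey.key" 2048 2>/dev/null
  # -subj replaces the interactive DN prompts; CN must be the CAS hostname
  # (or, for HA, the name that resolves to the CAS VIP), as the thread notes.
  openssl req -new -key "$outdir/NewPrivateKey.key" \
    -subj "/C=US/ST=NC/L=RTP/O=Cisco/OU=TAC/CN=$cn" \
    -out "$outdir/NewCertificate.csr"
  # -days is the knob the original question is about.
  openssl x509 -req -days "$days" -in "$outdir/NewCertificate.csr" \
    -signkey "$outdir/NewPrivateKey.key" -out "$outdir/NewCert.crt" 2>/dev/null
  # The thread's final step: certificate and private key in one file.
  cat "$outdir/NewPrivateKey.key" >> "$outdir/NewCert.crt"
}

# cert_cn FILE -> prints the subject CN of the certificate in FILE
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_for_days FILE DAYS -> exit 0 if the certificate will still be
# valid DAYS days from now (catches a mistyped -days before the upload)
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_matches_cert FILE -> exit 0 if the appended private key belongs to the
# certificate in the same file (compares the RSA modulus of both)
key_matches_cert() {
  local cmod kmod
  cmod=$(openssl x509 -in "$1" -noout -modulus)
  kmod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}
```

Run `make_nac_cert NewCertDirectory cas.example.com 1000` and then the three check functions against `NewCertDirectory/NewCert.crt`; any non-zero exit means the bundle should not be uploaded.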


3 Replies


talha_490
Level 1

Thanks Faisal,

The way I did it was by installing the CA Service on AD and importing the certificate.

However, the e-mail is extremely useful for future deployments, and I have not read this in any document. The e-mail is highly valuable.

game123
Level 1

Hi Faisal,

I am stuck with a situation at my client. I was using the standard Perfigo cert and it gave me the same warning as this post mentions, about 30 days, blah blah!

Well, on the link and over the forum I found your suggested solution in "red" about openssl and the steps.

Well, I did it and now have the following queries. Please help us and answer inline!

a> I have 1 NAM and 1 NAS; the version is the latest, 4.7.2. Do I need to execute the OPENSSL steps you described on both boxes? If both boxes, then should the NAS be typed first, or what? Please explain; it would be helpful to all of us needy new NAC engineers.

b> Second question: I tried to type in the commands you said, and while typing the openssl blah blah commands, it didn't accept the command in the line where you described name.csr. I don't know why it said no such command or directory!

c> Can you make a simple PDF document as a resource to all of us and upload it for reference on using OPENSSL for at least a 3-year certificate for NAC boxes? (I know most of us will prefer openssl, since the openssl module comes by default with NAC 4.7.2, and a public CA will be a show stopper for most clients during the production phase.)

Waiting with crossed fingers!

Kamran (a netizen pursuing the CCIE Security cert)
