Cisco Support Community


NAC 4.7.2 Certificate validity

I have a NAC setup that has 1 server and 1 manager. Everything is running fine.

I am using a self-signed certificate generated by the manager and server. The validity of the certificate is just 3 months. Can I increase the validity of the certificate? I have been working on earlier versions like 4.7.1, 4.6, 4.5; there the validity was about 5-10 years.

Is there any other workaround?


Re: NAC 4.7.2 Certificate validity

Talha,

Not a simple way, but you can generate certificates using openssl and install them on the NAC devices.

I'm including the output of my sample run that I just did to give you an idea of what the run would look like. What I typed is in red:

[root@cam ~]# mkdir NewCertDirectory
[root@cam ~]# cd NewCertDirectory
[root@cam NewCertDirectory]# openssl genrsa 1024 > NewPrivateKey.key
Generating RSA private key, 1024 bit long modulus
...........++++++
.............++++++
e is 65537 (0x10001)
[root@cam NewCertDirectory]#
[root@cam NewCertDirectory]# openssl req -new -key NewPrivateKey.key -out NewCertificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:RTP
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco
Organizational Unit Name (eg, section) []:TAC
Common Name (eg, YOUR name) []:www.Your_CAS_Name_Here.com (This is the hostname or the domain name of your CAS for which you're generating the certificate. In case of HA, this would be the name which would resolve to the VIP of the CAS)
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cam NewCertDirectory]#
[root@cam NewCertDirectory]# openssl x509 -req -days 1000 -in NewCertificate.csr -signkey NewPrivateKey.key -out NewCert.crt
Signature ok
subject=/C=US/ST=NC/L=RTP/O=Cisco/OU=TAC/CN=www.Your_CAS_Name_Here.com
Getting Private key
[root@cam NewCertDirectory]# cat NewPrivateKey.key >> NewCert.crt

Now you can take this NewCert.crt file and install it on the NAC devices using the GUI. Use WinSCP to copy the file.

HTH,

Faisal
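A scripted version of the procedure above, added here as an example and not part of Faisal's post or any Cisco documentation. It runs the same four steps (generate key, build CSR, self-sign with `-days`, append the key to the certificate) but with two deliberate changes: a 2048-bit key instead of 1024 (1024-bit RSA is no longer considered adequate), and the CAS hostname also placed in subjectAltName via an extension file, since current browsers and agents ignore the CN. It then checks the result (CN, key size, remaining validity) before anything is uploaded. The hostname, DN values, output paths and the NAC_HOST/NAC_DAYS/NAC_OUT environment overrides are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): scripted self-signed NAC certificate
# with a chosen validity period, plus checks on the result.
set -eu

# make_nac_cert HOST DAYS DIR
# Writes DIR/NewPrivateKey.key, DIR/NewCertificate.csr and DIR/NewCert.crt,
# the last one with the private key appended, as in the original post.
make_nac_cert() {
    host="$1"; days="$2"; dir="$3"
    mkdir -p "$dir"
    umask 077   # key material: owner-readable only
    # 2048-bit key (the original transcript used 1024, which is too weak today)
    openssl genrsa -out "$dir/NewPrivateKey.key" 2048 2>/dev/null
    # -subj replaces the interactive DN prompts; the DN values are placeholders
    openssl req -new -key "$dir/NewPrivateKey.key" -out "$dir/NewCertificate.csr" \
        -subj "/C=US/ST=NC/L=RTP/O=Example/OU=NAC/CN=$host" 2>/dev/null
    # extension file: the CAS hostname (or the HA VIP name) must be in the SAN
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/NewCertificate.csr" \
        -signkey "$dir/NewPrivateKey.key" -extfile "$dir/san.ext" \
        -out "$dir/NewCert.crt" 2>/dev/null
    cat "$dir/NewPrivateKey.key" >> "$dir/NewCert.crt"
}

# cert_cn FILE -> prints the certificate CN (handles old "/CN=" and new "CN = " subject output)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_valid_after_days FILE DAYS -> prints yes if the cert is still valid DAYS from now
cert_valid_after_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# key_bits FILE -> prints the RSA modulus size of the private key
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Demo run; NAC_HOST, NAC_DAYS and NAC_OUT are assumed overrides for this example
out="${NAC_OUT:-./NewCertDirectory}"
make_nac_cert "${NAC_HOST:-cas.example.local}" "${NAC_DAYS:-1000}" "$out"
openssl x509 -in "$out/NewCert.crt" -noout -subject -dates
echo "key: $(key_bits "$out/NewPrivateKey.key") bits, valid in 900 days: $(cert_valid_after_days "$out/NewCert.crt" 900)"
```

Run it as `NAC_HOST=cas.corp.example NAC_DAYS=1095 sh make_nac_cert.sh` for a three-year certificate and upload the resulting NewCert.crt as described in the post. The certificate is still self-signed, so clients will only stop warning once it is trusted on the endpoints; a certificate issued by an internal CA that clients already trust (the AD CA route mentioned later in this thread) avoids that step.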

3 REPLIES



Re: NAC 4.7.2 Certificate validity

Thanks Faisal,

The way I did it was by installing the CA service on AD and importing the certificate.

However, the e-mail is extremely useful for future deployments and I have not read this in any document. The e-mail is highly valuable.


Re: NAC 4.7.2 Certificate validity

Hi Faisal,

I am stuck with a situation at my client. I was using the standard Perfigo cert and it gave me the same warning as this message post, of 30 days, blah blah!

Well, on the link and over the forum I found your suggested solution in "red" about openssl and the steps.

Well, I did it and now have the following queries. Please help us and answer inline!

a> I have 1 NAM and 1 NAS; the version is the latest, 4.7.2. Do I need to execute the OpenSSL steps you described on both boxes? If on both boxes, then should the NAS be typed first, or what? Please explain; it would be helpful to all of us needy new NAC engineers.

b> Second question: I tried to type in the commands you said, and while typing the openssl blah blah commands, it didn't accept the command on the line where you described name.csr. I don't know why; it said no such command or directory!

c> Can you make a simple PDF document as a resource for all of us and upload it for reference on using OpenSSL for at least a 3-year certificate for NAC boxes? (I know most of us will prefer openssl, since the openssl module comes by default with NAC 4.7.2, and a public CA will be a show-stopper for most clients during the production phase.)

Waiting with crossed fingers!

Kamran (a netizen pursuing the CCIE Security cert...)
