Cisco NAC Appliance 4.9.4 Technical Manual

This procedure is used when you do not want to submit the CSR to an off-appliance CA for signing.
It creates a signed certificate with the OpenSSL toolkit on the appliance exclusively; nothing needs
to be submitted to another system or to a commercial CA to generate a signed certificate for the
Profiler system.
The success of this procedure depends on following it exactly as specified. The command syntax is long and
prone to errors. Ensure that you are in the directory specified in the instructions before you execute
each command. The information that makes up the DNs of the CA certificate and of the Certificate Signing
Request (country, state, city, server name, and so on) must be entered identically (it is case sensitive),
so make notes as you complete the steps to ensure that the process goes smoothly.
Initiate an SSH or console session to the NPS appliance and elevate to root access. For HA systems,
ensure that you are on the Primary system by initiating an SSH to the VIP.
Before OpenSSL is used for the first time, the file structure that OpenSSL relies on must be initialized.
Complete these steps to initialize OpenSSL and create the certificates:
1. Change the directory to /etc/pki/CA with this command:
   cd /etc/pki/CA/
   Create a new directory called newcerts and an empty index file with these commands:
   mkdir newcerts
   touch index.txt
2. Use vi to create a new file named serial, insert 01 in the file, and commit the changes (:wq!).
3. Change to the certificates directory:
   cd /etc/pki/tls/certs
4. Generate a new private key for the system with this command:
   openssl genrsa -out profilerFQDN.key 1024
   (where 'profilerFQDN' is replaced with the Fully Qualified Domain Name of the NPS appliance when
   it is deployed standalone; for HA systems, the FQDN of the VIP must be used).
   If the Profiler system is not in DNS, the IP address of the server (VIP) can be used instead of the
   FQDN, but the certificate is then tied to this IP address, so the IP must be used in the URL (that
   is, https://10.10.0.1/profiler) to avoid certificate warnings.
5. Generate a CA certificate to use to generate the Server certificate. This command creates a 3-year
   CA certificate from the key generated in step #4:
   openssl req -new -x509 -days 1095 -key profilerFQDN.key -out cacert.pem
   You are prompted for several attributes that are incorporated into the certificate request and form
   the Distinguished Name (DN) of the CA certificate. For some of these items a default value is
   suggested (in []). Enter the desired value for each parameter of the DN, or '.' to skip the item.
   Be sure to make a note of the DN parameters used in this step: they must be identical to those
   specified when the Certificate Signing Request for the Server certificate is generated in step #7.
6. Move the CA certificate created in the last step to the required directory:
   mv cacert.pem /etc/pki/CA
7. Generate a Certificate Signing Request for the Profiler system with the new private key:
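The following script is an added example and is not part of the Cisco manual. It runs the key, CA certificate and CSR commands from the procedure above non-interactively, using -subj so that the DN is typed once instead of being re-entered at each prompt, and then checks the condition the manual stresses: the DN of the CA certificate and the subject of the CSR must be identical, and both must belong to the same private key. It assumes openssl is on PATH; the DN values and FQDN are constructed placeholders, a scratch directory stands in for /etc/pki so the script runs without root, and it uses a 2048-bit key because 1024-bit RSA (the manual's value) is below current minimums.

```shell
#!/bin/sh
# Added example; not from the Cisco manual. It runs the manual's key, CA certificate
# and CSR steps non-interactively and then checks the constraint the manual stresses:
# the DN of the CA certificate and the subject of the CSR must be identical.
# Assumptions: openssl is on PATH; the DN values and FQDN below are constructed
# placeholders, and a scratch directory stands in for /etc/pki so the script runs
# without root.

# Constructed DN fields (case sensitive, exactly as the manual requires).
C="US"; ST="California"; L="San Jose"; O="Example Corp"; OU="NAC"
FQDN="profiler.example.com"              # placeholder for the appliance or VIP FQDN
DN="/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=$FQDN"

# gen_ca_and_csr DIR: initialize the CA state files (newcerts/, index.txt, serial),
# then write DIR/profiler.key, DIR/cacert.pem (3-year CA cert) and DIR/profiler.csr.
gen_ca_and_csr() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    # 2048-bit key: 1024-bit RSA (the manual's value) is below current minimums.
    openssl genrsa -out "$dir/profiler.key" 2048 2>/dev/null
    # -subj replaces the interactive DN prompts, so both DNs come from one variable.
    openssl req -new -x509 -days 1095 -key "$dir/profiler.key" \
        -subj "$DN" -out "$dir/cacert.pem"
    openssl req -new -key "$dir/profiler.key" -subj "$DN" -out "$dir/profiler.csr"
}

# subject_of FILE CMD: print the subject of a certificate (CMD=x509) or request
# (CMD=req) in RFC 2253 form, with the "subject=" label stripped for comparison.
subject_of() {
    openssl "$2" -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# verify_dn_match DIR: succeed only if the CA certificate and the CSR carry the same
# subject and were produced from the same private key (compared by RSA modulus).
verify_dn_match() {
    dir="$1"
    ca_subj=$(subject_of "$dir/cacert.pem" x509)
    csr_subj=$(subject_of "$dir/profiler.csr" req)
    if [ "$ca_subj" != "$csr_subj" ]; then
        echo "DN mismatch: CA '$ca_subj' vs CSR '$csr_subj'" >&2
        return 1
    fi
    key_mod=$(openssl rsa -in "$dir/profiler.key" -noout -modulus)
    ca_mod=$(openssl x509 -in "$dir/cacert.pem" -noout -modulus)
    csr_mod=$(openssl req -in "$dir/profiler.csr" -noout -modulus)
    if [ "$key_mod" != "$ca_mod" ] || [ "$key_mod" != "$csr_mod" ]; then
        echo "key mismatch between profiler.key, cacert.pem and profiler.csr" >&2
        return 1
    fi
    echo "OK: CA and CSR share subject '$ca_subj' and the same key"
}

WORK=$(mktemp -d)
gen_ca_and_csr "$WORK"
verify_dn_match "$WORK"
```

Run verify_dn_match before the CA signs the CSR: a mismatch in any DN field, or a CSR generated against a different key file, is caught here rather than surfacing later as a certificate the Profiler rejects. On the appliance itself the manual's paths (/etc/pki/CA and /etc/pki/tls/certs) replace the scratch directory.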