CLEANACCESS Archives

July 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: "Stempien, Dave" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Wed, 9 Jul 2008 19:05:46 -0400

It's not a requirement to generate a CSR from the CAM itself.  You can do
this from any Unix/Linux/MacOS machine using OpenSSL:

Create a host.key file (private key) using openssl or download it from the
CAM.

Then, from within the same directory as the host.key, create the CSR as
follows, answering the questions as relevant to your CAM:

openssl req -new -nodes -key host.key -out host.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Rochester
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Rochester
Organizational Unit Name (eg, section) []:NCS/Telecommunications Division
Common Name (eg, YOUR name) []:netauth2.urmc-sh.rochester.edu
Email Address []:[log in to unmask]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Medical Center ISD

I typically don't enter a challenge password.

Save the host.key and CSR to a safe place, and submit the host.csr CSR file
to your CA for signing.  Once you receive your signed CA, import it and your
host.key (private key) back into the CAM.  No downtime is necessary.

NOTE:  We use DigiCert as our CA, and they're an intermediate CA to Entrust.
So, it's necessary to append the Entrust root CA to the signed CA before
importing into the CAM (this is called a chain of trust).  It's just text,
so copy and paste the root CA into the signed CA.  If you are using one of
the major CAs, this step isn't necessary.

NOTE2:  Use the same host.key for all certs you register in case you need to
reference it again in the future (after a CAM failure, for example) -- this
is way easier to remember than trying to juggle and match different host
keys.

NOTE3:  Don't request a wildcard cert -- they don't work with CCA AFAIK.

-- 
Dave Stempien, Network Security Engineer
University of Rochester Medical Center
Information Systems Division
(585) 784-2427 



>> Hi all -
>> 
>> Ok, my cert problem is continuing. What it looks like is that I need
>> to generate a new temporary cert to request the new cert. Does anyone
>> know that, if I do that, it will break the current cert I have
>> running? I'm betting it will but I have to ask.
>> 
>> - Sean
>> 
>> ----
>> 
>> Sean Hennessey
>> 
>> Networking and Information Security Systems Administrator
>> 
>> The University of Portland
>> 
