- Chapter 1: Cisco Prime Infrastructure Overview
- Chapter 2: Getting Started
- Chapter 3: Configuring Security Solutions
- Chapter 4: Performing Maintenance Operations
- Chapter 5: Monitoring Devices
- Chapter 6: Monitoring Maps
- Chapter 7: Managing User Accounts
- Chapter 8: Configuring Mobility Groups
- Chapter 9: Configuring Devices
- Chapter 10: Managing Clients
- Chapter 11: Using Templates
- Chapter 12: Configuring FlexConnect
- Chapter 13: Alarm and Event Dictionary
- Chapter 14: Reports
- Chapter 15: Performing Administrative Tasks
- Chapter 16: Prime Infrastructure Services
- Chapter 17: Tools
- Chapter 18: wIPS Policy Alarm Encyclopedia
- Appendix A: Troubleshooting and Best Practices
- Appendix B: Cisco Prime Infrastructure Server Hardening
- Appendix C: Certificate Signing Request (CSR) Generation for a Third-Party Certificate on Cisco Prime Infrastructure
Cisco Prime Infrastructure Classic View Configuration Guide for Wireless Devices, Release 2.2
- Updated:
- June 7, 2016
Chapter: Appendix C: Certificate Signing Request (CSR) Generation for a Third-Party Certificate on Cisco Prime Infrastructure
- Prerequisites
- Certificate Signing Request (CSR)
- Generating a Certificate Signing Request (CSR) File
- Get a Signed Certificate for CSR from Microsoft Certificate Authority (CA)
- Importing a Certificate Authority (CA) Certificate and Key
- Viewing the list of Certificates
- Deleting Certificates
- Related Publications
Certificate Signing Request (CSR) Generation for a Third-Party Certificate on Cisco Prime Infrastructure
This appendix describes how to generate a Certificate Signing Request (CSR) to obtain a third-party certificate with Cisco Prime Infrastructure and how to import the certificate into Prime Infrastructure. It contains the following sections:
- Prerequisites
- Certificate Signing Request (CSR)
- Generating a Certificate Signing Request (CSR) File
- Get a Signed Certificate for CSR from Microsoft Certificate Authority (CA)
- Importing a Certificate Authority (CA) Certificate and Key
- Viewing the list of Certificates
- Deleting Certificates
- Related Publications
Prerequisites
Ensure that you meet these requirements before you attempt this configuration:
- Knowledge of how to install and configure Prime Infrastructure for basic operation
- Knowledge of self-signed and digital certificates, and other security mechanisms related to Public Key Infrastructure (PKI)
For more information about the supported hardware, see the Prime Infrastructure release notes at the following URL:
http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-infrastructure/products-release-notes-list.html
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Certificate Signing Request (CSR)
A certificate is an electronic document that you use to identify a server, a company, or some other entity and to associate that identity with a public key.
A self-signed certificate is an identity certificate that is signed by its own creator. That is, the person who created the certificate also signed off on its legitimacy.
Certificates can be self-signed or can be attested by a digital signature from a certificate authority (CA).
CAs are entities that validate identities and issue certificates. The certificate issued by the CA binds a particular public key to the name of the entity that the certificate identifies, such as the name of a server or device. Only the public key that the certificate certifies works with the corresponding private key possessed by the entity that the certificate identifies. Certificates help prevent the use of fake public keys for impersonation.
A CSR is a message that an applicant sends to a CA to apply for a digital identity certificate. Before a CSR is created, the applicant first generates a key pair, which keeps the private key secret. The CSR contains information that identifies the applicant, such as a directory name in the case of an X.509 certificate, and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request.
The CSR can be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority can contact the applicant for further information. For the most part, a third-party CA company, such as Entrust or VeriSign, requires a CSR before the company can create a digital certificate.
CSR generation is independent of the device on which you plan to install an external certificate. Therefore, a CSR and a private key file can be generated on any individual machine which supports CSR generation. CSR generation is not switch-dependent or appliance-dependent in this case.
This appendix describes how to generate a CSR for a third-party certificate using the Cisco Prime Infrastructure.
Generating a Certificate Signing Request (CSR) File
An SSL certificate can be obtained from a third party. To set up this support, you must:
1.
Generate a Certificate Signing Request file.
2. Submit the signing request to a Certificate Authority you choose.
3. Apply the signed Security Certificate file to the server.
Step 1 Generate a Certificate Signing Request (CSR) file for the Prime Infrastructure server:
a. At the Prime Infrastructure appliance, exit to the command line.
b. At the command line, log in using the administrator ID and password used to install Prime Infrastructure.
c. Enter the following command to generate the CSR file in the default backup repository:
- ncs key genkey -newdn -csr CertName .csr repository RepoName
– CertName is an arbitrary name of your choice (for example: MyCertificate.csr).
– RepoName is any previously configured backup repository (for example: defaultRepo).
Step 2 Copy the CSR file to a location you can access. For example:
copy disk:/ RepoName / CertName .csr ftp://your.ftp.server
Step 3 Send the CSR file to a Certificate Authority (CA) of your choice.
Note Once you have generated and sent the CSR file for certification, do not use the genkey command again to generate a new key on the same Prime Infrastructure server. If you do, importing the signed certificate file will result in mismatches between keys in the file and on the server.
Step 4 You will receive a signed certificate file with the same filename, but with the file extension CER, from the CA. Before continuing, ensure:
Step 5 At the command line, copy the CER file to the backup repository. For example:
- copy ftp://your.ftp.server/ CertName .cer disk: RepoName
Step 6 Import the CER file into the Prime Infrastructure server using the following command:
- ncs key importsignedcert CertName .cer repository RepoName
Step 7 Restart the Prime Infrastructure server by issuing the following commands in this order:
Step 8 If the Certificate Authority who signed the certificate is not already a trusted CA: Instruct users to add the certificate to their browser trust store when accessing the Prime Infrastructure login page.
Get a Signed Certificate for CSR from Microsoft Certificate Authority (CA)
You must take the CSR, load it into the Microsoft CA, and have it signed as an Internet certificate. Once you do this, you get a new *.csr file that shows a path where the Microsoft CA is the trusted root and not the Prime Infrastructure. Complete these steps in order to submit the CSR to CA if your CA is a Windows 2008 Server.
Step 1 Open the CSR file you downloaded in to Notepad and copy the entire contents including the ---BEGIN CERTIFICATE --- and ---END CERTIFICATE -- lines.
Step 2 Go to http://<certificate server address>/certsrv in order to open the Certificates Server web page.
Step 3 Enter your username and password.
Step 4 Click Request a certificate.
The Request a Certificate web page appears.
Step 5 Click the advanced certificate request link.
The Submit a Certificate Request or Renewal Request web page appears.
Step 6 Paste the content you copied in Step1 into the Saved Request field, choose Web Server in the Certificate Template drop-down list, and click Submit.
Step 7 On the Certificate Issued web page, click the DER encoded radio button, and then click Download certificate.
Step 8 Save the file to your local computer.
Importing a Certificate Authority (CA) Certificate and Key
Step 1 At the command line, log in using the administrator ID and password and enter the following command:
ncs key importcacert aliasname ca-cert-filename repository repositoryname
Step 2 To import an RSA key and signed certificate to Prime Infrastructure, enter the following command in admin mode:
ncs key importkey key-filename cert-filename repository repositoryname
Step 3 Restart the Prime Infrastructure server by issuing the following commands in this order:
Viewing the list of Certificates
To list all the CA certificates that exist in Prime Infrastructure trust store, use Prime Infrastructure key listcacerts command.
This example shows how to list all the CA certificates exist in Prime Infrastructure trust store:
Deleting Certificates
To delete CA certificates that exist in Prime Infrastructure trust store, use Prime Infrastructure key deletecacert command.
ncs key deletecacert aliasname
This example shows how to delete CA certificates exist in Prime Infrastructure trust store:
Related Publications
For more information about Prime Infrastructure, see the following URL:
http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-infrastructure/tsd-products-support-series-home.html
Feedback