NAC RADIUS certificate generation with Windows CA

  • Question
  • Updated 2 years ago
  • Answered
I'd like to generate a new RADIUS certificate for my NAC using my Windows CA.
I can't find my notes from 2 years ago and am stuck again - I had a hard time last time getting it right.
Is there anyone who could share a step-by-step guide?

So far I've done the following:
- ssh to the NAC
openssl genrsa 2048 | openssl pkcs8 -topk8 -out nacvienna.key
openssl req -new -reqexts server_auth -key nacvienna.key -out nacvienna.csr

On my Windows CA I open a browser to generate the user certificate.
But I'm not sure which format to use and how to export it.

Ronald Dvorak, Embassador

Posted 2 years ago


Keene, Scott, Employee NMS/GTAC

Hi Ron,

Some of this information is in NetSight's Help, so here are two articles you can review, although it looks like you went through these steps already:

As for the Windows CA, your certificate enrollment looks to be web enrollment.  You need to make sure the templates listed there will provide the EKU needed for RADIUS.  What do you see there for cert templates?  The required EKUs are listed in the Help and I believe in the articles above.  These pertain to PEAP vs TLS, for example.

Scott Keene
Michael Kirchner

Hi Ron,

A little addition to Scott's post.

For your RADIUS Server you need a server certificate Template on your Windows CA with the Extended Key Usage "ServerAuth" (e.g. Web Server). I assume the CA is running as an Enterprise CA (Active Directory integrated). As format use Base64.

Web Enrollment Interface: https://<CA>/certsrv

Best Regards


Darin Seiler

We just went through this process a month ago. Here are our documented steps:

Generate a server private key
Log in as root to the NAC using PuTTY.  Run the following two commands:

openssl genrsa 2048 | openssl pkcs8 -topk8 -out server.key
openssl req -new -reqexts server_auth -key server.key -out server.csr

Create a certificate signing request
Using WinSCP, log in as root.  Copy the server.csr and server.key files from the NAC to your local computer.
• Open your browser and go to http://<PKIWindowsServer>/certsrv/
• Request a certificate
• Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
• Copy the contents of server.csr into the Saved Request box; ensure there are no extra blank lines.
• Choose your NAC profile in the Certificate Template box.
• Click the Submit button.
• Download the entire certificate chain
  - If downloading times out through the web browser (we opened a Microsoft support case because ours did), you can open the MMC on the Windows PKI server, add the Certificates snap-in and do a certificate export there (if you need more detailed steps on this, let me know).
Install certificate chain on the NAC
Log into the NAC Manager
• In NAC Manager, select the All NAC Appliances folder in the left-panel tree. In the right-panel NAC Appliances tab, right-click on the desired appliance and select Manage Appliance Certificates. The Manage Appliance Certificates window opens.
• Click the Update Certificate button for the RADIUS certificate you wish to replace. The Server Certificate window for that certificate will open.
• In the Private Key section, provide a file containing the private key that corresponds to the certificate. It must be encoded as a PKCS #8 file. Enter the path name of the file or use the Browse button to navigate to the file. If the file is encrypted with a password, check the password box and supply the password in the field.
• In the Certificate Files section, use the Add Files button to add one or more certificate files as provided by the certificate authority. This includes the server certificate, as well as any intermediate or chained certificates. You can multi-select files in the file chooser window, and the files can be added in any order.
• Click OK. You will see a confirmation window listing your file information so that you can confirm that the information you have provided is correct. Click Yes to proceed with the certificate replacement. The private key and server certificate will be updated in the appliance configuration in the NetSight database.
• Repeat the process for the AAA Trusted Certificate Authorities.  Add the entire certificate chain and then remove the server certificate.  There should be two CA certificates remaining.
• Enforce the appliance to deploy the new private key and server certificate. When enforced, the server's secure ports will be offline for 15 seconds to reload the certificate.
• You have now replaced the RADIUS server certificate; the RADIUS server on the appliance will be restarted automatically to load the new certificate.

Verify the Contents of the Server Certificate

It is important to verify that the new server certificate contains the data you supplied when creating the CSR. In particular, make sure the Common Name (CN) is the fully qualified host name of the NAC appliance.
Use OpenSSL to view the contents of the server certificate file server.crt using the following command:
openssl x509 -in server.crt -text -noout
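The whole procedure above, condensed into a script you can run on a workstation, as an added example that is neither Darin's nor Extreme's code. It repeats the key/CSR commands from the question and from the steps above but supplies the server_auth extension section explicitly (the appliance's openssl.cnf has one, a laptop's usually does not), stands in for the Windows CA with a throw-away two-level OpenSSL CA so that it runs offline, splits the PKCS#7 chain that certsrv hands back into the separate server and CA files NAC Manager wants, and checks the issued certificate for the things that go wrong in practice: a key that does not match, a template that did not grant the serverAuth EKU, a CN that is not the appliance FQDN, and a chain that does not verify up to the root. The FQDN nacvienna.example.com, the CA names and the working directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: key/CSR with an explicit server_auth
# section, a throw-away CA standing in for the Windows CA, and pre-upload checks.
# nacvienna.example.com, "Lab Root CA" and "Lab Issuing CA" are assumed names.
set -eu
WORK="${WORK:-$(mktemp -d)}"
NAC_FQDN="${NAC_FQDN:-nacvienna.example.com}"   # CN must be the appliance FQDN

# 1. Key and CSR. "-reqexts server_auth" needs a [server_auth] section in the
#    OpenSSL config, so write one rather than relying on /etc/ssl/openssl.cnf.
make_csr() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $NAC_FQDN
[server_auth]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$NAC_FQDN
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # PKCS#8 is what the NAC Manager private-key field expects; -nocrypt keeps the
    # demo key unencrypted (without it: password prompt, tick the password box).
    openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -nocrypt -out "$WORK/server.key"
    openssl req -new -config "$WORK/req.cnf" -reqexts server_auth \
        -key "$WORK/server.key" -out "$WORK/server.csr"
}

# 2. Stand-in for the Windows CA: root + issuing CA, like an enterprise PKI, which
#    is why two CA certificates end up in the AAA trusted list. Demo only.
make_stub_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Lab Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Lab Issuing CA" -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/req.cnf" -extensions ca_ext \
        -out "$WORK/issuing.crt" 2>/dev/null
    # The template ("Web Server") supplies the EKU on a real CA; same effect here.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/issuing.crt" -CAkey "$WORK/issuing.key" \
        -CAcreateserial -days 30 -extfile "$WORK/req.cnf" -extensions server_auth \
        -out "$WORK/server.crt" 2>/dev/null
    # certsrv's "Download entire certificate chain" hands back a PKCS#7; build the same.
    openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" -certfile "$WORK/issuing.crt" \
        -certfile "$WORK/root.crt" -out "$WORK/chain.p7b"
}

# 3. One PEM per certificate (add -inform DER for a binary .p7b), sorted into CA
#    certificates vs the server certificate: the "add the chain, then remove the
#    server certificate" step for the AAA Trusted Certificate Authorities.
split_chain() {
    openssl pkcs7 -in "$1" -print_certs -out "$WORK/chain.pem"
    awk -v dir="$WORK" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" n ".pem"; p = 1 }
        p { print > f }
        /^-----END CERTIFICATE-----/ { p = 0; close(f) }' "$WORK/chain.pem"
    : > "$WORK/ca-list.txt"; : > "$WORK/leaf-list.txt"
    for f in "$WORK"/chain-*.pem; do
        if openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
            echo "$f" >> "$WORK/ca-list.txt"
        else
            echo "$f" >> "$WORK/leaf-list.txt"
        fi
    done
}
ca_cert_count()   { wc -l < "$WORK/ca-list.txt" | tr -d ' '; }
leaf_cert_count() { wc -l < "$WORK/leaf-list.txt" | tr -d ' '; }

# 4. Checks before uploading: matching key, serverAuth EKU, correct CN, and a
#    chain that verifies up to the root you are about to trust.
check_issued_cert() {
    cert="$1"; key="$2"; fqdn="$3"
    [ "$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)" = \
      "$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)" ] \
        || { echo "certificate does not match $key"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "no serverAuth EKU: wrong template"; return 1; }
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn" \
        || { echo "CN is not $fqdn"; return 1; }
}
verify_chain() {
    root=""; inter="$WORK/intermediates.pem"; : > "$inter"
    for f in $(cat "$WORK/ca-list.txt"); do   # self-signed one is the root
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        if [ "$subj" = "$iss" ]; then root="$f"; else cat "$f" >> "$inter"; fi
    done
    openssl verify -CAfile "$root" -untrusted "$inter" "$1" >/dev/null 2>&1
}

make_csr
make_stub_ca
split_chain "$WORK/chain.p7b"
check_issued_cert "$WORK/server.crt" "$WORK/server.key" "$NAC_FQDN"
verify_chain "$WORK/server.crt"
echo "server certs: $(leaf_cert_count), CA certs for the AAA trusted list: $(ca_cert_count)"
openssl x509 -in "$WORK/server.crt" -noout -subject -issuer
```

Against a real Windows CA only steps 1, 3 and 4 apply: run make_csr on the appliance (or keep the appliance's own openssl.cnf and drop -config), paste server.csr into certsrv, save the chain as Base64 and feed it to split_chain; check_issued_cert failing on the EKU line means the template was wrong, which no amount of re-exporting will fix.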