We just went through this process a month ago. Here are our documented steps:
Generate a server private key
Login as root to NAC using putty. Run the following two commands:
openssl genrsa 2048 | openssl pkcs8 -topk8 -out server.key
openssl req -new -reqexts server_auth -key server.key -out server.csr
Create a certificate signing request
Using WinSCP, login using root. Copy the server.csr and server.key file to your local computer from the NAC.
• Open your browser and go to http:///certsrv/
• Request a certificate
• Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
• Copy the contents of the server.csr into the saved request box; ensure there are no extra blank lines.
• Choose your NAC profile in the Certificate Template Box.
• Click the Submit Button.
• Download the entire certificate chain
- If downloading times out through the web browser (we opened a Microsoft support case because ours did), you can open the MMC on the Windows PKI server, add Certificates, and do a certificate export there (if you need more detailed steps on this, let me know).
Install certificate chain on the NAC
Log into the NAC Manager
• In NAC Manager, select the All NAC Appliances folder in the left-panel tree. In the right-panel NAC Appliances tab, right-click on the desired appliance and select Manage Appliance Certificates. The Manage Appliance Certificates window opens.
• Click the Update Certificate button for the RADIUS certificate you wish to replace. The Server Certificate window for that certificate will open.
• In the Private Key section, provide a file containing the private key that corresponds to the certificate. It must be encoded as a PKCS #8 file. Enter the path name of the file or use the Browse button to navigate to the file. If the file is encrypted with a password, check the password box and supply the password in the field.
• In the Certificate Files section, use the Add Files button to add one or more certificate files as provided by the certificate authority. This includes the server certificate, as well as any intermediate or chained certificates. You can multi-select files in the file chooser window, and the files can be added in any order.
• Click OK. You will see a confirmation window listing your file information so that you can confirm that the information you have provided is correct. Click Yes to proceed with the certificate replacement. The private key and server certificate will be updated in the appliance configuration in the NetSight database.
• Repeat the process for the AAA Trusted Certificate Authorities. Add the entire certificate chain and then remove the server certificate. There should be two CA certificates remaining.
• Enforce the appliance to deploy the new private key and server certificate. When enforced, the server's secure ports will be offline for 15 seconds to reload the certificate.
• You have replaced the RADIUS Server certificate; the RADIUS server on the appliance will be restarted automatically to load the new certificate.
You may verify the contents of the server certificate
It is important to verify that the new server certificate contains the data you supplied when creating the CSR. In particular, make sure the Common Name (CN) is the fully qualified host name of the NAC appliance.
Use OpenSSL to view the contents of the server certificate file server.crt using the following command:
openssl x509 -in server.crt -text -noout
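
A pre-upload check for the files produced by the steps above, as an added example that is not part of the original post: it confirms that server.key is PKCS #8, that it belongs to server.crt, and that the CN is the expected host name. The host name nac.example.test, the function names and the generated sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks to run on
# server.key / server.crt before uploading them in NAC Manager.

# PKCS #8 PEM keys start with "BEGIN PRIVATE KEY" or "BEGIN ENCRYPTED PRIVATE KEY";
# a traditional RSA key ("BEGIN RSA PRIVATE KEY") is not PKCS #8.
is_pkcs8() {
    grep -Eq '^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# True when the public key derived from the private key equals the one in the cert.
# $3 is an optional openssl -passin spec (e.g. file:pw.txt) for an encrypted key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Print the certificate's Common Name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# check_nac_cert KEY CERT FQDN [PASSIN]: run all checks, non-zero on any failure.
check_nac_cert() {
    rc=0
    is_pkcs8 "$1" || { echo "FAIL: $1 is not PKCS #8"; rc=1; }
    key_matches_cert "$1" "$2" "$4" || { echo "FAIL: key does not match certificate"; rc=1; }
    [ "$(cert_cn "$2")" = "$3" ] || { echo "FAIL: CN is not $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 matches $1 and CN=$3"
    return "$rc"
}

# Constructed sample: self-signed cert for the hypothetical host nac.example.test,
# key generated as in the post but unencrypted (-nocrypt) so nothing prompts.
make_sample() {
    openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -nocrypt -out "$1/server.key" &&
    openssl req -new -x509 -key "$1/server.key" -subj "/CN=nac.example.test" \
        -days 1 -out "$1/server.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample "$tmp" &&
    check_nac_cert "$tmp/server.key" "$tmp/server.crt" nac.example.test
rm -rf "$tmp"
```

Against real files, call check_nac_cert with the key, the issued certificate and the appliance's fully qualified host name; for a password-protected key, pass an openssl -passin value as the fourth argument.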