Generate Csr With Public Key

Posted on by
Generate Csr With Public Key Average ratng: 4,2/5 6801 votes

Introduction

This document describes the procedure to generate certificates which have to be uploaded with every fresh installation of AMP Virtual Private Cloud (VPC). With the introduction of AMP Private Cloud 3.X, hostnames and certificate/key pairs are required for all of the following services:

It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification. To install the public key, Log into the server, edit the authorizedkeys file with your favorite editor, and cut-and-paste the public key output by the above command to the authorizedkeys file. Save the file. Configure PuTTY to use your private key file (here keyfile.ppk). Then test if login works.

  • Administration Portal
  • Authentication (new in Private Cloud 3.X)
  • FireAMP Console
  • Disposition Server
  • Disposition Server - Extended Protocol
  • Disposition Update Service
  • Firepower Management Center

Here, we will discuss a quick way to generate and upload the required certificates. You may tweak each of the parameters, including the hashing algorithm, key size, and others, as per your organization's policy, and your mechanism of generating these certificates might not match with what is detailed here.

Prerequisites

Components Used

Generate Csr With Public Key Largo

Cisco recommends that you have knowledge of these topics:

  • Windows Server 2008 onwards
  • AMP Private Cloud installation
  • Public Key Infrastructure

Requirements

The information in this document is based on these software and hardware versions:

  • Windows Server 2008
  • CentOS 7
  • AMP Virtual Private Cloud 3.0.2

Warning: The procedure mentioned below can vary as per your CA server configuration. It is expected that the CA server of your choice is already provisioned and the configuration of the same has been completed. The following technote just describes an example of generating the certificates and Cisco TAC will not be involved in troubleshooting issues related to certificate generation and/or CA server issues of any kind.

Generate Certificates on Window Server

Ensure that the following roles are installed and configured on your Windows Server.

  • Active Directory Certificate Services
  • Certification Authority
  • Certification Authority Web Enrollment
  • Online Responder
  • Certificate Enrollment Web Service
  • Certificate Enrollment Policy Web Service
  • Active Directory Domain Services
  • DNS Servers
  • Web Server (IIS)

Generate a Certificate Signing Request (CSR)

Step 1. Navigate to MMC console, and add the Certificates snap-in for your computer account as shown in the image here.

Step 2. Drill down Certificates (Local Computer) > Personal > Certificates.

Step 3. Right click on the empty space and select All Tasks > Advanced Operations > Create Custom Request

Step 4. Click Next at the Enrollment window.

Step 5. Select your certificate enrollment policy and click Next.

Generate Csr With Public Keyboard

Step 6. Choose the template as Web Server and click Next.

Step 7. If your 'Web Server' template has been configured correctly and is available for enrollment, you will see the status as 'Available' here. Click 'Details' to expand click on Properties.

Step 8. At a minimum, add the CN and DNS attributes. The rest of the attributes can be added as per your security requirements.

Step 9. Optionally, give a Friendly Name under the General tab.

Step 10. Click on the PrivateKey tab and ensure that you're enabling Make private key exportable under the Key Options section.

Step 11. Finally, click on OK. This should lead you to the Certificate Enrollment dialog from where you can click on Next.

Step 12. Browse to a location to save the .req file which will be submitted to the CA server for signing.

Submitting the CSR to the CA and generating the certificate

Step 1. Navigate to your MS AD Certificate Services Web Page as below and click 'Request a Certificate'

Step 2. Click on the advanced certificate request link.

Step 3. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Step 4. Open the contents of the previously saved .req file (CSR) via Notepad. Copy the contents and paste it here. Ensure that the Certificate Template is selected as Web Server

Step 5. Finally, click on Submit.

Step 6. At this point, you should be able to Download the certificate as shown in the image here.

Exporting the Private Key and converting to PEM format

Step 1. Install the certificate into your Certificate Store by opening the .cer file and clicking on Install Certificate.

Step 2. Navigate to the MMC snap-in that was selected earlier.

Step 3. Navigate to the store where the certificate was installed.

Step 4. Right click the correct certificate, select All Tasks > Export.

Step 5. At the Certificate Export Wizard, confirm to export the private key as shown in the image.

Step 6. Enter a password and click Next to save the private key on your disk.

Step 7. This will save the private key in .PFX format, however, this needs to be converted to .PEM format to use this with AMP VPC.

Step 8. Install OpenSSL libraries from here:https://wiki.openssl.org/index.php/Binaries

Step 9. Open a command prompt window and change to the directory where you installed OpenSSL.

Step 10. Run the following command to extract the private key and save it to a new file: (If your PFX file is not in the same path as where the OpenSSL library is stored, you will have to specify the exact path along with the filename)

Step 11. Now run the following command to also extract the public cert and save it to a new file:

Generate Certificate on Linux Server

Ensure that the Linux server that you're trying to generate the required certificates has the OpenSSL libraries installed. Verifying if this and the procedure listed below will vary from the Linux distribution that you're running. This portion has been documented, as done on a CentOS 7 server.

Generate Self Signed RootCA

Step 1. Generate the Private Key for Root CA certificate

Step 2. Generate the CA certificate

Generate a certificate for each service

Create the certificate for Authentication, Console, Disposition, Disposition-Extended, Update server, Firepower Management Center(FMC) service as per the DNS name entry. You need to repeat below certificate generate process for each service (Authentication, Console etc.)

Generate Private key

Replace the <example.key> with actual certificate key such as Auth-Cert.key.

Generate CSR

Replace the <example.csr> with actual certificate CSR such as Auth-Cert.csr

Generate Certificate

Replace <example.csr>, <example.crt> with actual certificate CSR and certificate name

Adding The Certificates to AMP VPC

Step 1. Once the certificates are generated from any of the above methods, upload the corresponding certificate for each of the services. If they have been generated correctly, all the check marks are enabled as seen in the image here.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Important: This example is intended to provide general guidance to IT professionals who are experienced with SSL requirements and configuration. The procedure described in this article is just one of many available methods you can use to generate the required files. The process described here should be treated as an example and not as a recommendation.

When you configure Tableau Server to use Secure Sockets Layer (SSL) encryption, this helps ensure that access to the server is secure and that data sent between Tableau Server and Tableau Desktop is protected.

Looking for Tableau Server on Linux? See Example: SSL Certificate - Generate a Key and CSR.

Tableau Server uses Apache, which includes OpenSSL. You can use the OpenSSL toolkit to generate a key file and Certificate Signing Request (CSR) which can then be used to obtain a signed SSL certificate. /little-snitch-3-license-key-generator-mac.html.

Steps to generate a key and CSR

To configure Tableau Server to use SSL, you must have an SSL certificate. To obtain the SSL certificate, complete the steps:

  1. Generate a key file.
  2. Create a Certificate Signing Request (CSR).
  3. Send the CSR to a certificate authority (CA) to obtain an SSL certificate.
  4. Use the key and certificate to configure Tableau Server to use SSL.

You can find additional information on the SSL FAQ page on the Apache Software Foundation website.

Configure a certificate for multiple domain names

Tableau Server allows SSL for multiple domains. To set up this environment, you need to modify the OpenSSL configuration file, openssl.conf, and configure a Subject Alternative Name (SAN) certificate on Tableau Server. See For SAN certificates: modify the OpenSSL configuration file below.

Set the OpenSSL configuration environment variable (optional)

To avoid using the -config argument with every use of openssl.exe, you can use the OPENSSL_CONF environment variable to ensure that the correct configuration file is used and all configuration changes made in subsequent procedures in this article produce expected results (for example, you must set the environment variable to add a SAN to your certificate).

Open the Command Prompt as an administrator, and run the following command:

set OPENSSL_CONF=c:Program FilesTableauTableau Serverpackagesapache.<version_code>confopenssl.cnf

Notes:

  • When setting the Open SSL configuration environment variable, do not enclose the file path with quotation marks.

  • If you are using a 32-bit version of Tableau Server on a 64-bit computer, run the set OPENSSL_CONF=c:Program Files (x86)TableauTableau Serverpackagesapache.<version_code>confopenssl.cnf command instead.

Generate a key

Generate a key file that you will use to generate a certificate signing request.

  1. Open the Command Prompt as an administrator, and navigate to the Apache directory for Tableau Server. For example, run the following command:

    cd C:Program FilesTableauTableau Serverpackagesapache.<version_code>bin

  2. Run the following command to create the key file:

    openssl.exe genrsa -out <yourcertname>.key 4096

    Note: This command uses a 4096-bit length for the key. You should choose a bit length that is at least 2048 bits because communication encrypted with a shorter bit length is less secure. If a value is not provided, 512 bits is used.

Create a certificate signing request to send to a certificate authority

Use the key file you created in the procedure above to generate the certificate signing request (CSR). You send the CSR to a certificate authority (CA) to obtain a signed certificate.

Important: If you want to configure a SAN certificate to use SSL for multiple domains, first complete the steps in For SAN certificates: modify the OpenSSL configuration file below, and then return to here to generate a CSR.

  1. Run the following command to create a certificate signing request (CSR) file:

    openssl.exe req -new -key yourcertname.key -out yourcertname.csr

    If you did not set the OpenSSL configuration environment variable, OPENSSL_CONF, you might see either of the following messages:

    • An error message about the config information being unable to load. In this case, retype the command above with the following parameter: -config .confopenssl.cnf.

    • A warning that the /usr/local/ssl directory cannot be found. This directory does not exist on Windows, and you can simply ignore this message. The file is created successfully.

    To set an OpenSSL configuration environment variable, see Set the OpenSSL configuration environment variable (optional) section in this article.

  2. When prompted, enter the required information.

    Note: For Common Name, type the Tableau Server name. The Tableau Server name is the URL that will be used to reach the Tableau Server. For example, if you reach Tableau Server by typing tableau.example.com in the address bar of your browser, then tableau.example.com is the common name. If the common name does not resolve to the server name, errors will occur when a browser or Tableau Desktop tries to connect to Tableau Server.

Send the CSR to a certificate authority to obtain an SSL certificate

Send the CSR to a commercial certificate authority (CA) to request the digital certificate. For information, see the Wikipedia article Certificate authority and any related articles that help you decide which CA to use.

Use the key and certificate to configure Tableau Server

When you have both the key and the certificate from the CA, you can configure Tableau Server to use SSL. For the steps, see Configure External SSL.

For SAN certificates: modify the OpenSSL configuration file

In a standard installation of OpenSSL, some features are not enabled by default. To use SSL with multiple domain names, before you generate the CSR, complete these steps to modify the openssl.cnf file.

  1. Open Windows Explorer and browse to the Apache conf folder for Tableau Server.

    For example: C:Program FilesTableauTableau Server<version_code>apacheconf

  2. Open openssl.cnf in a text editor, and find the following line: req_extensions = v3_req

    This line might be commented out with a hash sign (#) at the beginning of the line.

    If the line is commented out, uncomment it by removing the # and space characters from the beginning of the line.

  3. Move to the [ v3_req ] section of the file. The first few lines contain the following text:

    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    After the keyUsage line, insert the following line:

    subjectAltName = @alt_names

    If you’re creating a self-signed SAN certificate, do the following to give the certificate permission to sign the certificate:

    1. Add the cRLSign and keyCertSign to the keyUsage line so it looks like the following: keyUsage = nonRepudiation, digitalSignature, keyEncipherment, cRLSign, keyCertSign

    2. After the keyUsage line, add the following line: subjectAltName = @alt_names

  4. In the [alt_names] section, provide the domain names you want to use with SSL.

    DNS.1 = [domain1]
    DNS.2 = [domain2]
    DNS.3 = [etc]

    The following image shows the results highlighted, with placeholder text that you would replace with your domain names.

  5. Save and close the file.

  6. Complete the steps in Create a certificate signing request to send to a certificate authority section, above.

Additional information

If you prefer to use a different version of OpenSSL, you can download it from Open SSL for Windows.

HowThanks for your feedback!There was an error submitting your feedback. Try again or send us a message.