Create SAN Certificates for IND and ISE pxGrid Integration Using OpenSSL

Available Languages

Download Options

  • PDF     (929.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.0 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (589.1 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 14, 2023
Document ID:220890

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Introduction

This document describes how to create SAN certificates for pxGrid integration between Industrial Network Director (IND) and Identity Services Engine.

Background Information

When creating certificates in Cisco ISE for pxGrid use, server short hostnames cannot be entered into the ISE GUI as ISE allows only the FQDN or IP address.

To create certificates that include the hostname as well as FQDN, a certificate request file must be created outside of ISE.  This can be done using OpenSSL to create a Certificate Signing Request (CSR) with Subject Alternative Name (SAN) field entries.

This document does not include comprehensive steps to enable pxGrid communication between the IND server and the ISE server.  These steps can be used after pxGrid has been configured, and it has been confirmed that the server hostname is required.  If this error is found in the ISE Profiler log files, communication requires the hostname certificate.

Unable to get sync statusjava.security.cert.CertificateException: No subject alternative DNS name matching <IND server hostname> found.

Steps for initial deployment of IND with pxGrid communication can be found at https://www.cisco.com/c/dam/en/us/td/docs/switches/ind/install/IND_PxGrid_Registration_Guide_Final.pdf

Applications Required

  • Cisco Industrial Network Director (IND)
  • Cisco Identity Services Engine (ISE)
  • OpenSSL
    • In most modern Linux versions, as well as MacOS, the OpenSSL package is installed by default. If you find that commands are not available, please install OpenSSL using your operating system’s package management application.
    • Information about OpenSSL for Windows can be found at https://wiki.openssl.org/index.php/Binaries

Additional Information

For the purpose of this document, these details are used:

  • IND Server hostname: rch-mas-ind
  • FQDN:  rch-mas-ind.cisco.com
  • OpenSSL configuration: rch-mas-ind.req
  • Certificate request file name: rch-mas-ind.csr
  • Private key file name: rch-mas-ind.pem
  • Certificate file name: rch-mas-ind.cer

Process Steps

Create the certificate CSR

  1. On a system with OpenSSL installed, create a request text file for OpenSSL options including SAN information.
    • Most “_default” fields are optional, as answers can be entered while running the OpenSSL command in step #2.
    • SAN details (DNS.1, DNS.2) are required and must include both the DNS short hostname, and server’s FQDN.  Additional DNS names can be added if needed, using DNS.3, DNS.4, and so on.
    • Example request file text file:

      [req]
      distinguished_name = name
      req_extensions = v3_req

      [name]
      countryName = Country Name (2 letter code)
      countryName_default = US
      stateOrProvinceName = State or Province Name (Full Name)
      stateOrProvinceName_default = TX
      localityName = City
      localityName_default = Cisco Lab
      organizationalUnitName = Organizational Unit Name (eg, IT)
      organizationalUnitName_default = TAC
      commonName = Common Name (eg, YOUR name)
      commonName_max = 64
      commonName_default = rch-mas-ind.cisco.com
      emailAddress = Email Address
      emailAddress_max = 40

      [v3_req]
      keyUsage = keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = rch-mas-ind
      DNS.2 = rch-mas-ind.cisco.com
  2. Use OpenSSL to create CSR with DNS short hostname in SAN field. Create a private key file in addition to CSR file.
    • Command:
         openssl req -newkey rsa:2048 -keyout <server>.pem -out <server>.csr -config <server>.req
    • When prompted, enter a password of your choice.  Be sure to remember this password, as it is used in later steps.
    • Enter a valid email address when prompted or leave the field blank and press <ENTER>.
      wiransom_0-1693525602301
  3. If desired, verify the CSR file information. For a SAN certificate, check for “x509v3 Subject Alternative Name” as highlighted in this screenshot.
    • Command line:
         openssl req -in <server>.csr -noout -text
      wiransom_1-1693526190346

  4. Open the CSR file in a text editor.  For security reasons, the sample screenshot is incomplete and edited.  The actual generated CSR file contains more lines.
    wiransom_2-1693526378077
  5. Copy the private key file (<server>.pem) to your PC as it is used in a later step.

Use Cisco ISE to generate a certificate, using the created CSR file information

Within the ISE GUI:

  1. Remove the existing pxGrid client.
    • Navigate to Administration > pxGrid Services > All Clients.
    • Find and select the existing client hostname, if listed,
    • If found and selected, click the Delete button, and choose “Delete Selected.”  Confirm as needed.
  2. Create the new certificate.
    • Click on the Certificates tab on the pxGrid services page.
    • Choose the options:
      • “I want to”:
        • “Generate a single certificate (with certificate signing request)”
      • “Certificate Signing Request Details:
        • Copy/paste the CSR details from the text editor.  Be sure to include the BEGIN and END lines.
      • “Certificate Download Format”
        • “Certificate in Privacy Enhanced Electronic Mail (PEM) format, key in PKCS8 PEM format.”
      • Enter a certificate password and confirm it.
      • Click the Create button.
        wiransom_3-1693526643994
      • This creates and downloads a ZIP file that contains the certificate file as well as additional files for the certificate chain. Open the ZIP and extract the certificate.
        • The filename is normally <IND server fqdn>.cer
        • In some versions of ISE, the filename is <IND fqdn>_<IND short name>.cer

Import the new certificate into the IND server, and enable it for pxGrid use

Within the IND GUI:

  1. Disable the pxGrid service, so the new certificate can be imported and set as the active certificate.
    • Navigate to Settings > pxGrid.
    • Click to disable pxGrid.
      wiransom_4-1693526709703
  2. Import the new certificate into System Certificates.
    • Navigate to Settings > Certificate Management.
    • Click onto “System Certificates”
    • Click “Add Certificate.”
    • Enter a certificate name.
    • Click “Browse” to the left of “Certificate”, and locate the new certificate file.
    • Click “Browse” to the left of “Certificate”, and locate the private key saved when creating the CSR.
    • Enter the password previously used when creating the private key and CSR with OpenSSL.
    • Click “Upload.”
      wiransom_5-1693526709706
  1. Import the new certificate as a trusted certificate.
    • Navigate to Settings > Certificate Management, click on “Trusted Certificates.”
    • Click “Add Certificate.”
    • Enter a certificate name; this must be a different name than the one used on System Certificates.
    • Click “Browse” to the left of “Certificate” and locate the new certificate file.
    • The password field can be left empty.
    • Click “Upload.”
      wiransom_6-1693526709709
  1. Set pxGrid to use the new certificate.
    • Navigate to Settings > Certificate Management, click on “Settings.”
    • If not already done, select “CA Certificate” under “pxGrid.”
    • Select the system certificate name created during the certificate import.
    • Click Save.

Enable and register pxGrid with the ISE server

Within the IND GUI:

    1. Navigate to Settings > pxGrid.
    2. Click the slider to Enable pxGrid.
    3. If this is not the first time registering pxGrid with ISE on this IND server, choose “Connect Using the Existing Node.”  The IND node and ISE server information automatically populates.
    4. To register a new IND server to use pxGrid, if needed, choose “Register a New Node”.  Enter the IND node name and choose ISE servers as needed.
      • If the ISE server is not listed within the dropdown options for Server 1 or Server 2, it can be added as a new pxGrid server using Settings > Policy Server

wiransom_7-1693526767771

  1. Click Register. A confirmation is shown on-screen.
    wiransom_8-1693526767771

Approve registration request in ISE server

Within the ISE GUI:

  1. Navigate to Administration > pxGrid Services > All Clients.  A request Pending Approval shows as “Total Pending Approval(1).”
  2. Click on “Total Pending Approval(1)” and select “Approve All.”
    wiransom_9-1693527351129
  3. On the pop-up that appears, click “Approve All.”
    wiransom_10-1693527351130
  4. The IND server shows as a client, as shown here.
    wiransom_11-1693527351134

Activate pxGrid service in IND server

Within the IND GUI:

  1. Navigate to Settings > pxGrid.
  2. Click on “Activate.”
    wiransom_12-1693527449905
  3. A confirmation is shown on-screen.
    wiransom_13-1693527449906

Revision History

Revision Publish Date Comments
1.0
14-Sep-2023
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Andy Ransom
    Cisco CX Centers

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products