How to hack the certificate for a Cisco Identity Services Engine node

A guide to hacking and customizing certificates for Cisco Identity Services Engine.

Final Cert

Figure14 - Final Certificate

Credit: Aaron Woland

I just got back from a few weeks traveling around Europe, presenting at Cisco Live Europe, and meeting with customers and partners. It is obvious that this blog is very much needed for a lot of the deployments that we discussed, so as promised in the Load Balancing Blog, I am following up with a blog on how to "hack" the certificate for a Cisco Identity Services Engine (ISE) node, so that we may include entries in the Subject Alternative Name (SAN) field.

Why do we need to do this? 

There will be plenty of occasions in which you’ll want to reach ISE with a DNS name that is not the exact same as its hostname. If you’ve ever tried to reach an https:// website by IP address, you most likely have experienced the web browser arguing that the certificate name is mismatched and that the browser requires you to accept the warning in order to proceed. An example is shown below.

Name Mismatch Aaron Woland

Figure1 - Name Mismatch

Cisco ISE has a few different portals that you may connect to:

  • Sponsor Portal: https://ISE:8443/sponsorportal/. This portal is for employees of your company to login and create guest accounts. Obviously, telling an employee to connect to this URL will be very tedious, and a friendlier name will be needed.
  • MyDevices Portal: https://ISE:8443/mydevices/. This portal is for employees of your company to login and manage the personal devices they are allowed to register for network access. Obviously, telling an employee to connect to this URL will be very tedious, so again, a friendlier name will be needed.

So, ISE can use HTTP host-headers to use friendly names, and redirect traffic destined to that friendly name to the correct URL/port. This is set under Administration/Web Portal Management/Settings/General/Ports.

Friendly Names Aaron Woland

Figure2 - Friendly Names

If you were to use "hotspot.CompanyX.com," it would not match what was in ISE’s certificate for the web portals. The certificate will only match the actual hostname (such as: atw-cp-ise04.cisco.com). This results in a certificate mismatch error, and the user experience will be less than desirable.

How do I fix this?

Standard X.509 certificates provide fields to allow a certificate to match more than one URL. This is known as the Subject Alternative Name field. This certificate field may be populated with other DNS names, other IP Addresses, and more.

Using the Subject Alternative Name field will prevent the certificate errors. However, Cisco ISE does not provide the ability to populate these fields when generating a Certificate Signing Request (CSR) to be sent to the Certificate Authority for signing.

What is the “Hack”?

While the ISE user interface may not provide the ability to populate the SAN field with its own Certificate Signing Request (CSR), it is still just an X.509 certificate, which is a standard. Why don’t we just export the public and private certificate from ISE and use OpenSSL to generate the CSR instead?

(Note: We have tried this with MAC-OS, since OpenSSL is built into it, but it did not work for us. We did have success with using OpenSSL on Windows and Linux. I am going to focus on using the Windows implementation of OpenSSL for this blog entry. You can download OpenSSL from here)

Let’s Begin!

Step 1: To begin, you should generate a new self-signed certificate for the ISE node. Set the key length to be your desired key length (2048 for example). 

Generate Self Signed Certificate Aaron Woland

Figure3 - Generate Self Signed Certificate

Afterwards, you can reconnect to ISE and it will use the new certificate. Here I am viewing the new certificate, just to show you some fields. There is no Subject Alternative Name field, and you can see below that the subject is CN=atw-cp-ise01.ise.local (the fqdn of the ISE node). 

Certificate Aaron Woland

Figure4 - Certificate

Step 2: Export the Public and Private Certificate from ISE. The default format is a .zip file that contains both the public and private keys. In this case: "atwcpise01iselocalatwcpis.zip"

Export Certificate Aaron Woland

Figure5 - Export Certificate

Step 3: Extract the zip file and copy the .pem and .pvk files to the OpenSSL binary directory (C:\Program Files (x86)\GnuWin32\bin). 

Step 4: Create a customized configuration file for OpenSSL Certificate Signing Requests named openssl.cnf. A really nice walk through of the openssl.cnf file can be found here.

Example Config Aaron Woland

Figure6 - Example Configuration

Step 5: Now that your openssl.cnf file is ready with your certificate customizations, you will use OpenSSL to create a custom CSR file using the following command:

openssl req -key [PVK_file] -new -out [CSR_filename] –config [your_openssl.cnf_file]

Example CLI Aaron Woland

Figure7 - Example CLI

Step 6: Request a new Certificate from the CA. I used a Microsoft CA in this example.

CA Home Screen Aaron Woland

Figure8 - CA Home Screen

Step 7: Choose an Advanced certificate Request

Advanced Request Aaron Woland

Figure9 - Advanced Request

Step 8: Paste in the contents of the certificate request file generated in Step 5. Ensure the Certificate Template type is "Web Server."

Paste in CSR Aaron Woland

Figure10 - Paste in CSR

Step 9: Download the certificate in Base 64 (PEM) format. For best results, do not use DER format, and do not use the certificate chain.

Download Certificate Aaron Woland

Figure11 - Download Certificate

Step 10: Under Local Certificates, select Add and then Import Local Server Certificate

Import Certificate Aaron Woland

Figure12 - Import Certificate

Step 11: Import the Original Private key and new CA signed public key into ISE.

  • For Certificate File, choose the new CA signed certificate that you just downloaded from the CA. 
  • For the Private Key File, select the original private key that you exported.
Import Key Pair Aaron Woland

Figure13 - Import Key Pair

Step 12: Your ISE node will now be using the new CA signed certificate, with the Subject Alternative Names in it.

Final Cert Aaron Woland

Figure14 - Final Certificate

This article is published as part of the IDG Contributor Network. Want to Join?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.