Cisco ISE : Installing External CA Signed Certificate | STEP BY STEP

Captions
Hey there. Today we are going to have a look at installing an external certificate authority signed certificate on Cisco ISE. Essentially the goal of this lab is to see how we get rid of the certificate issues while accessing or communicating with Cisco ISE, using an external certificate authority server for certificate signing, which will be Windows 2012 in our case. The end result will be that you won't be getting HTTPS errors, or essentially certificate errors, while accessing Cisco ISE via the GUI, and alongside that we can use the same certificate for authentication purposes for any mechanism that uses TLS.

So why do certificate or HTTPS errors occur? Well, that is a huge topic and needs a video of its own, but the most common one is that your devices, like Windows and Android, literally have trust issues. How this works is that all of the devices have a trusted root certificate store in which there are a bunch of trusted certificate authorities of the world. Any certificate presented to the device that has their stamp of approval will essentially pass the untrusted root certificate error, which is the most common of the HTTPS or certificate errors. But there are many more reasons you might get an HTTPS or certificate error, for example: root CA invalid, which we just discussed; common name invalid, caused by a mismatch in domain names and common names; weak signature error, caused by weak algorithms, for example if you use SHA-1 instead of SHA-2; expired certificate errors, which is kind of self-explanatory. So our main focus in this lab will be on the root certificate issue, alongside the common name problem that may occur.

Now just to familiarize you with the basic topology: we have an ISE 2.7 server and a Windows 2012 R2 server acting as a certificate authority in the server VLAN, residing in the subnet 192.168.35.0 with a /24 subnet mask. ISE has an IP of 192.168.35.254 and the certificate authority server has an IP of 192.168.35.200 respectively. Now on the other side we have VLAN 25, which is the user VLAN for both wired and wireless clients, with a subnet of 192.168.25.0/24, with the Windows machine having the IP address 192.168.25.99. Both these networks talk to each other via a router in the middle, so we kind of have a router-on-a-stick approach here.

Now basically three key players are present in the lab, namely the Windows 10 machine acting as the client, the ISE server itself, and the Windows Server 2012 acting as a certificate authority server. Neither ISE nor the Windows machine knows about this certificate authority server yet, so they don't trust it, although in production networks your domain computers may already trust your organization's certificate authority server. For the action items of this lab, we are going to download and install the certificate authority's certificate into the trusted certificate authority store of the Windows 10 machine, so that from here on out it trusts any certificate that has this certificate authority's approval or signature on it. Next up, just like the Windows machine, ISE too has a trusted certificate authority store called Trusted Certificates, and before we move on to getting ISE's certificate signed by it, it needs to be present there as a trusted certificate authority entity, so we will be installing the same certificate on ISE as well. Lastly, Cisco ISE will generate a CSR, or certificate signing request, and get it signed by this certificate authority, and finally we will move on to the installation of that certificate signed by the certificate authority that both Windows and ISE trust. Now if you haven't already, grab a cup of coffee, because we are moving towards the lab to see stuff in action.

Welcome to the lab part. As I told you in the animation part, we have three main components of the game, and that's the certificate authority server, the Windows 10 machine and the ISE server. So let me just show you the Windows 10 machine... oh sorry, the Windows 2012 server first; I have a remote desktop connection to it, so we're going to be doing things there if you need to. The other part is ISE, so we're going to take a connection to ISE, that's on 192.168.35.254. As I told you, and actually you can see this, yeah there it is, you can see the topology right now, so we have ISE on .254.

So going back to ISE, as you can see we have a cert error. This error is particularly saying that the certificate authority is invalid, so that means this Windows machine, because I am on the Windows machine right now (that Windows 10 machine that you see is basically this machine which I am on right now), is basically saying that the certificate authority is invalid, so it's not going to trust that certificate which it is giving me. And this is the certificate, and if you see the certification path, it's saying that basically this is a self-signed certificate by ISE. We can also see here that this CA certificate is not trusted because it is not in the trusted root certificate authority store.

So what we're going to be doing in this lab, first of all, is going back to step one. Step one says that I'm going to install the certificate authority's certificate on the Windows 10 machine. So without wasting any time... okay, I'll just go to Advanced if I want to go deeper, okay, proceed, and I'll just say okay. Yeah, this is ISE, and just to give you a look and feel of ISE, this is the look and feel of ISE.

Now my Windows 2012 R2 server has Certificate Services running on it. You can run it as a standalone server as well if you want to; it's not actually compulsory to run it as a domain server or any other server, it can act as a standalone CA if you need only certificate services from it. My server is running domain services and all that. So just to give you a look and feel, I think I have it open in the... yeah, there it is, that's my certificate authority, its name is Doctor Networks, and this is basically kind of like the console panel, but I'm not going to actually use this because I have web services running on this server. So what I can do with that is I can just go... let's minimize that, okay, I can just go to that server, and because I have web services running on it, I can access my certificate authority via the web. So that's my username and password of my Windows 2012 server, signing in.

Okay, first of all what I'm going to be doing is download the certificate from the certificate authority itself. So what you need to do is only go to Download a CA certificate. As you can see I have a bunch of stuff running on my certificate authority, but just forget it; for your case, maybe if you're doing this in a lab setup, there may be just one, the current one. You have to select Base 64 from here and download the CA certificate. So I've got it downloaded, just open it up, and what I'll see is a certification path. So this is the certificate, and if I see the common name and stuff, there it is, the CN is Doctor Networks, doctornetworks.com. Oh sorry, what did I do, let me download it again. So what I need to do, I just need to install it, that's my first step. So I just do Install Certificate, and there are two options, Current User or Local Machine. Current User: if you have multiple users, if you have a domain machine in which multiple users do log in, maybe it's a NOC team or something, they have shifts and they log in with their credentials, so installing a certificate that way is different. So normally I would go for the Local Machine, so that way it's in the machine, so every user has that certificate. So I wouldn't opt for the automatic option, I would go for Place all certificates in the following store, so I would browse and go to Trusted Root Certification Authorities. Remember that warning that we got, that ISE's certificate is stamped by a certificate authority which is not in my trusted root certificate authorities. So I'll just go and say okay, I'm placing the certificate in this trusted root certificate authority store, so just finish that, and import was successful.

Now if I want to see if that certificate was installed correctly or not, then there is a way. Let me just go to this guy and search for Manager; you could use the cert manager, certmgr, I think that's how you type it. So you go to Local Computer, I just go here, I click on this Certificates node, not any place else, I'll just... okay, Certificates - Local Computer, so I'll go to Action and say Find Certificates. So I'll type "doctor", that will pop up, and as you can see I see my certificate, and it is stored in the Trusted Root Certification Authorities. So we're done with step one. Let me just go back to my slides. Okay, so here it is, we've done step one.

Now it's time for step two: we install the certificate authority certificate into ISE. Now it's kind of like the same way that we just did with Windows. Where is it, okay, so I'm going to the GUI of ISE now. So what I did is actually rename that certificate and put it on the desktop so that it's easily accessible. I go into Administration, Certificates, and there is a certificate authority store basically that is called Trusted Certificates. Now before I get my certificate signed by this guy, this certificate authority, I need to trust it first. So there are a bunch of them, but you know, I have my own infrastructure here, so I would need to import that certificate. So I'll just do an Import, I'll choose the file, let's go to Desktop over here, and the Root CA certificate, which I just renamed; don't get confused. So I'll just say "Doctor Networks CA". If you want to use a certificate authority for client authentication as well, you could click this option. Okay, and let's go Submit. All right, so we've got it, there it is, so that certificate authority is in our trusted store now. So that's done, step two.

Now comes step three, that is I need to generate a CSR, a certificate signing request, from ISE, and then I need to request a certificate from the certificate authority. Now both Windows 10 and ISE trust this certificate authority. So what I need to do now is actually generate the CSR. Why do I need to generate it? Because this certificate that I am presenting to the Windows machine is basically signed by me. So if I generate a certificate request and get it signed by this guy here, Windows 10 now trusts this guy, right, this certificate authority, so it'll be like "okay, you have a stamp of approval from a certificate authority that I trust, so I'm not going to get an HTTPS error because I also trust that certificate authority." You get it? So what's next. Okay, so here it is: you go to Certificate Signing Requests, you generate a request, and what we're going to be doing here is I'm going to use this certificate for multiple purposes. So the node: I have only one node, so I'm going to say okay, for this node I'm going to go for that.

Okay, before I go into this, one thing you need to make sure of. Let me just go to Deployment and open a new tab; maybe I have the ISE CLI, but I don't want to make things complicated right now. Okay, it's popped up. Now if you go to ISE, this is the one node, you see its fully qualified domain name, right? So this domain name should be resolvable from my Windows. So if I do... I'll just go there, if I open a command prompt and say ping, basically the DNS name is dnise.doctornetworks.com, and do a ping, it's pingable, and that is because actually I have a DNS entry; my DNS is basically my router, so I already have this entry over here on my router. So as you can see, that's why I'm able to resolve it. So if you have a DNS server you should be able to resolve it.

Okay, so coming back to the certificate request, what I'm going to do is I'm going to say okay, the common name, and there's a long story about this, because common name is going away, truth be told, but it's still there. So the common name should be exactly dnise.doctornetworks.com, but its significance is very much deprecated right now. I'll show you when I get to the subject alternative name; it's a great concept. Okay, organizational unit, I'll say IT; organization is doctornetworks.com, I'll just... okay, just Doctor Networks. Okay, city is Lahore, where I am, Lahore, and Punjab, it's Punjab, I know, I'm just trying to be like... okay, so PK. Okay, now this is the most... not the most important, but actually it's pretty great. What this is is basically SAN, it stands for subject alternative name. That means... I want to give you an example. Okay, first of all I'll just copy and paste it here, and I'll just add another entry saying IP address 192.168.35.254.

Now this is kind of mandatory right now, that the common name should be a SAN name as well, a DNS name, because I've seen problems if you don't have the SAN DNS name as such. This is because what SAN does basically is say okay, one website or one page that I'm accessing, one device, can be accessed by multiple domain names or IP addresses; not multiple IP addresses, obviously the IP address will be the same, but the domain names can be changed. So to actually show you that, I would say okay, I'm going to access the ISE server with an IP address as well, because the problem is that if I don't do this... I'm going to show you. Actually, what my Windows and my browser do is check the common name of the certificate that is presented to me, and the issuer, and the subject alternative name; if anything is different from this... This means I can access ISE via this domain. Let me just show you, okay, I can access ISE from this domain, right, so here is the admin page. Now I can also access ISE with an IP address. Now all you guys that are in IT, you normally don't actually use names, right? So if you're like me, I just love using IP addresses, I'm too much into IP addresses, so I'm going to be accessing the ISE server with an IP or maybe with a domain. So what do I do in that case? Because when I try to access my IP address, it's going to give me an error saying the common name is a mismatch and you can't do that. The certificate error will not be this error which it is showing right now; it's going to be a common name error, and the error would be specifically ERR_CERT_COMMON_NAME_INVALID. So to mitigate that, SAN just kicked in and resolved this issue altogether. Now what you can do is you can have multiple names for the same server. So what I'm going to do to test this out is I'm going to say okay, even if I type in dnise.networks.net, I want it to be valid, meaning my Windows, my browser, will not say that it's not secure; the common name error is not there. Okay, so that's about it, so I'm generating the certificate.

Now the problem is that, my guess is, it's basically trying to resolve... the ISE machine is trying to resolve dnise.networks.net. Now let me just see, I think I have Wireshark open somewhere, or maybe not; let me just see if it is actually doing that in the back end, give me a second. Let's see, I have a sniffer adapter, I actually have two adapters on my Windows server, one is for sniffing packets. Now, okay, there it is, I think this is it. Let's see what queries they're doing. Come on, queries... no, it's just a different one... let me just generate that again and see if I can find that query. So you want to see... no, I'll just do it again, Generate, and let's see if it does. Oh, there it is, oops, let me just pause this. So what ISE does when you're doing that is basically, on the back end, it checks for that domain name that you're trying to put into the SAN of the certificate, and... where did it go, you saw it right, oh there it is. So the response is coming up that no such domain exists, and that is from .35.254, that is the gateway, so that is this router; actually the router doesn't have any entry for .net, okay, so that's the problem. So it's asking if you would still like to proceed even though we can't resolve the name. All right, I'll say okay, I'll just proceed. Okay, it's going to come up, and we're going to export that certificate and put it into the... there it is, I'm just going to Show in folder, oh there it is. So right-click on it, open it with Notepad or Notepad++, whatever you have, and just copy this certificate syntax, and let's go to Microsoft Certificate Services, and this time let's go back; this time I'm going to Request a certificate, and I'm going to say okay, it's going to be an advanced request, so the Base 64 encoded certificate request; I mean this was in Base 64, so I'm going to copy and paste that. I actually just copied that and then just pasted that. So the next thing, what I'm doing is I'm going to say it's going to be for our Web Server template. Okay, submit it, and we're going to download that, Base 64 encoded; everything you do is Base 64 encoded. So downloading the certificate, and I'll just open, Show in folder; what I'm going to do is cut it and go to... okay, I'm going to paste it here, I'm going to say this is certificate... what was that, this is "signed cert". All right, so now I'm going to go to ISE which I have open in this... okay, this is done.

Now I'm going to click on Certificate Signing Requests again, where I generated this request, and I'm going to click that specific certificate request that I generated, and I'm going to click Bind Certificate. So choose that certificate which you have on your desktop, that is the signed cert which you just got, sure. Okay, I'm going to say it's "dn signed cert". So I'm going to use this for Admin; as you can see, it's part of the Portal, Admin, Portal. If I need to, I'll just click EAP Authentication, but we're not going to be showing EAP authentication in this lab, but you know, still, I'll just click almost all of them, because pxGrid uses a different kind of certificate, because it requires both client and server authentication, so we're not going to click that because it's going to generate an error; it's going to say that the template does not have user authentication. Okay, all my certificates will be using this signed certificate, so I'm going to hit Submit. Now what's going to happen, hopefully, if enabling the admin role... okay, what it's saying is it's going to restart the application services. So whenever you're doing this in production, maybe your certificate is expiring, what you're going to do is you're going to put in this certificate; make sure that you have a downtime to take care of all this. So I'll just click Yes, and it's going to take some time. So it's now basically saying that the portal tags are already assigned to this certificate; this was the default certificate, the certificate that ISE is showing me as of right now, this was the default certificate, we're going to take it away from it. And it's going to take some time now, so I'm going to pause this video, because it's going to take like 20 to 25 minutes because my RAM and everything is very low as compared to a production environment. So stay tuned.

All right, ISE is back. So the way I checked it actually is via the CLI of ISE; I basically SSH'd into the device and hit the command "show application status ise", and it shows me that the application server is indeed running. Now let's just verify. For the time being I'm still getting the same certificate, and it's showing me okay, the certificate is okay, so what the problem is, I don't know, let me check it with the browser. Let me just open the browser again and open another session to ISE. Oh, there it is. Now as you can see, I'm opening it from the IP address of .35.254 and it's showing me the connection is secure, because everything is valid right now. Now the thing is the certification path: if you see, someone signed this certificate, and that someone is a certificate authority that we trust, so we trust this certificate authority that signed its certificate. And if you look at the SAN, you can see that there are different domains. The first domain name is there, the .com, this is the one that is actually the domain name of ISE; also with the IP, you can open it with the IP address now because we have that option; it also can work with this one, let me just show you this, and then we'll just sign off. Let me just show you really quick this one: I'll just go to this guy and say show me the hosts; there are a lot of host names, so what I'm going to be doing is, I'll just put in "ip host" and I'll say dnise.networks.net and 192.168.35.254, so it's basically pointing towards ISE as well. So if you want to check that out, I'll just go and say there's a command prompt, I'll say okay, the .net, does it point towards it, right, so it's resolvable and pingable. So let me just check that. So first of all let's check the... okay, I already have that .com, so that is .com, okay, definitely okay, so connection is secure. Let's try .net, and as you can see .net also works. But if for some instance I go a little bit goofy, kind of a thing, that I say okay, I'm going to be using .ca, Canada, as this as well, so what's going to happen is when I try to open that, it's resolvable because I've made it, but look at that: cert common name invalid. If it was present in the SAN, this error wouldn't appear. Okay, so that's about it. You can use the same certificate for authentication as well, and we will do that in another video. This has been a long video for you guys, so thank you so much, and I hope this has been informative for you, and I'd like to thank you for viewing.
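The browser check the video demonstrates at the end (the .com, .net and IP all accepted, the .ca rejected with ERR_CERT_COMMON_NAME_INVALID), as an added example that is not part of the video: a Python replica of SAN matching that gives the same verdicts. The certificate dicts are constructed in the layout Python's `ssl` `getpeercert()` returns, using the lab's names; they are not real ISE certificates, and the wildcard handling goes slightly beyond the video to show the general rule.

```python
"""Replica of the browser's name check against a server certificate's SAN.
Added example, not code from the video.  Certificates are constructed
dicts in the shape ssl.SSLSocket.getpeercert() returns (assumption: only
the 'subject' and 'subjectAltName' keys matter for this check)."""
import ipaddress

# Constructed stand-in for the certificate ISE presents after step 3:
# CN plus SAN entries for the .com FQDN, the .net alias and the IP.
ISE_CERT = {
    "subject": ((("commonName", "dnise.doctornetworks.com"),),),
    "subjectAltName": (
        ("DNS", "dnise.doctornetworks.com"),
        ("DNS", "dnise.networks.net"),
        ("IP Address", "192.168.35.254"),
    ),
}

# Constructed CN-only certificate, the pre-SAN style the video calls deprecated.
CN_ONLY_CERT = {"subject": ((("commonName", "dnise.doctornetworks.com"),),)}


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style DNS-ID match: case-insensitive, label by label, with a
    single '*' allowed only as the whole left-most label and only when at
    least two fixed labels remain (so '*.com' never matches anything)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def san_entries(cert: dict) -> tuple[set, set]:
    """Split the SAN into DNS names and IP addresses.  A certificate without a
    SAN yields two empty sets, which is why browsers reject CN-only certs."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def check_access(cert: dict, requested: str) -> str:
    """Verdict a browser gives for the name or IP literal typed in the URL bar.
    The CN is deliberately ignored; only SAN entries are consulted."""
    dns, ips = san_entries(cert)
    try:
        ok = ipaddress.ip_address(requested) in ips  # IP literal: needs an IP SAN
    except ValueError:
        ok = any(_dns_matches(p, requested) for p in dns)  # otherwise DNS SAN
    return "OK" if ok else "ERR_CERT_COMMON_NAME_INVALID"


if __name__ == "__main__":
    for name in ("dnise.doctornetworks.com", "dnise.networks.net",
                 "192.168.35.254", "dnise.networks.ca"):
        print(f"{name:28} -> {check_access(ISE_CERT, name)}")
    print(f"{'CN-only cert, .com':28} -> "
          f"{check_access(CN_ONLY_CERT, 'dnise.doctornetworks.com')}")
```

Feed `check_access` the dict from a live `ssl.SSLSocket.getpeercert()` to test a real deployment offline-safe; the .ca case reproduces the error seen at the end of the video.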
Info
Channel: Doctor Networks
Views: 1,663
Rating: 5 out of 5
Keywords: cisco ise, cisco ise certificate, ise certificate, external certificate ise, ise external certificate
Id: 77N_tUc0-Ng
Length: 29min 30sec (1770 seconds)
Published: Sun May 23 2021