Overview:

This document describes how to generate a CSR with OpenSSL, submit the CSR to a third-party CA server to obtain the root, device and intermediate certificates, chain the certificates together, use OpenSSL to produce the WLC certificate, and import it into the WLC.

The procedure consists of the following main steps.
1. CSR with OpenSSL
2. Certificate Download from a Third-Party CA
3. Certificate Chaining
4. Downloading Third-Party Certificate to the WLC

 

Components Used:

● Cisco WLC 5508 running Firmware Version 8.0.152
● OpenSSL application for Microsoft Windows
● Enrollment tool that is specific to the third-party Certification Authority (CA)
 
Step 1: CSR with OpenSSL

1. On Windows, install the OpenSSL application to generate the CSR.
2. On macOS, OpenSSL is built into the operating system and can be used directly.
3. Install the OpenSSL application.
 
Note:
For WLC versions before 8.0, OpenSSL Version 0.9.8 is recommended; OpenSSL Version 1.0 is not recommended (refer to Cisco bug ID CSCti65315).
For WLC 8.0 and later, OpenSSL Version 1.1 or later is recommended.
 
4. Open the OpenSSL application. On Windows, for example, openssl.exe is located at C:\openssl\bin.
5. Enter the following command and fill in the requested information to produce the CSR and the private key.
 
OpenSSL>req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -config openssl-san.cnf
 
OpenSSL session output:
 
 
OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -config openssl-san.cnf
Generating a RSA private key
....+++++
...................................................+++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taipei
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Test
Common Name (e.g. server FQDN or YOUR name) []:guestwifi.vcs.today
Email Address []:test@test.com.tw
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test123
An optional company name []:test
OpenSSL>
 
WLC Virtual Interface configuration screen
Note:
The Common Name must exactly match the DNS Host Name configured on the WLC Virtual Interface; also, a change to the Virtual Interface IP only takes effect after a reboot.
Which VIP address you use depends on the DNS server of your Guest Access deployment; for the VIP, as long as the Common Name resolves through a matching DNS A record, the web page displays correctly.
Use Windows nslookup to test after adding the A record: if the FQDN resolves, you are basically good to go!
 
6. After the OpenSSL prompts are completed, two files are produced: the private key and the CSR.

● mykey.pem  private key
● myreq.pem  CSR
 
 
Step 2: Certificate Download from a Third-Party CA

After submitting the CSR to the third-party CA server, you should receive the following certificates:
Root certificate.pem
Intermediate certificate.pem
Device certificate.pem

Note:
Some third-party CAs (for example GoDaddy) issue only two certificates: a Device Certificate and a Bundle Certificate.
The Bundle Certificate contains the Root and Intermediate Certificates.
 
Step 3: Certificate Chaining

1. Copy the contents of the three certificates into a new text file, in the order shown below, and save it as All-certs.pem.

-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
 
2. Open OpenSSL and enter the following commands to produce final.pem from All-certs.pem and mykey.pem:
OpenSSL> pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123
OpenSSL> pkcs12 -in All-certs.p12 -out final.pem -passin pass:check123 -passout pass:check123
 
Note:
The commands above require the -passin and -passout passwords; in this example both are set to check123. The password you enter when uploading the certificate to the WLC is the -passout password.
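The checks a practitioner would run around Steps 1 and 3, as an added example that is not part of the original post: confirm the CSR Common Name, confirm that mykey.pem belongs to the device certificate, verify the chain, assemble All-certs.pem in the order the WLC expects, then run the two pkcs12 commands. It assumes openssl is on PATH and takes the PKCS#12 password from an environment variable WLC_CERT_PASS (an assumed name) instead of the command line, so it does not appear in process listings or shell history.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl on PATH and
# the password in WLC_CERT_PASS (assumed variable name).
set -eu

# Print the Common Name of a CSR, to compare with the WLC Virtual Interface
# DNS Host Name before the CSR is sent to the CA.
csr_common_name() {  # $1=CSR file
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN=\([^,]*\).*/\1/'
}

# Return 0 when the private key belongs to the device certificate
# (compares the SHA-256 of both public keys).
key_matches_cert() {  # $1=device cert  $2=private key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Return 0 when the device cert chains to the root via the intermediate.
chain_is_valid() {  # $1=device cert  $2=intermediate cert  $3=root cert
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# Write the chain file in WLC order: device, intermediate, root. Each block
# is re-emitted by openssl x509, which drops any "Bag Attributes" text the
# CA added and guarantees a newline between blocks.
build_chain_file() {  # $1=device $2=intermediate $3=root $4=key $5=output
  key_matches_cert "$1" "$4"
  chain_is_valid "$1" "$2" "$3"
  : > "$5"
  for f in "$1" "$2" "$3"; do
    openssl x509 -in "$f" >> "$5"
  done
  [ "$(grep -c 'BEGIN CERTIFICATE' "$5")" -eq 3 ]
}

# The post's two pkcs12 commands; final.pem holds the password-protected
# private key plus the three certificates for upload to the WLC.
make_final_pem() {  # $1=chain file  $2=private key  $3=output .pem
  p12="${3%.pem}.p12"
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$p12" -passout env:WLC_CERT_PASS
  openssl pkcs12 -in "$p12" -out "$3" -passin env:WLC_CERT_PASS -passout env:WLC_CERT_PASS
  grep -q 'PRIVATE KEY' "$3" && grep -q 'BEGIN CERTIFICATE' "$3"
}
```

With the post's file names: WLC_CERT_PASS=check123 build_chain_file device.pem intermediate.pem root.pem mykey.pem All-certs.pem, then make_final_pem All-certs.pem mykey.pem final.pem.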
 
Step 4: Downloading Third-Party Certificate to the WLC
There are two ways to import the certificate into the WLC, via the GUI or the CLI. Both are shown below.

Option 1: GUI
1. Place final.pem in the TFTP directory; the certificate is then imported into the WLC over TFTP.
2. Open the WLC GUI and go to SECURITY -> Web Auth -> Certificate.
3. Check Download SSL Certificate.
4. Enter the TFTP details and the certificate file name (final.pem in this example), then enter the certificate password (check123 in this example).
5. Confirm the details are correct and click Apply.
6. Once the upload completes, the controller must be rebooted for the certificate to take effect: go to COMMANDS -> Reboot.
7. Click Save and Reboot, confirm with OK, and the controller restarts.
 
Option 2: CLI
1. Place final.pem in the TFTP directory; the certificate is then imported into the WLC over TFTP.
2. Enter the following commands to set the transfer parameters:
(Cisco Controller) > transfer download mode tftp
(Cisco Controller) > transfer download datatype webauthcert
(Cisco Controller) > transfer download serverip <TFTP server IP address>
(Cisco Controller) > transfer download path <absolute TFTP server path to the update file>
(Cisco Controller) > transfer download filename final.pem
(Cisco Controller) > transfer download certpassword <password>
3. Confirm the details are correct and start the upload:
(Cisco Controller) >transfer download start
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.99.0.9
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... final.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP Webauth cert transfer starting.
TFTP receive complete... Installing Certificate.
4. Reboot the WLC:
(Cisco Controller) >reset system
Configuration Not Saved!
Are you sure you would like to reset the system? (y/N) y
System will now restart!
 
Reference: