- Identify the brokers that you want to connect to Cisco pxGrid.
- Log on to the ISE web user interface as an Administrator and navigate to Administration, pxGrid Services, Certificates.
- In the "I want to" drop-down list, select Generate a single certificate (without a certificate signing request).
- Type the common name and certificate passwords.
  IMPORTANT: Use the same certificate passwords when you configure pxGrid in DXL (Server Settings, DXL Cisco pxGrid Settings).
- In the "Certificate Download Format" field, select Certificate in Privacy Enhanced Electronic Mail (PEM) format and click Create.
- Copy the downloaded .zip file into the broker in this folder:
  /var/mcafee/dxlbroker/ipe/cisco/keystore
  NOTE: An SCP or SFTP tool is needed to copy the .zip file to the DXL broker.
- Repeat the previous steps for each broker that you want to connect to pxGrid.
- In the "I want to" drop-down list, select Download root certificate chain and choose all host names.
- In the "Certificate Download Format" field, select Certificate in Privacy Enhanced Electronic Mail (PEM) format and click Create.
- Copy the downloaded .zip file into the broker in this folder:
  /var/mcafee/dxlbroker/ipe/cisco/truststore
  NOTE: An SCP or SFTP tool is needed to copy the .zip file to the DXL broker.
- Repeat for each broker that connects to pxGrid.
See also:
- Using ISE 2.2 Internal CA (CA) to Deploy Cisco pxGrid clients (not using external CA): https://communities.cisco.com/docs/DOC-71928
- Deploying pxGrid in ISE Productional Environments (version 2.0), section Deploying pxGrid using ISE 2.2+ (using external CA): https://communities.cisco.com/docs/DOC-68284
Cisco ISE version 2.1:
- Identify the brokers that you want to connect to Cisco pxGrid.
- Log on to the ISE web user interface as an Administrator and navigate to the Certificate Provisioning Portal, Device Portal Management, Certificate Provisioning.
- Navigate to the Certificate Provisioning Portal Default, and select the Portal Test URL.
- Provide the requested credentials and click Sign On.
- In the "I want to" drop-down list, select Generate a single certificate (without a certificate signing request).
- Provide the Common Name (CN).
  NOTE: The CN must be a resolvable fully qualified domain name (FQDN) of a broker system.
- Provide the MAC address and certificate passwords.
  IMPORTANT: You must use the same certificate passwords when you configure pxGrid in DXL (Server Settings, DXL Cisco pxGrid Settings).
- In the "Certificate Download Format" field, select Certificate in PEM format and click Generate.
- Extract the contents of the downloaded .zip file to a temporary folder.
- Copy all individual files from the temporary folder into the broker in the following folder:
  /var/mcafee/dxlbroker/ipe/cisco/keystore
  NOTE: An SCP or SFTP tool is needed to copy the files to the DXL broker.
- Copy only the CertificateServicesRootCA-xxx.cer file and the external root certificate file, caroot.cer, from the temporary folder into the broker in the following folder:
  /var/mcafee/dxlbroker/ipe/cisco/truststore
  NOTE: An SCP or SFTP tool is needed to copy the files to the DXL broker.
- Repeat steps 5–11 for each broker you want to connect to pxGrid.
See also:
- Using ISE 2.1 Internal CA (CA) to Deploy Cisco pxGrid clients (not using external CA): https://communities.cisco.com/docs/DOC-71927
- Deploying pxGrid in ISE Productional Environments (version 2.0), section Deploying pxGrid using ISE 2.1 with Internal CA and External CA certificates for ISE nodes: https://communities.cisco.com/docs/DOC-68284
Cisco ISE version 2.0:
- Identify the brokers that you want to connect to Cisco pxGrid.
- Download and install OpenSSL for Windows from the following location, and select the Win32 OpenSSL Light (for 32-bit) or Win64 OpenSSL Light (for 64-bit) package:
  http://www.slproweb.com/products/Win32OpenSSL.html
  If the message "Critical component is missing: Microsoft Visual C++ 2008 Redistributables" displays, cancel the setup and download one of the following packages (based on your architecture):
  Visual C++ 2008 Redistributables (x86), available at:
  http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF
  Visual C++ 2008 Redistributables (x64), available at:
  http://www.microsoft.com/downloads/details.aspx?familyid=bd2a6171-e2d6-4230-b809-9a8d7548c1b6
- Open a command prompt (Start, Run, cmd.exe), and set the following OpenSSL environment variables. Adjust the OpenSSL path based on your install location:
  C:\>set OPENSSL_BIN=c:\OpenSSL-Win32\bin
  C:\>set PATH=%OPENSSL_BIN%;%PATH%
  C:\>set OPENSSL_CONF=%OPENSSL_BIN%\openssl.cfg
- Create and change to the directory for output files:
  C:\>mkdir c:\certificates
  C:\>cd c:\certificates
- Create a private key and set a password for it. Make sure that the same password is set in the McAfee ePO Server Settings, DXL Cisco pxGrid Settings page.
  IMPORTANT: Use the same certificate passwords when you configure pxGrid in DXL (Server Settings, DXL Cisco pxGrid Settings).
  C:\certificates>openssl genrsa -aes256 -out tmp.key 2048
  Generating RSA private key, 2048 bit long modulus
  .....................................................................................+++
  ..............+++
  e is 65537 (0x10001)
  Enter pass phrase for tmp.key:
  Verifying - Enter pass phrase for tmp.key:
- Convert the key to PKCS8 type:
  C:\certificates>openssl pkcs8 -in tmp.key -topk8 -out pxgrid_client.key -v1 PBE-SHA1-3DES
  Provide the same password as before and make sure that the Encryption Password is set with the same value:
  Enter pass phrase for tmp.key:
  Enter Encryption Password:
  Verifying - Enter Encryption Password:
- Generate the certificate signing request from that key:
  C:\certificates>openssl req -out pxgrid_client.csr -key pxgrid_client.key -new
  Type the needed information. Make sure that a unique value is provided for "Common Name," for example, the DXL broker's host name:
  Enter pass phrase for pxgrid_client.key:
  You are about to be asked to enter information that will be incorporated into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:.
  State or Province Name (full name) [Some-State]:.
  Locality Name (eg, city) []:.
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
  Organizational Unit Name (eg, section) []:.
  Common Name (e.g. server FQDN or YOUR name) []:DXLBroker1.dxl.lab
  Email Address []:.
  Type the following 'extra' attributes to be sent with your certificate request:
  A challenge password []:
  An optional company name []:
- Sign the certificate, and import the CA in the Cisco ISE:
  - Option 1: Use an external CA to sign the certificate:
    - Provide the CSR file to the CA vendor and get back the signed pxgrid_client.cer.
      NOTE: The CA server must sign the CSR using a customized template. This customized template must contain an EKU of both client authentication and server authentication.
      As a reference, see Deploying Certificates with Cisco pxGrid - Using an external Certificate Authority (CA) with updates to Cisco ISE 2.0/2.1/2.2, section Using an External Certificate CA Server Customized Template (https://communities.cisco.com/docs/DOC-71926).
    - Copy pxgrid_client.key and pxgrid_client.cer into the broker in this folder:
      /var/mcafee/dxlbroker/ipe/cisco/keystore
      NOTE: An SCP or SFTP tool is needed to copy the files to the DXL broker.
    - Break down the certificate chain of the CA into separate PEM files and copy those files into the broker under the folder /var/mcafee/dxlbroker/ipe/cisco/keystore (the root CA certificate). These files have the extension .cer.
      NOTE: An SCP or SFTP tool is needed to copy the files to the DXL broker.
    - Log on to the ISE web user interface as an Administrator and navigate to Administration, System, Certificates, Certificate Management, Trusted Certificates.
    - Click Import and select the CA certificate files you created in step 8c. Use the default values and import each file.
  - Option 2: Use a self-signed CA:
    - Create the CA certificate and key with the following command:
      c:\certificates>openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.cer
      Type the needed information. Make sure "Common Name" is unique, and is set to the FQDN of the DXL broker:
      Generating a 2048 bit RSA private key
      .............................................................................+++
      ....................+++
      writing new private key to 'ca.key'
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:
      -----
      You are about to be asked to enter information that will be incorporated into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:.
      State or Province Name (full name) [Some-State]:.
      Locality Name (eg, city) []:.
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
      Organizational Unit Name (eg, section) []:.
      Common Name (e.g. server FQDN or YOUR name) []:DXLpxGridClientsCA
      Email Address []:.
    - Sign the CSR with the following command:
      c:\certificates>openssl x509 -req -in pxgrid_client.csr -CA ca.cer -CAkey ca.key -CAcreateserial -out pxgrid_client.cer -days 365
      Type the password for the CA key and complete signing the certificate:
      Signature ok
      subject=/CN=DXLBroker1.dxl.lab
      Getting CA Private Key
      Enter pass phrase for ca.key:
    - Copy pxgrid_client.cer, pxgrid_client.key, and ca.cer to the broker in the folder:
      /var/mcafee/dxlbroker/ipe/cisco/keystore
      NOTE: An SCP or SFTP tool is needed to copy the files to the DXL broker.
    - Log on to the ISE web user interface as an Administrator and navigate to Administration, System, Certificates, Certificate Management, Trusted Certificates.
    - Click Import and select the c:\certificates\ca.cer file. Use the default values and import.
- Repeat steps 5–8 for each broker that connects to pxGrid.
  If you use a self-signed CA, you can reuse the same CA for signing certificate requests, but you must generate separate certificates for each broker.
- In the ISE web user interface, navigate to Administration, System, Certificates, Certificate Management, System Certificates.
- Select the certificate entry that is "used by" pxGrid. Make a note of the "Issued by" value, and click Export.
- Select Export certificate only and click Export.
- For each DXL broker that connects to pxGrid, copy the downloaded file onto the broker in the folder:
  /var/mcafee/dxlbroker/ipe/cisco/truststore
  NOTE: An SCP or SFTP tool is needed to copy the file to the DXL broker.
- In the ISE web user interface, navigate to Administration, System, Certificates, Certificate Management, Trusted Certificates.
- Select the entry where "Issued to" is the same as the "Issued by" value in step 11 and click Export.
- For each DXL broker that connects to pxGrid, copy the downloaded file to the DXL broker in the folder:
  /var/mcafee/dxlbroker/ipe/cisco/truststore
  NOTE: An SCP or SFTP tool is needed to copy the file to the DXL broker.
See also:
- Deploying Certificates with Cisco pxGrid - Using Self-Signed Certificates, Updates to Cisco ISE 2.0/2.1/2.2: https://communities.cisco.com/docs/DOC-71925
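The OpenSSL part of the ISE 2.0 self-signed-CA procedure above, run non-interactively on a Linux or macOS host and followed by the checks worth doing before the files are copied to the broker. This is an added example, not McAfee's or Cisco's code; it assumes openssl is in PATH, uses constructed placeholder passwords and the KB's sample FQDN, and goes one step beyond the KB's x509 -req command by adding the clientAuth plus serverAuth EKU that the external-CA note requires (and a SAN, an assumption not in the KB).

```shell
#!/bin/sh
# Added example, not from the McAfee KB: runs the ISE 2.0 self-signed-CA procedure
# non-interactively and then checks the result. Assumes openssl is in PATH; the
# broker FQDN and passwords below are constructed placeholders (set env vars to override).
set -eu

BROKER_FQDN="${BROKER_FQDN:-DXLBroker1.dxl.lab}"   # CN must be the broker's resolvable FQDN
KEY_PASS="${KEY_PASS:-changeme-pxgrid-key}"        # must match DXL Cisco pxGrid Settings in ePO
CA_PASS="${CA_PASS:-changeme-ca}"
WORK="${WORK:-$(mktemp -d)}"                       # stand-in for c:\certificates

build_pxgrid_client_cert() {
  cd "$WORK"
  # Self-signed CA: one CA may sign every broker's CSR, but each broker gets its own cert
  openssl req -new -x509 -days 365 -subj "/CN=DXLpxGridClientsCA" -newkey rsa:2048 \
    -keyout ca.key -out ca.cer -passout "pass:$CA_PASS" 2>/dev/null
  # Broker key, then the PKCS#8 / PBE-SHA1-3DES form the KB specifies for pxgrid_client.key
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out tmp.key 2048 2>/dev/null
  openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in tmp.key -passin "pass:$KEY_PASS" \
    -out pxgrid_client.key -passout "pass:$KEY_PASS"
  # CSR with the broker FQDN as the unique Common Name
  openssl req -new -key pxgrid_client.key -passin "pass:$KEY_PASS" \
    -subj "/CN=$BROKER_FQDN" -out pxgrid_client.csr
  # Sign with the EKU the external-CA note requires: both client and server authentication
  printf 'extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = DNS:%s\n' \
    "$BROKER_FQDN" > ext.cnf
  openssl x509 -req -in pxgrid_client.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
    -passin "pass:$CA_PASS" -extfile ext.cnf -days 365 -out pxgrid_client.cer 2>/dev/null
}

# Checks worth running before copying the files to /var/mcafee/dxlbroker/ipe/cisco/keystore
verify_pxgrid_client_cert() {
  cd "$WORK"
  # The client cert must chain to ca.cer (the file ISE imports as a trusted certificate)
  openssl verify -CAfile ca.cer pxgrid_client.cer >/dev/null || return 1
  # EKU must list both usages, as the KB's customized-template note requires
  text=$(openssl x509 -in pxgrid_client.cer -noout -text)
  echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
  echo "$text" | grep -q 'TLS Web Client Authentication' || return 1
  # The key must open with the password configured in ePO and match the certificate
  k=$(openssl pkey -in pxgrid_client.key -passin "pass:$KEY_PASS" -pubout | openssl sha256)
  c=$(openssl x509 -in pxgrid_client.cer -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

build_pxgrid_client_cert && verify_pxgrid_client_cert && echo "OK: files in $WORK"
```

The resulting pxgrid_client.key, pxgrid_client.cer and ca.cer are the three files the procedure copies into the keystore folder, with ca.cer also being the file imported into ISE Trusted Certificates.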