Skip to main content

How to hack the certificate for a Cisco Identity Services Engine node


I just got back from a few weeks traveling around Europe, presenting at Cisco Live Europe, and meeting with customers and partners. It is obvious that this blog is very much needed for a lot of the deployments that we discussed, so as promised in the Load Balancing Blog, I am following up with a blog on how to "hack" the certificate for a Cisco Identity Services Engine (ISE) node, so that we may include entries in the Subject Alternative Name (SAN) field.
Why do we need to do this? 
There will be plenty of occasions in which you’ll want to reach ISE with a DNS name that is not the exact same as its hostname. If you’ve ever tried to reach an https:// website by IP address, you most likely have experienced the web browser arguing that the certificate name is mismatched and that the browser requires you to accept the warning in order to proceed. An example is shown below.
Cisco ISE has a few different portals that you may connect to:
  • Sponsor Portal: https://ISE:8443/sponsorportal/. This portal is for employees of your company to login and create guest accounts. Obviously, telling an employee to connect to this URL will be very tedious, and a friendlier name will be needed.
  • MyDevices Portal: https://ISE:8443/mydevices/. This portal is for employees of your company to login and manage the personal devices they are allowed to register for network access. Obviously, telling an employee to connect to this URL will be very tedious, so again, a friendlier name will be needed.
So, ISE can use HTTP host-headers to use friendly names, and redirect traffic destined to that friendly name to the correct URL/port. This is set under Administration/Web Portal Management/Settings/General/Ports.
If you were to use "hotspot.CompanyX.com," it would not match what was in ISE’s certificate for the web portals. The certificate will only match the actual hostname (such as: atw-cp-ise04.cisco.com). This results in a certificate mismatch error, and the user experience will be less than desirable.
How do I fix this?
Standard X.509 certificates provide fields to allow a certificate to match more than one URL. This is known as the Subject Alternative Name field. This certificate field may be populated with other DNS names, other IP Addresses, and more.
Using the Subject Alternative Name field will prevent the certificate errors. However, Cisco ISE does not provide the ability to populate these fields when generating a Certificate Signing Request (CSR) to be sent to the Certificate Authority for signing.
What is the “Hack”?
While the ISE user interface may not provide the ability to populate the SAN field with its own Certificate Signing Request (CSR), it is still just an X.509 certificate, which is a standard. Why don’t we just export the public and private certificate from ISE and use OpenSSL to generate the CSR instead?
(Note: We have tried this with MAC-OS, since OpenSSL is built into it, but it did not work for us. We did have success with using OpenSSL on Windows and Linux. I am going to focus on using the Windows implementation of OpenSSL for this blog entry. You can download OpenSSL from here)
Let’s Begin!
Step 1: To begin, you should generate a new self-signed certificate for the ISE node. Set the key length to be your desired key length (2048 for example). 
Afterwards, you can reconnect to ISE and it will use the new certificate. Here I am viewing the new certificate, just to show you some fields. There is no Subject Alternative Name field, and you can see below that the subject is CN=atw-cp-ise01.ise.local (the fqdn of the ISE node). 
Step 2: Export the Public and Private Certificate from ISE. The default format is a .zip file that contains both the public and private keys. In this case: “atwcpise01iselocalatwcpis.zip”
Step 3: Extract the zip file and copy the .pem and .pvk files to the OpenSSL binary directory (C:\Program Files (x86)\GnuWin32\bin). 
Step 4: Create a customized configuration file for OpenSSL Certificate Signing Requests named openssl.cnf. A really nice walk through of the openssl.cnf file can be found here.
Step 5: Now that your openssl.cnf file is ready with your certificate customizations, you will use OpenSSL to create a custom CSR file using the following command:
openssl req -key [PVK_file] -new -out [CSR_filename] –config [your_openssl.cnf_file]
Step 6: Request a new Certificate from the CA. I used a Microsoft CA in this example.
Step 7: Choose an Advanced certificate Request
Step 8: Paste in the contents of the certificate request file generated in Step 5. Ensure the Certificate Template type is "Web Server."
Step 9: Download the certificate in Base 64 (PEM) format. For best results, do not use DER format, and do not use the certificate chain.
Step 10: Under Local Certificates, select Add and then Import Local Server Certificate
Step 11: Import the Original Private key and new CA signed public key into ISE.
  • For Certificate File, choose the new CA signed certificate that you just downloaded from the CA. 
  • For the Private Key File, select the original private key that you exported.
Step 12: Your ISE node will now be using the new CA signed certificate, with the Subject Alternative Names in it.

Comments

Popular posts from this blog

How to Hack a Website in Four Easy Steps

Every wondered how Anonymous and other hacktivists manage to steal the data or crash the servers of websites belonging to some of the world biggest organisations? Thanks to freely available online tools, hacking is no long the  preserve of geeks , so we've decided to show you how easy it is to do, in just four easy steps. Step 1: Identify your target While  Anonymous  and other online hacktivists may choose their targets in order to protest against perceived wrong-doing, for a beginner wanting to get the taste of success with their first hack, the best thing to do is to identify a any website which has a vulnerability. Recently a hacker posted a list of 5,000 websites online which were vulnerable to attack. How did he/she identify these websites? Well, the key to creating a list of websites which are likely to be more open to attack, is to carry out a search for what is called a Google Dork. Google Dorking , also known as Google Hacking, enables yo...

How to Hack Facebook Password in 5 Ways

Check out the following post from  fonelovetz blog  on facebook account hacking. This is one of the most popular questions which I'm asked via my email.And today I'm going to solve this problem one it for all.Even though i have already written a few ways of hacking a facebook password.Looks like i got to tidy up the the stuff here.The first thing i want to tell is.You can not hack or crack a facebook password by a click of a button.That's totally impossible and if you find such tools on the internet then please don't waste your time by looking at them! They are all fake.Ok now let me tell you how to hack a facebook account. I'll be telling you 5 of the basic ways in which a beginner hacker would hack.They are: 1.Social Engineering 2.Keylogging 3.Reverting Password / Password Recovery Through Primary Email 4.Facebook Phishing Page/ Softwares 5.Stealers/RATS/Trojans I'll explain each of these one by one in brief.If you want to know more about them just ...

How to Hack Someone's Cell Phone to Steal Their Pictures

Do you ever wonder how all these celebrities continue to have their private photos spread all over the internet? While celebrities' phones and computers are forever vulnerable to attacks, the common folk must also be wary. No matter how careful you think you were went you sent those "candid" photos to your ex, with a little effort and access to public information, your pictures can be snagged, too. Here's how. Cloud Storage Apple's iCloud service provides a hassle free way to store and transfer photos and other media across multiple devices. While the commercial exemplifies the G-rated community of iPhone users, there are a bunch of non-soccer moms that use their iPhones in a more..."free spirited" mindset. With Photo Stream enabled (requires OS X Lion or later, iOS 5 or later), pictures taken on your iPhone go to directly to your computer and/or tablet, all while being stored in the cloud. If you think the cloud is safe, just ask Gizmodo ...

How to Hack Samsung Phone Screen Lock

I have discovered  another  security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app - even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing. Video . Of course, if you are unable to download a screen unlocker, this security vulnerability still allows you to  dial any phone number and run any app ! HOWTO From the lock screen, hit the emergency call button. Dial a non-existent emergency services number - e.g. 0. Press the green dial icon. Dismiss the error message. Press the phone's back button. The app's screen will be briefly displayed. This is just about long enough to interact with the app. Using this, you can run and interact with any app / widget / settings menu. You can also use this to launch the dialler. From there, you can dial any phone...