Reset Search



How To Generate A Certificate Signing Request (CSR) On A NAC Appliance

« Go Back


TitleHow To Generate A Certificate Signing Request (CSR) On A NAC Appliance
  • Create a CSR for NAC's Captive Portal
  • Create a CSR for NAC's RADIUS Server
  • Create a CSR For NAC's Internal Communication's Server
  • All NAC platforms
  • Captive Portal
  • 802.1x
  • SSL Certificates
  • NAC Internal Communications
The steps outlined in this document are also available in the "How to Update Extreme Access Control Engine Server Certificates" section of the NAC manager user guide found on the portal, or the in software help menus.

See also:
Additional notes

Generating a Server Private Key and Server Certificate

If you do not have a server private key and server certificate to use as a replacement, you can generate them using the instructions in the sections below. You will need to:

  1. Generate a server private key. It is recommended that you use OpenSSL to generate an RSA key.
  2. Create a Certificate Signing Request.
  3. Submit the request to a Certificate Authority or generate a self-signed certificate.
  4. Verify the contents of the server certificate.

You can use the following steps regardless of whether you are using a commercial certificate authority or an in-house certificate authority.

Generate a Server Private Key

Use the following steps to generate an encrypted RSA private key.

  1. Enter the following command to use OpenSSL to generate a password-encrypted PKCS #8 formatted server private key file. Use the key size and output file name you prefer. (If you are unsure of the key size, use 2048.)
         openssl genrsa <key size> | openssl pkcs8 -topk8 -out <output file>

    For example:
         openssl genrsa 2048 | openssl pkcs8 -topk8 -out server.key
  2. You will be prompted for an Encryption Password. Be sure to make a note of the password that you enter. If the password is lost, you will need to generate a new server private key and a new server certificate.

Create a Certificate Signing Request

Use the following steps to create a Certificate Signing Request (CSR).

  1. Enter the following command to generate a CSR file. Use the output file name you used in step 1 above as the input file, and specify the output file name you prefer:
         openssl req -new -key <input file> -out <output file>

    For example:
         openssl req -new -key server.key -out server.csr
  2. You will be prompted for information that will appear in the certificate. When you are prompted for a Common Name, specify the fully qualified host name of the NAC appliance. For example:
         Common Name (eg, YOUR name) []

If you are creating a client and/or server certificate CSR request for use with PEAP or EAP-TLS, you may need to add an extension to the command used to generate the CSR file. Server and client certificates require an extension in order to operate as intended. Verify with your certificate vendor whether they require that the extensions are part of the CSR or are included in the certificate when the request is made. The following are command examples of the CSR request that include each of the extension options available.

  • If the CSR is for the NAC appliance, the command must include:
    openssl req -new -reqexts server_auth -key <input file> -out <output file>
  • If the CSR is for a client, the command must include:
    openssl req -new -reqexts client_auth -key <input file> -out <output file>
  • If the CSR is for both the NAC appliance and client, the command must include:
    openssl req -new -reqexts server_and_client_auth -key <input file> -out <output file>

Submit the Request to a Certificate Authority

The procedure for submitting a CSR to a Certificate Authority (CA) varies with the service used. Usually, it is done through a website using a commercial service such as VeriSign. You can also use an in-house CA, which generates certificates used internally by your enterprise. You will provide information including the contents of the CSR, and receive back one or more files containing the server certificate and possibly other certificates to be used in a chain.

To install on Extreme Management Center please see
How to update a certificate on a Access Control appliance (NAC) with Extreme Management Center (XMC)



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255