Requesting a new certificate from 3rd Party CA with Internal PKI

Hello,
We need to renew/request a certificate for our Radius server; however, whenever I try to renew the current GoDaddy cert it gives me the error: "The Request contains no certificate template information." We do have an internal PKI, which is probably the issue. How can I renew this certificate without going through the internal CA server? The certificate is being used on a Radius server that is also a DC.

Thank you.
Damon Rodriguez, Director of Business Technology, asked:
arnold commented:
Why do you need an external certificate when you have an internal CA? Are your radius servers queried by external resources? Create a CSR without auto-submitting it to your CA. certutil could be used, though you need to make sure the functional attributes are in the CSR.

You can load your CAs public cert into the devices as a trusted root....
gheist commented:
Radius server is unlikely to be reached by the public. Even if that is the case, the ones accessing it will not care if the SSL is valid. You can sign it with your own CA.
btan, Exec Consultant, commented:
May be related if your PKI, which the DC and also the Radius server use, is assuming a standalone CA. https://support.microsoft.com/en-us/kb/910249

An alternative method to request certificates from an enterprise CA instead can be considered. But I suggest checking out the MMC approach for the Radius (likely NPS) CSR steps: https://documentation.meraki.com/zGeneral_Administration/Non-Meraki_Configuration/Creating_an_offline_certificate_request_in_Windows_Server

GoDaddy has a renewal step, but only for domains hosted with them, so you can only go for a cert request submission: https://support.godaddy.com/help/article/864/renewing-your-ssl-certificate

Damon Rodriguez, Director of Business Technology (Author), commented:
The reason we use a 3rd party is that the Cisco WLAN controller was not accepting it for some reason. We couldn't renew it, and I tried to generate a new CSR using the same name and it wouldn't work. We found out that 3rd party SSL suppliers will no longer generate certificates for internal server names. We had to create a new FQDN to apply the cert.

Here is a link I was sent that describes the new standard:
https://www.digicert.com/internal-names.htm
arnold commented:
Your router might be different, but the following Cisco link might address your question.

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/70341-manual-add-ssc.html

Often certificate renewal through the issuer is not always possible given the certificate will use the same key as the original CSR.

I believe the above discusses how to add a CA public key and mark it as trusted at which point any other certificate issued by said CA will be trusted by the device including the .....
You have to generate a CSR on the device and then submit it to the issuer to be signed.
gheist commented:
Greedy CAs once discovered 100 certificates for exchange.local and another thousand for 192.168.0.1 so they decided to hide their greedy hands and stop certifying private IPs and names.
btan, Exec Consultant, commented:
Indeed, .local or .internal is not supported, as the "mandated ruling" went in the past, and some resolve to self-signed certs generated from the box instead. You need a CA cert trusted in the box, and having that CA in the trusted root cert store, it should be able to recognise the imported cert issued by that trusted CA.

Hence, either:
• Use the self-signed SSL certificate on the WLC and configure the client stations to accept the certificate.
• Generate a CSR and install a certificate that is signed by a source (a third-party CA) for which the clients already have the trusted root certificates installed. You can do this off line from the WLC with the use of a program like OpenSSL, see this
The most important information that you need to provide correctly is the Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name actually exists in the DNS as well.

The DNS host name must be entered in the WLC under Interfaces > Edit for the virtual interface. This is used to verify the source of certificates when Web Auth is enabled. Reboot the controller to have this change take effect.
And also note the chained cert and version supported:
Support for Chained Certificate

In controller versions earlier than Version 5.1.151.0, web authentication certificates can be only device certificates and should not contain the CA roots chained to the device certificate (no chained certificates). With controller Version 5.1.151.0 and later, the controller allows for the device certificate to be downloaded as a chained certificate for web authentication.

Certificate Levels
• Level 0 - Use of only a server certificate on the WLC
• Level 1 - Use of a server certificate on the WLC and a CA root certificate
• Level 2 - Use of a server certificate on the WLC, one single CA intermediate certificate, and a CA root certificate
• Level 3 - Use of a server certificate on the WLC, two CA intermediate certificates, and a CA root certificate

The WLC does not support chained certificates more than 10KB in size on the WLC. However, this restriction has been removed in WLC Version 7.0.230.0 and later.
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
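As an added illustration (this is not code from the thread, from Cisco, or from any CA), the following Python pre-flight check applies the two rules the answers above turn on before a CSR is sent anywhere: public CAs refuse internal names and non-public IP addresses, and the WLC expects a bundle of one server certificate plus zero to three issuer certificates under 10 KB (for controller versions before 7.0.230.0). The reserved-suffix list, the placeholder PEM bundle, and the assumption that the bundle is ordered server-first are all constructed for this example; the level is inferred only from the count of certificates, not from their contents.

```python
"""Pre-flight checks before submitting a CSR to a public CA or loading a
certificate bundle onto a WLC.  Constructed example for this thread, not
vendor code.  It encodes two rules discussed above: public CAs refuse
internal names / non-public IPs, and the WLC chain-level and 10 KB limits."""
import ipaddress

# Suffixes public CAs treat as internal (RFC 6761 special-use names plus
# common private suffixes).  Assumption: a list chosen for this example,
# not an authoritative CA/Browser Forum list.
RESERVED_SUFFIXES = frozenset({
    "local", "localhost", "internal", "intranet", "lan", "corp", "home",
    "private", "test", "example", "invalid",
})


def is_internal_name(name):
    """True if a public CA would refuse to certify this subject name."""
    name = name.strip().rstrip(".").lower()
    if name.startswith("*."):          # wildcard: judge the base name
        name = name[2:]
    if not name:
        return True
    try:
        # Bare IP in the CSR: only globally routable addresses are accepted.
        return not ipaddress.ip_address(name).is_global
    except ValueError:
        pass                           # not an IP literal, treat as DNS name
    labels = name.split(".")
    if len(labels) < 2:                # single-label host such as "radius01"
        return True
    return labels[-1] in RESERVED_SUFFIXES


def check_csr_names(common_name, sans):
    """Report which requested names a public CA will reject and whether the
    Common Name also appears as a SAN (clients match on SAN, not CN)."""
    names = [common_name] + list(sans)
    rejected = [n for n in names if is_internal_name(n)]
    normalised = {s.strip().rstrip(".").lower() for s in sans}
    cn_in_san = common_name.strip().rstrip(".").lower() in normalised
    return {"rejected": rejected, "cn_in_san": cn_in_san,
            "ok": not rejected and cn_in_san}


PEM_HEADER = "-----BEGIN CERTIFICATE-----"
WLC_MAX_CHAIN_BYTES = 10 * 1024   # limit cited above for pre-7.0.230.0 WLC


def chain_level(pem_bundle):
    """Map a PEM bundle to the WLC 'certificate level' listed above:
    level 0 = server cert only ... level 3 = server + two intermediates + root.
    Assumption: the bundle holds one server cert followed by its issuers,
    so the level is simply (number of certificates - 1)."""
    count = pem_bundle.count(PEM_HEADER)
    size = len(pem_bundle.encode("utf-8"))
    return {
        "certificates": count,
        "level": count - 1 if 1 <= count <= 4 else None,   # None = unsupported
        "bytes": size,
        "over_wlc_limit": size > WLC_MAX_CHAIN_BYTES,
    }


def _fake_pem(n_certs, body_lines=3):
    """Constructed placeholder bundle (not real certificates) for the demo."""
    body = "\n".join(["MIIB" + "A" * 60] * body_lines)
    block = f"{PEM_HEADER}\n{body}\n-----END CERTIFICATE-----\n"
    return block * n_certs


if __name__ == "__main__":
    # Constructed names: the .local SAN is the one a public CA will refuse.
    print(check_csr_names("wlc.example.com", ["wlc.example.com", "wlc.local"]))
    print(chain_level(_fake_pem(3)))   # server + intermediate + root -> level 2
```

Run it against the names you intend to put in the CSR before generating the key pair; a rejected entry means the request will bounce at the CA regardless of how the CSR is built, and a CN missing from the SAN list will fail hostname matching on modern clients even if the CA issues it.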

Damon Rodriguez, Director of Business Technology (Author), commented:
The other part to this is that we are forced to baby the user population to extremes, and any change like this that requires them to press 'Verify certificate' and move on with their lives is labeled as 'disruptive' to their workflow. This only really affects iOS devices, as Android usually ignores this and Windows has the intermediate and root certs installed as part of normal patching.

Thanks again for the feedback.