Cisco ACS-Certificate History
CERTIFICATE HISTORY IN ACS
please note that the ACS will always send back the whole certificate chain.
The procedure for CA certificate install on ACS is documented here:
https://supportforums.cisco.com/servlet/JiveServlet/previewBody/13545-102-1-30993/IBNS%20Phased%20Implementation%20Configuration%20Guide.pdf
The procedure for CA certificate install on ISE is documented here from page 13 onwards:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
The certificate errors occur when the client is not having the CA certificate in the client trusted certificate store.
For example with windows (same will apply to Android as well, but you can search the details on the Android forums via Google search, since this is client side issue):
If the ACS certificate is signed by an external CA server like verisign, then the windows client PC by default should have this CA server in the list, and you can select/check mark the CA server in the Trusted Root Certification authorities list on the windows client PC.
If the certificate issued to ACS is from unknown CA server which is not on client side, you can then export the CA server certificate by running the following command on your CA server:
certutil -ca.cert c:\temp\domain-SERVERNAME-CA.cer
On the Windows 7 client for example, you can use the Certificates MMC snap-in to import it into the user's Trusted Root CA Certificate Store
(run MMC.EXE, File -> Add/Remove Snap-in -> Certificates -> My User Account -> Trusted Root Certification Authorities -> Certificates -> right-click -> All Tasks -> Import).
On your Win 7 client PC, from the network properties settings, if you go to security tab, and click on the "settings" option next to Protected EAP (PEAP).
Under Trusted Root Certification authorities, you should then see and check mark your ACS local-certificate in the list.
Also refer to microsoft article:
http://support.microsoft.com/kb/2518158
For third party certs, you can export the certificate of the CA that issued the certificate to the authentication server to a file. Copy the file to the workgroup machine and then run the following command from an elevated Command Prompt:
certutil -enterprise -addstore NTAuth CA_CertFilename.cer
-----------------------------------------------------------------------------------------------------------------------------
1.go to localserver cert>create CSR with
Field Field Name Min. Length Max. Length Required?
CN commonName 1 64 Yes
OU organizationalUnitName — — No
O organizationName — — No
S stateOrProvinceName — — No
C countryName 2 2 No
E emailAddress 0 40 No
L localityName — — No
2.bind this ce
please note that the ACS will always send back the whole certificate chain.
The procedure for CA certificate install on ACS is documented here:
https://supportforums.cisco.com/servlet/JiveServlet/previewBody/13545-102-1-30993/IBNS%20Phased%20Implementation%20Configuration%20Guide.pdf
The procedure for CA certificate install on ISE is documented here from page 13 onwards:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
The certificate errors occur when the client is not having the CA certificate in the client trusted certificate store.
For example with windows (same will apply to Android as well, but you can search the details on the Android forums via Google search, since this is client side issue):
If the ACS certificate is signed by an external CA server like verisign, then the windows client PC by default should have this CA server in the list, and you can select/check mark the CA server in the Trusted Root Certification authorities list on the windows client PC.
If the certificate issued to ACS is from unknown CA server which is not on client side, you can then export the CA server certificate by running the following command on your CA server:
certutil -ca.cert c:\temp\domain-SERVERNAME-CA.cer
On the Windows 7 client for example, you can use the Certificates MMC snap-in to import it into the user's Trusted Root CA Certificate Store
(run MMC.EXE, File -> Add/Remove Snap-in -> Certificates -> My User Account -> Trusted Root Certification Authorities -> Certificates -> right-click -> All Tasks -> Import).
On your Win 7 client PC, from the network properties settings, if you go to security tab, and click on the "settings" option next to Protected EAP (PEAP).
Under Trusted Root Certification authorities, you should then see and check mark your ACS local-certificate in the list.
Also refer to microsoft article:
http://support.microsoft.com/kb/2518158
For third party certs, you can export the certificate of the CA that issued the certificate to the authentication server to a file. Copy the file to the workgroup machine and then run the following command from an elevated Command Prompt:
certutil -enterprise -addstore NTAuth CA_CertFilename.cer
-----------------------------------------------------------------------------------------------------------------------------
1.go to localserver cert>create CSR with
Field Field Name Min. Length Max. Length Required?
CN commonName 1 64 Yes
OU organizationalUnitName — — No
O organizationName — — No
S stateOrProvinceName — — No
C countryName 2 2 No
E emailAddress 0 40 No
L localityName — — No
2.bind this ce
0 Response to "Cisco ACS-Certificate History"
Post a Comment