ACS 4.1 - CA Certificate

Sep 20th, 2007

Hi NetPro,

Does anyone know whether ACS 4.1 - Generate Self-Signed Certificate and Generate Certificate Signing Request are only valid for 1 year? How about 1 year later? If I regenerate the certificate, will it affect my current authenticated users? For example, will users be unable to connect with PEAP after the certificate has expired?

Your reply will be highly appreciated.

Thanks.



andrew.brazier@... Fri, 09/21/2007 - 06:53

Interesting question. I would say a connected user would be OK until they next reauthenticate, at which point it will fail. If you generate a new self-signed cert you will also have to install the matching root cert on all your clients = major hassle.

A better idea is to buy a cert with a long enough lifetime to last the lifetime of your solution. I always use for my certs, a 5 year cert is about $300 and the root cert is already built into Windows, Macs, etc., so no need to touch the clients.

Jagdeep Gambhir Sun, 09/23/2007 - 19:50

When you use a self-signed certificate, you will always get a validation period of one year. This is a non-configurable setting and a limitation of using self-signed certificates.

It takes no more than 2/3 mins to install the self-signed cert again, so during that phase users will not be able to authenticate.



rmarg Sun, 09/23/2007 - 19:53

Leveraging ACS's built-in certificate authority is great for testing and if you have a small group of laptops or handhelds. However, for larger installs that leverage AD for authentication, you are better off using Windows 2000 or Windows 2003 certificate authority functionality; otherwise you will have to regenerate the certificate and then install this new certificate into the certificate root store of each machine that does PEAP authentication.

Follow this document if you have any questions about installing or configuring MS-PEAP with ACS 4.0 and Windows 2003 Directory Services.

I wrote the procedures if you have any questions.

ney25 Mon, 09/24/2007 - 05:30


Thanks for the reply, but I feel something is not right. For instance, although my ACS 4.1 has an expiry date, for my client profile I didn't choose any CA server for authentication, which means my client didn't use phase 2 security, which uses a certificate for authentication. So, will it face an authentication problem after 1 year?

Thanks a lot.



rmarg Mon, 09/24/2007 - 05:41

Got it. Let me force expiration on my ACS server, but my gut feeling is that because you do not validate the CA on the client, you will just need to regenerate the certificate and you will be good to go. However, for best practices I would recommend you leverage the CA certificate and check that box, otherwise your information is being sent unencrypted (unless you have a VPN session after connecting).

ney25 Mon, 09/24/2007 - 15:55

Hi rmarg,

Wow, the topic is getting interesting now. OK, I get what you mean, but I have implemented WPA2 in my AP, and for the client profile I did choose WPA2-Enterprise. So, is this considered unencrypted as well?



