Self Signed Certificate for CCA (NAC) CAM

Unanswered Question
Sep 20th, 2008

Hi,

I recently upgraded my CCA servers to 4.1.6 and it wants me to replace the temporary cert on the CAM. I have replaced it with a cert I have signed with my CA and uploaded my CA Cert into the CAM and the CAS.

The CAM is happy, and my web browser will verify the cert, however I can't get communication between the CAM and CAS to work. Anyone had any luck with this?

cleidh_mor Sun, 09/21/2008 - 23:44

Hi Peter,

Are your CAS certs signed by the CA too? Is there anything in the CAM log about certificate errors?

Cheers,

Peter Yardley Mon, 09/22/2008 - 20:44

Hi,

Yes I had loaded my CA cert into NAC as a CA Authority but I found another problem, to do with upgrading to 4.1.6, which is probably giving me grief and I'm waiting for the TAC to solve that one before I try again.

nasim_nasri Mon, 10/06/2008 - 21:26

Did you find the solution for it?

I am also looking for it. It is really a pain to first produce certificates from any CA server and then do this.

Peter Yardley Thu, 10/16/2008 - 20:41

Got my cert to work after fixing my other problem.

The other problem was a single space after -----End Certificate----- in the cert I bought for the CAS.

My formula for creating a self-signed cert was:

# Create a private key and certificate request
# for your own CA:
openssl req -new -newkey rsa:2048 -out ca.csr -keyout ca.key

# Create your CA's self-signed certificate
# Set the days to 3650 so it will last 10 years
openssl x509 -trustout -signkey ca.key -days 3650 -req -in ca.csr -out ca.pem

# Edit ca.pem so that the strings "TRUSTED CERTIFICATE" read "CERTIFICATE"

# Generate a key for the server cert
openssl genrsa -out server.key 2048

# Generate a cert signing request for the server
openssl req -new -key server.key -out server.csr

# Sign the request using your CA
# ca.srl contains something like 02 (the file must exist before this command runs)
openssl x509 -req -in server.csr -CA ca.pem -days 3650 -CAkey ca.key -CAserial ca.srl -out server.pem

You prolly want to edit your openssl.cnf first and fill in some of the defaults.
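
The trailing space after the END line described above, and the TRUSTED CERTIFICATE label that the procedure edits by hand, can both be checked for before a PEM file is uploaded. This is an added example, not part of the original thread; the function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): lint PEM files before uploading them.

# pem_lint FILE: print findings, return 1 if any were found.
pem_lint() {
    local f=$1 rc=0
    # Space, tab or CR after the closing dashes of a BEGIN/END line.
    if grep -qE '^[[:space:]]*-----(BEGIN|END) [A-Z0-9 ]+-----[[:space:]]+$' "$f"; then
        echo "$f: whitespace after a BEGIN/END line"; rc=1
    fi
    # Whitespace in front of a BEGIN/END line.
    if grep -qE '^[[:space:]]+-----(BEGIN|END) ' "$f"; then
        echo "$f: whitespace before a BEGIN/END line"; rc=1
    fi
    # Label written by "openssl x509 -trustout".
    if grep -qE '^[[:space:]]*-----(BEGIN|END) TRUSTED CERTIFICATE-----' "$f"; then
        echo "$f: TRUSTED CERTIFICATE label"; rc=1
    fi
    return "$rc"
}

# pem_trim FILE: print FILE with leading and trailing whitespace
# (including CR from Windows line endings) removed from every line.
pem_trim() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# write_sample FILE: constructed sample with one space after the END line.
# The body is filler text, not a real certificate.
write_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=' \
        '-----END CERTIFICATE----- ' > "$1"
}

demo() {
    local dir; dir=$(mktemp -d)
    write_sample "$dir/cas.pem"
    pem_lint "$dir/cas.pem" || echo "-> trimming"
    pem_trim "$dir/cas.pem" > "$dir/cas.fixed.pem"
    pem_lint "$dir/cas.fixed.pem" && echo "$dir/cas.fixed.pem: clean"
    rm -rf "$dir"
}
demo
```

pem_trim only removes whitespace; it does not rename a TRUSTED CERTIFICATE label, which pem_lint reports so it can be handled as in the procedure above.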
