NAC Certificate Problems

Mar 2nd, 2009

There is a default Perfigo root CA certificate that comes with the installation of NAC. I have now purchased a valid VeriSign CA cert. When I import the root CA into trusted CAs it is accepted; however, when I generate a cert request, get it back from the CA and try to import the NAS/NAM approved web server cert, I get an error: cannot validate cert. I then try to delete the Perfigo default cert and it will not let me; it reports that it is in use. Any ideas how to delete the Perfigo temp certificate?

gabrielbryson Wed, 03/04/2009 - 01:19

I thought I saved a copy of the error, but did not. I don't have access to the appliances at the moment to recreate the error.

I am not installing the same cert on the NAM and NAS; I have purchased a separate cert for each.

I think my biggest problem is that it will not let me delete the Perfigo cert.

One thing I noticed is that in the online guide, in the list of root certs, there are plenty of entries; on mine (v4.5) there is only the Perfigo CA. Is that correct?

srue Wed, 03/04/2009 - 06:32

Generate a temp cert locally on the appliance using all of the correct information; if using HA, use the shared/service IP.

Export the CSR (cert signing request). Use this to request the cert from VeriSign.

Import the 3rd party cert back into each appropriate appliance.

Make sure you click the "install and verify" newly uploaded certs button if necessary.

Uploading a new/correct cert should overwrite the Perfigo self-generated cert, but not the Perfigo root.

If you are using self-generated certs on any appliance, I would recommend not removing the Perfigo root cert.

srue Wed, 03/04/2009 - 06:33

By the way, you will need to manually upload/install the VeriSign root cert to each appliance.

gabrielbryson Wed, 03/04/2009 - 06:39

Thanks, I have done all of that. If I can recall the error message, when I try to install the approved web server cert, it relates to verification. (Version 4.5) does not have the verification button anymore? Would it be possible that the NAM and NAS have to have internet access to verify the root CA?

Daniel Laden Wed, 03/04/2009 - 20:31
Cisco Employee

The NAC Server does not contact anyone to validate the certificate. Did you load the root certificate before the CA-signed certificate?

Starting with 4.5, Perfigo is the only installed CA root. If it has been an upgrade to 4.5, all the legacy CA roots would be listed as well.

gabrielbryson Fri, 03/06/2009 - 01:52

Yes, I did install the root CA cert first. I will have access to the appliances again tomorrow and will try the process again from scratch...
