ACS self-signed certificates - renewals?

Unanswered Question
May 13th, 2009

We are using the ACS self-signed certs - good for 1 year. We are using PEAP and when configuring the wireless users, we disable the option to "prompt user to authorize new servers or trusted cert authorities."



Is there a way to renew the cert (or generate a new cert) and not require a physical visit to the computer to redo the wireless setup?


Perhaps a way to generate a new cert that is named the same as the existing cert? Maybe then I could push out the cert via a GPO.


Thanks for any help....our cert will be expiring in the month (or so) and we are trying to figure out a game plan that doesn't involve touching every computer.

George Stefanick Wed, 05/13/2009 - 21:14

Yes, get a signed certificate from like Entrust or someone else. Funny, I was just working on rolling out a new signed cert this evening.


Are your clients configured to check server-side certs? Just checking how you have it configured ...


Your best bet: sign the cert, go out a few years and don't have to worry about it for a bit ...

mdcole Thu, 05/14/2009 - 05:33

Yes, they are validating the server cert, just not able to authorize new servers or certs. Using Windows wireless config, it's the check box under the list of cert authorities. It says "Do not prompt user to authorize new servers or trusted certification authorities." and we have that box checked - so the users can't accidentally authorize a rogue server (man in middle or impersonation attacks).


They recently switched from LEAP to PEAP and since they were already using ACS, they wanted to continue using it.


We had looked at purchasing a 3rd party cert from Verisign (or other), but at the time they weren't sure what they wanted to do or if they wanted to spend the money and commit to a longer term (3 year) cert.


Now that they know they can get a free cert from the ACS server, they are less inclined to go buy a cert. They also don't have a MS cert server setup, or else they could just create their own.


Apparently somebody from Cisco told them that they could just renew the existing cert and as long as it was named the same it would be fine, or that the users may get prompted to accept the new cert.


Well, with that option disabled in the wireless config, I don't think the users will get the prompt or the option to accept the updated cert.

Robert.N.Barrett_2 Thu, 05/14/2009 - 00:23

If you are disabling the option to authorize the server, then are your clients even validating the cert? If the clients are not validating the cert, then why worry about the cert expiration?


mdcole Thu, 05/14/2009 - 05:37

Yes, they are validating the cert.


Using Windows config, in the PEAP properties window there are several options - the first is to validate the server cert. That option is checked.


Under trusted root cert authorities, the server is listed and checked.


Under that is the option to "Do not prompt user to authorize new servers or trusted certification authorities." That option is checked - apparently to minimize the risk that the user could be subjected to a man-in-the-middle attack or a rogue AP impersonating the true network.

Robert.N.Barrett_2 Thu, 05/14/2009 - 06:56

Seems like you could also use OpenSSL to create a "self-signed" cert, and you could probably specify a much longer timeframe.


If you go the ACS-generated self-cert route, seems like you'll have to touch all the wireless clients each year. You might want to check out how to push the new cert to the clients (so they automagically trust it) via GPO. Since you are using AD and WZC, I highly recommend using a GPO to control your wireless settings. You can kill support for Ad-Hoc networks and force your "corporate" profile to always be the highest priority. You can also force the config of your corporate profile with GPO. It's really nice.


mdcole Thu, 05/14/2009 - 07:08

I'm actually running a similar setup on another network. Basically used the George Ou TechRepublic guide for PEAP - self signed certs from the IIS 6 resource kit, pushing out the cert and settings via GPO, and authenticating to win 2k3 server using IAS.


For some reason this network doesn't want to go that route. I guess they are comfortable with ACS and don't want to have to learn something new.


I'll have to look into OpenSSL. I looked at using an IIS 6 generated cert, but ACS doesn't support import of that cert - don't remember if it's because it isn't a recognized authority, or if the format of the cert was not compatible. Either way, ACS wouldn't allow me to import it.


I cautioned them about the 1 year expiration date - this is the 2nd time they've had to do it, but last year was easier as they were doing a relocation and roll-out and already had to touch every computer.


I will try to convince them to look at using a GPO for the cert and settings, or at least purchase a longer cert from a 3rd party.


I take it that I'm correct about the settings prohibiting the ability to renew the cert in ACS and have it work?


Without the users being able to get prompted and authorize the new cert they will just stop working after the current cert expires, and the new cert will need to be installed and the wireless settings will have to be changed?

George Stefanick Thu, 05/14/2009 - 20:52

I would leverage a 3rd party cert, set it for 3 - 4 years and be done with it... The time you spent on this just paid for the cert! lol


Good luck

mdcole Tue, 05/19/2009 - 08:52

Thanks, they are interested in looking at the 3rd party route.


Can anybody tell me the requirements for the 3rd party cert? I believe they use Verisign for their certs, but they are asking which option they should use.


Also, does anybody know the usual cost and turn around for ordering this? I figured it may be quick, but I've seen that they may take a while to process - is it hours, days, weeks?



Erick Delgado Wed, 06/03/2009 - 13:45

Hi,


The kind of certificate is a regular server certificate.


You could use Windows 2003 as a CA, which is a lot cheaper than getting one of those, and you can make the certificate for as many years as you want.


Please see the link below, which explains how certificates need to be requested and how to use Windows 2003 as a CA.


http://tinyurl.com/9hq4r



If you decide to use another CA you will need the following instructions


Step 1: Create a Certificate Signing Request


Complete these steps:


1. Choose System Configuration > ACS Certificate Setup > Generate Certificate Signing Request.

2. Enter a name in the Certificate subject field with the cn=name format.

3. Enter a name for the private key file.

   Note: The path to the private key is cached in this field. If you press submit a second time after the CSR is created, the private key is overwritten and does not match the original CSR. This results in a "private key does not match" error message when you attempt to install the server certificate.

4. Enter the private key password and confirm it.

5. Choose a key length of 1024.

   Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in Cisco Secure ACS, but the client hangs while authentication is attempted.

6. Click Submit.

7. Copy the CSR output on the right-hand side for submittal to the CA.


Once this has been created you send it to the CA and they know what to do.


If you need any assistance let me know.
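
Added example, not part of any post in this thread: it goes beyond the self-signed renewal asked about and also covers the private-CA route suggested above, showing why a regenerated self-signed cert "named the same" is rejected while yearly renewals under one long-lived root keep validating. Assumptions: the names `acs.example.test` and `Example Wireless Root` are constructed, 2048-bit keys are this example's choice, and `openssl verify` stands in for the client's "validate server certificate" check.

```shell
#!/bin/sh
# Added example. Constructed names: acs.example.test, "Example Wireless Root".
# `openssl verify` stands in for the client's "validate server certificate" check.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed server cert: the cert itself is the client's only trust anchor.
make_self_signed() {  # $1 = output name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=acs.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Long-lived private root: the one certificate that would be pushed to clients.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Wireless Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Server cert issued under the root, with a fresh key pair on every call.
issue_server() {  # $1 = output name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=acs.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -sha256 -days 365 \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Exit status 0 only if cert $2 validates with $1 as the sole trusted anchor.
trusted_by()  { openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; }
subject()     { openssl x509 -in "$WORK/$1.pem" -noout -subject; }
fingerprint() { openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256; }

report() {  # $1 = anchor, $2 = cert
  if trusted_by "$1" "$2"; then r=accepted; else r=REJECTED; fi
  echo "anchor=$1 cert=$2 -> $r"
}

make_self_signed old; make_self_signed new   # "renewal" with the same name
make_root; issue_server year1; issue_server year2

subject old; subject new              # identical subject lines
fingerprint old; fingerprint new      # different certificates
report old old; report old new        # the renewed self-signed cert is rejected
report root year1; report root year2  # both renewals chain to the same root
```

With a root in place, only the root certificate has to reach the clients once (for example via GPO, as discussed above); later server renewals change nothing on the client side.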

