NAC Certificates - Windows 2003 CA

Unanswered Question
Jun 16th, 2009

Hi,

Can anyone tell me if/how to generate/install a Certificate from our internal windows based certificate authority.

We have redundant CAM and CAS and need to deploy to a production environment but the only certificate is the default perfigo that the appliances come with.

srue Tue, 06/16/2009 - 11:51

you really should read the documentation guides for this info. the nac appliances are very sensitive to the order in which certificates are installed in the larger process of a nac deployment.

here's what i usually do though:

1. create self-generated certs (which also creates a CSR) using the information you want to be put into the final cert (same hostname, IP, etc etc)

(since you're using HA, be sure to create a CSR based on the SHARED IP or hostname)

2. export CSR and private key from one CAM and one CAS

3. use CSR to request cert from 3rd party cert vendor

4. import requested cert into both CAMs and CASs, and import the private key to the other CAS/CAM whose CSR was not used to request 3rd party cert

5. import root cert of 3rd party cert vendor into all appliances

...from here, you can configure HA and add the CAS to the CAM in the orders outlined in the config guides. READ IT VERY CAREFULLY.

anyone else have anything to add? it's been a while so i might be leaving a step or two out.

http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html
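The CSR, sign and import cycle from the steps above, as an added example in shell with the openssl CLI (not from the post or the Cisco guides). A throwaway self-signed root stands in for the internal Windows CA, and nac-shared.example.com / 10.0.0.10 are constructed stand-ins for the HA shared hostname and IP; the two check functions catch the two mistakes the steps warn about: a cert that does not belong to the private key copied to the HA peer, and a cert that does not chain to the root installed on the appliances and client PCs.

```shell
#!/bin/sh
# Added example (not from the post): a throwaway self-signed root stands in for the
# internal Windows CA; nac-shared.example.com / 10.0.0.10 are constructed stand-ins
# for the HA shared hostname and IP. Needs the openssl CLI.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Request config: CN and SAN carry the SHARED name/IP, not either peer's own.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = nac-shared.example.com
[san]
subjectAltName = DNS:nac-shared.example.com,IP:10.0.0.10
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF

# Step 1: one private key + CSR, generated once and later shared by both HA peers.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
  -keyout "$WORK/nac.key" -out "$WORK/nac.csr" 2>/dev/null

# Stand-in for the internal CA (constructed; a real deployment submits the CSR to it).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/req.cnf" \
  -subj "/CN=Internal Root CA (constructed)" -extensions ca \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Step 3: the CA signs the CSR, keeping the SAN from the request.
openssl x509 -req -in "$WORK/nac.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/req.cnf" -extensions san \
  -out "$WORK/nac.crt" 2>/dev/null

# Step 4 check: the issued cert must belong to the key you export to the other peer.
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)" = \
    "$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)" ]
}

# Step 5 check: the cert must chain to the root that goes on every appliance and PC.
cert_chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_matches_key "$WORK/nac.crt" "$WORK/nac.key" && echo "cert matches private key"
cert_chains_to_root "$WORK/ca.crt" "$WORK/nac.crt" && echo "cert chains to internal root"
openssl x509 -noout -text -in "$WORK/nac.crt" | grep -A1 'Subject Alternative Name'
```

Run the same two checks against the cert and key you actually import into the second CAM/CAS before configuring HA; a mismatch there is what produces the certificate errors the guides warn about.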

r.robins Wed, 06/17/2009 - 00:51

Sorry, I may have been a little vague.

Our internal CA server has a root cert from verisign, what we want to do is create a cert for the NAC appliances on our own CA.

Is this possible, if so how ?

srue Wed, 06/17/2009 - 04:53

you can still use your internal CA to issue certs, but in CA terms, unless you paid for the correct cert, your internal CA server is not a 'subordinate' CA for verisign. but as long as all your PCs going through nac have the domain root cert installed, it should avoid the SSL Cert warning you would otherwise get.
