NAC Certificates - Windows 2003 CA

r.robins
Level 1

Hi,

Can anyone tell me if/how to generate/install a certificate from our internal Windows-based certificate authority?

We have redundant CAM and CAS and need to deploy to a production environment, but the only certificate is the default Perfigo one that the appliances come with.


srue
Level 7

you really should read the documentation guides for this info. the nac appliances are very sensitive to the order in which certificates are installed in the larger process of a nac deployment.

here's what i usually do though:

1. create self-generated certs (which also creates a CSR) using the information you want to be put into the final cert (same hostname, IP, etc etc)

(since you're using HA, be sure to create a CSR based on the SHARED IP or hostname)

2. export CSR and private key from one CAM and one CAS

3. use CSR to request cert from 3rd party cert vendor

4. import requested cert into both CAMs and CASs, and import the private key to the other CAS/CAM whose CSR was not used to request 3rd party cert

5. import root cert of 3rd party cert vendor into all appliances

...from here, you can configure HA and add the CAS to the CAM in the orders outlined in the config guides. READ IT VERY CAREFULLY.

anyone else have anything to add? it's been a while so i might be leaving a step or two out.

http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html

Sorry, I may have been a little vague.

Our internal CA server has a root cert from verisign, what we want to do is create a cert for the NAC appliances on our own CA.

Is this possible? If so, how?

you can still use your internal CA to issue certs, but in CA terms, unless you paid for the correct cert, your internal CA server is not a 'subordinate' CA for verisign. but as long as all your PCs going through nac have the domain root cert installed, it should avoid the SSL Cert warning you would otherwise get.

Can you tell me how to do this?
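
The checks implied by the five steps and the internal-CA reply above, as an added example that is not part of any post in this thread: before importing, confirm that the certificate matches the private key, names the shared HA hostname, and chains to the root that clients trust. It assumes the openssl command-line tool; the hostnames are constructed and a throwaway lab CA stands in for the Windows CA.

```bash
#!/usr/bin/env bash
# Added example. Every name and file here is constructed; a throwaway openssl CA
# stands in for the internal CA, and nothing is sent to a real appliance.
set -eu
SERVICE_NAME="nac-cam.example.internal"   # constructed shared (HA service) hostname
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT                   # lab private keys do not outlive the run

make_lab_ca() {      # stand-in for the internal root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Lab Root CA" \
    -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
}
make_csr() {         # steps 1-2: key pair + CSR; $1 = file prefix, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
issue_cert() {       # step 3: the CA signs the CSR; $1 = file prefix
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -CAcreateserial -days 30 -out "$W/$1.pem" 2>/dev/null
}
key_matches_cert() { # before step 4: same public key in key file and cert?
  k=$(openssl pkey -in "$1" -pubout | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}
cert_cn() {          # subject CN of a certificate
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  s=${s##*CN=}; printf '%s\n' "${s%%,*}"
}
chains_to() {        # step 5: does the cert verify against this root? $1 = root, $2 = cert
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_lab_ca
make_csr shared "$SERVICE_NAME"
issue_cert shared
make_csr node "nac-cam-node2.example.internal"   # constructed per-node name, never signed

key_matches_cert "$W/shared.key" "$W/shared.pem" && echo "key/cert pair: match"
key_matches_cert "$W/node.key" "$W/shared.pem"   || echo "wrong key for this cert: caught"
[ "$(cert_cn "$W/shared.pem")" = "$SERVICE_NAME" ] && echo "CN is the shared name"
chains_to "$W/ca.pem" "$W/shared.pem"            && echo "chains to lab root"
```

The same three checks apply unchanged to a key exported from an appliance and a certificate returned by the real CA, given as PEM files.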
