CA problem with NAC

Answered Question
Dec 15th, 2009

Hello there,

I'm using an internal CA (Microsoft Win 2003 CA) to provide SSL certificates to NAC. The problem is that end users are still getting warnings on login to the network, the same way as when I was using the Perfigo Certificate. I've tried to install the server certificate on clients, but the CA still seems to be untrusted. Does this mean that I have to buy certificates from trusted authorities like Verisign, or is there still something I can do to my CA? Please help.


regards,

Stanslaus.

Faisal Sehbai Tue, 12/15/2009 - 10:06

Stanslaus,


You need to take the Root certificate and install that on the clients.


HTH,

Faisal

IT_Data_CorporateNet Tue, 12/15/2009 - 10:27

Hi Faisal,

Thanks for your reply. See the attachment. When on clients I click on "To trust certificates issued from this certification authority, install this CA certificate." I'm not very good at setting up PKI. How do I get and install the root certificate? My CA is a Standalone Root CA.


Thanks.

Stanslaus.

Correct Answer
Faisal Sehbai Tue, 12/15/2009 - 10:37

Stanslaus,


If you click on that link, does it tell you to download a cert?


If so, take that file to the client and double click on it. It should install in the correct store automatically.


HTH,

Faisal

IT_Data_CorporateNet Tue, 01/19/2010 - 00:04

Hi Faisal,

Happy new year 2010!!

I was on leave and had no time to work on this.

Thanks for your assistance. I had two warnings: one was that "The Certificate was not from a trusted authority" (resolved by your last reply) and the other says that "The Certificate does not match the site you are viewing". This is still persisting. Please let me know if you know the reason.


regards,

Stanslaus.

Correct Answer
Faisal Sehbai Sat, 01/23/2010 - 20:22

Stanslaus,


The second problem will come up if you're trying to access the device in question with a name that is different than what the cert says the name should be. For example if your cas is named cas1.abc.com and you try to access it with the url consisting of the ip address for that CAS, you will see that message. Ensure that the CN you have for the certificate is what you're using to access the CAS and you shouldn't see that problem.


HTH,

Faisal

IT_Data_CorporateNet Sun, 01/24/2010 - 09:59

Thanks Faisal,

At the beginning I created certificate requests using the FQDN of the appliances as CN. Although I could access the appliances using FQDNs, for some reason the CAS was redirecting using the IP address. I've recreated the certificates using IPs as CNs and now it is working fine. Thank you very much for your support.


regards,

Stanslaus.

rhobab Mon, 02/22/2010 - 08:41

Hello. Could you help on how you managed to get the Microsoft CA to issue certificates for NAC? I'm having trouble installing them in NAC and am not sure that I am requesting them correctly.


Thanks


Victor

IT_Data_CorporateNet Fri, 02/26/2010 - 04:53

Hi Victor,

What error are you getting during the certificate import? You need to create an X509 Certification Request (for CAS and also for CAM) under the SSL certificate section. Export the request (remember to select the Private Key also during the export of the request).


Then follow the steps in the following link:


http://technet.microsoft.com/en-us/library/cc736590%28WS.10%29.aspx


After getting the certificate, follow the steps to import the certificate outlined in the NAC Configuration Guide.


regards,

Stanslaus.

rhobab Fri, 02/26/2010 - 06:35

Hello


I have managed to solve the problem. I had to convert the certificates supplied by the Microsoft CA from DER to PEM.


Victor
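
The DER versus PEM mismatch described in the post above, as an added example that is not part of the original thread and is not Cisco or Microsoft tooling: it checks which encoding a certificate file uses and produces PEM either way, using Python's standard `ssl` module. The function names are hypothetical, and `SAMPLE_DER` is a constructed placeholder with certificate-like DER framing, not a real certificate.

```python
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed placeholder: a well-formed outer DER SEQUENCE with 256 filler
# bytes. It has the framing of a certificate file but is NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))


def der_total_length(data: bytes) -> int:
    """Size in bytes that the outer DER SEQUENCE header says the object has."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                          # short form: length in one byte
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_encoding(data: bytes) -> str:
    """Classify certificate file bytes as 'PEM' or 'DER'; raise if neither."""
    if PEM_HEADER.encode() in data:
        return "PEM"
    if der_total_length(data) != len(data):
        raise ValueError("DER length does not match file size")
    return "DER"


def to_pem(data: bytes) -> str:
    """Return PEM text for a certificate file that is either DER or PEM."""
    if detect_encoding(data) == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    text = data.decode("ascii")
    pem = text[text.index(PEM_HEADER):].strip() + "\n"
    der = ssl.PEM_cert_to_DER_cert(pem)       # raises ValueError on bad armor
    if der_total_length(der) != len(der):
        raise ValueError("PEM payload is not a complete DER object")
    return pem


if __name__ == "__main__":
    print(detect_encoding(SAMPLE_DER))
    print(to_pem(SAMPLE_DER))
```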
