Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
974
Views
0
Helpful
7
Replies

NAC certiicate warning message

Go to solution
arumugasamy
Level 1
Level 1

‎02-23-2010 02:28 AM - edited ‎02-21-2020 03:53 AM

Hi all,

After upgradeding the NAC from 4.1.3 to 4.7.2, When the NAC agent login, we are getting the warning message as below

certificate issues by www.perfigo.com is suitable for test lap but production we have to go for CA certificate. Customer not interested to go for the CA one.

How to resolve this issue?

Thx in advance

swami

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Faisal Sehbai
Level 7
Level 7

‎02-23-2010 07:02 AM

Swami,

That message will show up when you administer the CAS or the CAM, and you have the perfigo cert in the Trusted Root Stores of those devices. Only way to get rid of it is to remove the perfigo cert from the root store, but if you do that, you have to move to another CA or use true self-signed certs.

To avoid the clients getting the untrusted warning messages you will have to add the root certificate (either perfigo or if self-signed, the identity cert itself) to the client machine's Trusted root stores.

HTH,

Faisal

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Faisal Sehbai
Level 7
Level 7

‎02-23-2010 07:02 AM

Swami,

That message will show up when you administer the CAS or the CAM, and you have the perfigo cert in the Trusted Root Stores of those devices. Only way to get rid of it is to remove the perfigo cert from the root store, but if you do that, you have to move to another CA or use true self-signed certs.

To avoid the clients getting the untrusted warning messages you will have to add the root certificate (either perfigo or if self-signed, the identity cert itself) to the client machine's Trusted root stores.

HTH,

Faisal

0 Helpful

Go to solution
arumugasamy
Level 1
Level 1
In response to Faisal Sehbai

‎02-23-2010 11:20 AM

Faisal,

How to remove the certificate. Customer during login getting this message again and again. Since it is upgrade from 4.1.3-4.6.1 to 4.7.2, I think that except the CA of perfigo.com, there are other temporary certificates created during the CAM and CAS installation so that it is possible to remove the perfigo CA from both the CAS,CAM device. CAS is in HA and CAM is in standalone. It wound not certainly make any problem for  user login.

Thx.

0 Helpful

Go to solution
Faisal Sehbai
Level 7
Level 7
In response to arumugasamy

‎02-23-2010 11:24 AM

Swami,

Look at the SSL tab on your CAS and CAM. Look at the magnifying glass icon on the right hand side. It will tell you the details of the certificate. If the "Issuer" is Perfigo, then you can't remove the perfigo certificates from the Trusted root stores, or else it will break things.

If the issuer is the IP itself of the device, then it's a true self-signed cert and you can remove perfigo from the Trusted root stores.

Best would be if you can open a TAC case and an engineer can go through with you over this, otherwise make sure you have some downtime scheduled or known before hand, before you venture removing/adding certs

HTH,

Faisal

0 Helpful

Go to solution
arumugasamy
Level 1
Level 1
In response to Faisal Sehbai

‎02-23-2010 11:35 AM

Faisal,

Thank you very much for your information. Let me verify it tomorow and update you.

Thx lot.

0 Helpful

Go to solution
arumugasamy
Level 1
Level 1
In response to Faisal Sehbai

‎02-24-2010 01:41 AM

Faisal,

I collected the details from the CAM. and the same is attached here. We can find 2 certificates one created with CAM IP and another created with perfigo.com during the upgrade process.

Can you confirm me and explain me where to go to delete the certificate. In that CAM-ssl window there is no delete button I found only view button with magnifying class icon.


I am waiting for yout reply.

Also I am very thankful for your information on ACS replication problem one of my colleague facing with the customer.

Thx

swami

0 Helpful

Go to solution
arumugasamy
Level 1
Level 1
In response to Faisal Sehbai

‎02-24-2010 04:17 AM

Faisal,

Pls find attached CAM SSL certificate and CA details.if we can delete perfigo CA then pls tell how can we delete it from CAM ssl window.

Thx

Preview file
3751 KB
0 Helpful

Go to solution
Faisal Sehbai
Level 7
Level 7
In response to arumugasamy

‎02-25-2010 09:31 AM

Swami,

That's just one identity cert and one root cert that shows up in the screen captures you shared. Perfigo is the root cert and the other cert with IP in it is the identity cert.

Since you're using perfigo, you can't delete it from your Trusted Certificate Authorities from either the CAS or the CAM, otherwise your setup will break. If you really want to get rid of the perfigo root cert, then where you see in your screenshot it says "Generate Temporary Certificate", click on that, and fill out the information. This will generate the certificate where the issuer will be the IP address of the CAM instead of the Perfigo.

You will then need to export that certificate and import it in the Trusted Certificate Authorities tab on the CAS admin page (you get to that page by going to https://IP_OF_CAS/admin)

HTH,

Faisal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card