05-03-2010 03:22 AM - edited 03-10-2019 05:06 PM
I got this error message (see attached image) when trying to bind a certificate from a CA.
I generated a CSR on ACS 5.1 and sent it to the CA to get signed. I got a certificate from the CA which I tried to bind. I went to System Administration -> Configuration -> Local Server Certificates -> Local Certificates to create a certificate and chose the Bind certificate option. I then browsed to the certificate I got from the CA and clicked Finish, but got this error message.
What is wrong with the certificate that failed validation? Is it my configuration at the ACS or is it the CA? I have decoded the certificate to compare the details and there is nothing wrong there. I have a second ACS on which I did the same thing and had the same problem.
05-03-2010 07:32 AM
In what format was the signed certificate returned to you by the CA?
05-03-2010 02:27 PM
Hi Javier, thanks for your previous reply.
I got a .p7b file which I assume is a PKCS #7 file?
I got an email (titled "Your Standard Intranet SSL Certificate Is Ready") with that file attached, certificate information such as serial number, validity period, subject information and issuer information, enrollment information and the certificate in ASCII.
I have read somewhere that Cisco doesn't accept certificates from some CAs, but mine is in the list of accepted ones, which is Verisign.
05-04-2010 04:50 AM
I have managed to bind the certificate now. I went to check the link given to me by the CA and found two certificates, one in PKCS#7 and one in X509 format. I tried the X509 format and the ACS successfully bound it.
It works but I want to know how it all works. PKCS#7 includes the Intermediate CA while X509 doesn't. The X509 certificate comes with a message stating that the Intermediate CA needs to be installed separately. I have found it and can install it, but what is it used for? I also found the CA certificate. So there are three certificates: CA, Intermediate CA and X509. How does it all come together, or does anyone have a link to a good guide on how it works?
I am trying to configure wireless authentication using PEAP-MSCHAPv2 using Cisco WLC, ACS as RADIUS server and Windows AD as the database. Is there anything I need to know about certificates in this deployment?
05-04-2010 09:01 AM
The intermediate and root CA have to be added to the list of CAs for ACS to trust the certificate signed with that chain of trust.
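The chain of trust discussed in this thread, reproduced with the openssl command line as an added example (not part of the original posts and not a Cisco procedure). It builds a throwaway root CA, intermediate CA and server certificate, bundles the server and intermediate certificates as PKCS#7, and checks which trust lists validate the server certificate. All names, files and certificates are constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
# Constructed demo PKI: every name, key and certificate below is throwaway.

# Build root CA -> intermediate CA -> server certificate inside directory $1,
# plus a PEM-encoded PKCS#7 bundle (server + intermediate), as a .p7b would carry.
make_demo_chain() (
    cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    for n in root int acs; do
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile demo.cnf -extensions v3_ca -out root.pem 2>/dev/null &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile demo.cnf -extensions v3_ca -out int.pem 2>/dev/null &&
    openssl x509 -req -in acs.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -extfile demo.cnf -extensions v3_leaf -out acs.pem 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile acs.pem -certfile int.pem -out acs.p7b
)

# Print how many certificates a PEM-encoded PKCS#7 bundle carries.
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# Succeed only if leaf $2 chains to the CA certificates listed in file $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK'
}

# Compare three trust lists: root only, intermediate only, root + intermediate.
demo=$(mktemp -d)
make_demo_chain "$demo" || exit 1
cat "$demo/root.pem" "$demo/int.pem" > "$demo/trust.pem"
echo "certificates in acs.p7b: $(p7b_cert_count "$demo/acs.p7b")"
for store in root int trust; do
    if chain_verifies "$demo/$store.pem" "$demo/acs.pem"
    then echo "trust list = $store.pem: chain OK"
    else echo "trust list = $store.pem: chain FAILS"
    fi
done
```

Only the trust list holding both the root and the intermediate validates the server certificate; either CA certificate on its own leaves the chain incomplete.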