Problems generating a cert for ACS 4.1 using MS 2008 R2 Cert Svcs

Sep 17th, 2010

I am having difficulty installing a certificate on ACS that was generated using Microsoft Certificate Services under Server 2008 R2.  The problem I'm having is finding documentation that addresses using ACS 4.1 and Microsoft Cert Svcs 2008 R2.  There is plenty of documentation using Server 2003 Cert Svcs but not 2008.


I follow the instructions for 2003 and there are differences in the interfaces.  I think I'm picking the right options but after the cert is installed and the CA is added, I still can't turn on SSL because it says there are no certs installed.  I installed the self-signed cert and that worked.  Can't figure out what I'm doing wrong.  Can anyone provide instructions for generating the cert using Server 2008 R2 certificate services?

Nathaniel Austin (Cisco Employee) Mon, 09/20/2010 - 06:52

Hi cchughes,


Unfortunately I don't think we have anything yet with a Windows 2008 R2 cert server, however I do have a 2008 (non-R2) server here that I use and it works. I'm not sure if there were any massive changes between 2008 and 2008 R2 in regards to that.


On my 2008 server (assuming I generated a Certificate Signing Request or CSR on ACS) I access the web GUI and click on "Request a Certificate" > "Advanced Certificate Request" and can paste in my CSR on that page. The big thing to remember on that page is to use a certificate template that includes the correct fields for an ACS; in my case I choose "Web Server".


The certificate HAS to have a value of "Server Authentication" in the "Enhanced Key Usage" field. If a template is selected that doesn't add that then the ACS may not accept it.


Did you see any errors when trying to upload the cert to ACS?


Thanks,


Nate
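
A way to check the Enhanced Key Usage requirement described in the reply above before uploading an issued certificate to ACS, as an added example that is not part of the original thread: it inspects a certificate for the Server Authentication OID (1.3.6.1.5.5.7.3.1). The function names, the subject `CN=acs.example.test` and the file path are assumptions, and the sample certificates are constructed in memory.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates
# Added example. CertificateRequest needs .NET Framework 4.7.2+ or PowerShell 7.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # shown by Windows as "Server Authentication"

function Test-ServerAuthEku {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # Find the Enhanced Key Usage extension, if the template added one.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $usages = @()
    if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        HasEku        = [bool]$eku
        Usages        = $usages
        HasServerAuth = $usages -contains $ServerAuthOid
    }
}

# Hypothetical helper: builds a throwaway self-signed certificate as sample input.
function New-ConstructedCert {
    param([string[]]$EkuOids)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new('CN=acs.example.test', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($EkuOids) {
        $oids = [OidCollection]::new()
        foreach ($o in $EkuOids) { [void]$oids.Add([Oid]::new($o)) }
        $req.CertificateExtensions.Add(
            [X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now, $now.AddDays(1))
}

# Constructed samples: serverAuth present, clientAuth only, and no EKU at all.
Test-ServerAuthEku (New-ConstructedCert -EkuOids '1.3.6.1.5.5.7.3.1')
Test-ServerAuthEku (New-ConstructedCert -EkuOids '1.3.6.1.5.5.7.3.2')
Test-ServerAuthEku (New-ConstructedCert)

# For a certificate file issued by the CA (placeholder path):
# Test-ServerAuthEku ([X509Certificate2]::new('C:\path\to\acs.cer'))
```

The check reads the issued certificate's Enhanced Key Usage extension, which is separate from the key-usage choices offered on the request form.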

cchughes Mon, 09/20/2010 - 10:54

Thanks Nate.


Here's what I tried:


After receiving your response I tried again and it worked.  I had to create a template on the cert server and use it when generating the cert.  I couldn't find "Server Authentication" in the "Enhanced Key Usage" field.  It only gave the option of exchange or encrypt or both exchange and encrypt.  I left it at the default.


The only thing I did differently was the template I used.  The cert template "Web Server" didn't work.  I copied it as a Server 2003 template and that was the trick.  Previously I created a Server 2008 template that did not work.


For anyone reading this the closest instructions I could find are at:

https://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#backinfo


They don't mention that you need a Server 2003 template in the instructions on how to create a template, though...
