ACS 5.5 Trust Communication

cbeswick
Level 1

Dear All,

Has anyone had any experience using the new "Trust Communication" feature in ACS 5.5 ?

I am wanting to know if this will work with self signed certs, or even a public wildcard cert, i.e. *.domain.com

I have tried exporting the self signed certs and then importing on the other appliances which I want to register against, but every time ACS states that the certificate is invalid, leading me to think that this will only work using certs which have been signed by a trusted 3rd party.

 

Any help would be greatly appreciated.

 

Chris.

 

3 Replies

Jatin Katyal
Cisco Employee

Have you tried importing the self-signed cert of primary on secondary and vice-versa?

When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other.

Configuring Trust Communication in a Distributed Deployment

Before enabling Trust Communication between nodes in a distributed deployment, you need to make sure that you have done the following:

1. Add a trusted Certificate Authority (CA) certificate in your Primary ACS instance.

2. Add a management server certificate duly signed by a valid CA to the primary ACS instance.

3. Add a trusted CA to the ACS instance which is going to be registered as a secondary ACS instance.

4. Add a management server certificate duly signed by a valid CA to the ACS instance that is going to be registered as a secondary ACS instance.

5. Make sure that the CA that issued the server certificate of the secondary instance is present in the primary instance and that the CA that issued the server certificate of the primary instance is present in the secondary instance.

~BR

Jatin Katyal

**Do rate helpful posts**

 

~Jatin

Hi Jatin,

 

Many thanks for your response.

Yes, I have exported the self-signed cert and private key from the primary and imported it onto the secondary, and vice versa. When I try to register the secondary to the primary I get an error message saying "invalid cert". I am wondering if the self-signed cert that was originally generated during the installation is incorrect because it doesn't contain the FQDN of the server in its CN field (for both the primary and secondary servers).

I will try and re-create it with the FQDN in the CN.

Incidentally, should self-signed certs work OK?

 

Thanks,

 

Chris.

I'm not interested in waking up a dead thread, but since this gives context to my own experience from today I thought I should write something up for posterity. 

I read in a few threads across the forums that a private key was necessary and that the public keys for the primary server had to be loaded on the primary and secondaries. That was not my experience. What was necessary to get it to work in my use case was:

1) Add the public keys for root CA and intermediate CA certificates under Certificate Authorities

2) For each ACS server:

2.1) Under Local Certificates, generate a CSR with a CN of CN=servername 

2.2) Submit the CSR at your CA and export the DER/PEM certificate

2.3) Install the certificate on the relevant ACS server using Add and Bind-CA

2.4) Enable Trust Communications

3) Cluster the servers together through Deployment (standard procedure)
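To make the checklist in Jatin's reply and the procedure above concrete, here is an added lab example (not Cisco's code and not from either poster) that uses openssl to reproduce what the registering node effectively does: chain the peer's management certificate to a CA in its own trust store and match the name it connects to against the certificate's CN/SAN. It assumes openssl is on the PATH; the CA name lab-root-ca and the hostnames acs-primary.example.com, acs-secondary.example.com, acs-short and acs-selfsigned are constructed lab values.

```shell
# Added lab example (not Cisco code). Reproduces the two checks the thread
# describes: (1) the peer's cert must chain to a CA in this node's trust store,
# (2) the name this node dialled must appear in the cert's CN/SAN.
# Assumes openssl in PATH; every hostname below is a constructed lab value.
LAB=$(mktemp -d)

# new_key_and_csr NAME  -> $LAB/NAME.key and $LAB/NAME.csr with CN=NAME
new_key_and_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.csr" >/dev/null 2>&1
}

# make_ca NAME  -> self-signed root CA certificate $LAB/NAME.crt
make_ca() {
    new_key_and_csr "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$LAB/$1.ext"
    openssl x509 -req -days 365 -in "$LAB/$1.csr" -signkey "$LAB/$1.key" \
        -extfile "$LAB/$1.ext" -out "$LAB/$1.crt" >/dev/null 2>&1
}

# issue_cert CA FQDN  -> server cert $LAB/FQDN.crt signed by CA, with SAN=FQDN
issue_cert() {
    new_key_and_csr "$2"
    printf 'subjectAltName=DNS:%s\n' "$2" > "$LAB/$2.ext"
    openssl x509 -req -days 365 -in "$LAB/$2.csr" -CA "$LAB/$1.crt" \
        -CAkey "$LAB/$1.key" -CAcreateserial -extfile "$LAB/$2.ext" \
        -out "$LAB/$2.crt" >/dev/null 2>&1
}

# peer_check TRUSTED_CA PEER_CERT DIALLED_NAME
# Validates PEER_CERT against the CA this node holds and the hostname it used
# to reach the peer. Prints "trusted" or "invalid cert".
peer_check() {
    if openssl verify -CAfile "$LAB/$1.crt" -verify_hostname "$3" \
            "$LAB/$2.crt" >/dev/null 2>&1
    then echo trusted; else echo "invalid cert"; fi
}

make_ca lab-root-ca
issue_cert lab-root-ca acs-primary.example.com
issue_cert lab-root-ca acs-secondary.example.com
issue_cert lab-root-ca acs-short        # CN/SAN carry only the short hostname
make_ca acs-selfsigned                  # stands in for the install-time cert

peer_check lab-root-ca acs-secondary.example.com acs-secondary.example.com  # trusted
peer_check lab-root-ca acs-primary.example.com acs-primary.example.com      # trusted
peer_check lab-root-ca acs-short acs-short.example.com   # invalid cert: name mismatch
peer_check lab-root-ca acs-selfsigned acs-selfsigned     # invalid cert: CA not in store
peer_check acs-selfsigned acs-selfsigned acs-selfsigned  # trusted once imported as a CA
```

The last three lines mirror the two failure modes raised in the thread (a name that does not match the FQDN, and a self-signed certificate the peer has not imported as a CA) next to the case where the self-signed certificate has been imported on the peer.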