Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 5.5 Trust Communication

Dear All,

Has anyone had any experience using the new "Trust Communication" feature in ACS 5.5 ?

I am wanting to know if this will work with self signed certs, or even a public wildcard cert, i.e. *.domain.com

I have tried exporting the self signed certs and then importing on the other appliances which I want to register against, but every time ACS states that the certificate is invalid, leading me to think that this will only work using certs which have been signed by a trusted 3rd party.

 

Any help would be greatly appreciated.

 

Chris.

 

3 REPLIES
Cisco Employee

Have you tried importing the

Have you tried importing the self-signed cert of primary on secondary and vice-versa?

When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other.

 
Configuring Trust Communication in a Distributed Deployment
 
Before enabling Trust Communication between nodes in a distributed deployment, you need to make sure that you have done the following:
 
1. Add a trusted Certificate Authority (CA) certificate in your Primary ACS instance.
 
2. Add a management server certificate duly signed by a valid CA to the primary ACS instance.
 
3. Add a trusted CA to the ACS instance which is going to be registered as a secondary ACS instance.
 
4. Add a management server certificate duly signed by a valid CA to the ACS instance that is going to be registered as a secondary ACS instance.
 
5. Make sure that the CA that issued the server certificate of the secondary instance is present in the primary instance and that the CA that issued the server certificate of the primary instance is present in the secondary instance.
 

~BR

Jatin Katyal

**Do rate helpful posts**

 

~BR Jatin Katyal **Do rate helpful posts**
New Member

Hi Jatin, Many thanks for

Hi Jatin,

 

Many thanks for your response.

Yes, I have exported the self signed cert and private key from the primary, and imported onto the secondary, and visa versa. When I try and register the secondary to the primary I get an error message saying "invalid cert". I am wondering if the self signed cert that was originally generated during the installation is incorrect because it doesnt contain the FQDN of the server in its CN field (for both the primary and secondary servers)

I will try and re-create it with the FQDN in the CN.

Incidentally, should self signed certs work ok ?

 

Thanks,

 

Chris.

Bronze

I'm not interested in waking

I'm not interested in waking up a dead thread, but since this gives context to my own experience from today I thought I should write something up for posterity. 

I read in a few threads across the forums that a private key was necessary and that the public keys for primary server had to be loaded on the primary and secondaries. That was not my experience. What was necessary to get it to work in my use case was:

1) Add the public keys for root CA and intermediate CA certificates under Certificate Authorities

2) For each ACS server:

2.1) Under Local Certificates, generate a CSR with a CN of CN=servername 

2.2) Submit the CSR at your CA and export the DER/PEM certificate

2.3) Install the certificate in the relevent ACS server using Add and Bind-CA

2.4) Enable Trust Communications

3) Cluster the servers together through Deployment (standard procedure)

917
Views
0
Helpful
3
Replies