
New Member

Replaced Expired Cert on ACS

Hi,

I replaced an ACS certificate that had been installed. I then did the following:

1. Created a certificate request.

2. Issued the request to the enterprise CA.

3. Copied the certificate to an FTP server.

4. Installed the certificate on the ACS.

5. Configured the CTL again.

6. Restarted the ACS service.

8. Enable EAP-TLS.

The problem is when I try to enable EAP I get the message "no ACS certificate installed".

I searched on Cisco and it said to disable the CSA and follow the same process, which I have done to no avail.

Any help appreciated.

Thanks

Kev

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Replaced Expired Cert on ACS

What is the current ver?

21 REPLIES

Re: Replaced Expired Cert on ACS

Kev,

Make sure you have installed the server cert on ACS. Do you see the server cert if you check acs--->system configuration--->acs cert setup--->Install certificate?

It seems that you have not installed the correct certificate at the above location. The most common mistake is to install the CA cert in the place of the server cert.

Regards,

~JG

Do rate helpful posts

New Member

Re: Replaced Expired Cert on ACS

JG,

I have definitely installed it in the place where you suggested. It is like the server is just ignoring the certificate.

This is the Windows-based solution engine.

Thanks

Kev

New Member

Re: Replaced Expired Cert on ACS

I have done some more investigation and it turns out the CA certificate had been renewed a few days ago on the CA. I have now installed the valid cert on the ACS but I am still getting the same issue.

Cheers

Kev

Re: Replaced Expired Cert on ACS

Which vendor certificate is it?

New Member

Re: Replaced Expired Cert on ACS

It is an internal CA issuing certificates.

Cheers

Kev

New Member

Re: Replaced Expired Cert on ACS

I found this bug in the version of the ACS:

CSCef61785 Bug Details

ACS Appliance fails to recognize installed certificate

Symptom

ACS appliance does not recognize the installed certificate.

Conditions

Cisco Security Agent is running.

1. Install a certificate. The web interface will report the certificate as installed and validated.

2. Enable PEAP.

3. An error appears: Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using ACS Certification Authority Setup page.

Workaround

Disable the Cisco Security Agent and repeat the installation procedure. Re-enable the Cisco Security Agent.

Possibly worth upgrading?

If so, can someone help me with the upgrade stages, as I'm finding them a bit confusing.

Thanks

Kev

Re: Replaced Expired Cert on ACS

What is the current ver?

New Member

Re: Replaced Expired Cert on ACS

3.3(3) Build 11

Thanks

Kev

New Member

Re: Replaced Expired Cert on ACS

Would just like to double check: when I select the certificate type in my request I am selecting Web Server. This is correct, right, as it just needs to be a server SSL cert?

Cheers

Kev

New Member

Re: Replaced Expired Cert on ACS

Thanks for the help.

New Member

Re: Replaced Expired Cert on ACS

I have the exact same problem with the exact same build. Did anyone ever end up coming up with a solution?

Thanks,

-John

Re: Replaced Expired Cert on ACS

John,

Make sure you are not hitting Install certificate again after uploading the cert. That was the reason Kevin was not able to install it.

If you hit it again, it deletes the installed cert.

Regards,

~JG

New Member

Re: Replaced Expired Cert on ACS

Thanks for your post.

I wish it was as easy as me mistakenly removing the certificate after installation.

I'm able to see the certificate installed and I also have CSA disabled. The cert is from our own internal CA so there is no need to add anything to "Edit Certificate Trust List" is there?

Whenever I try to enable "Allow EAP-TLS" I get the following error message.

Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.

Thanks,

-John

New Member

Re: Replaced Expired Cert on ACS

John,

Have you installed the CA certificate?

If so have you checked it is in the Certificate Trust List?

Cheers

Kev

New Member

Re: Replaced Expired Cert on ACS

Yes, the certificate is installed and I have it checked in the trust list.

-John

Re: Replaced Expired Cert on ACS

What is the ext of the cert you have installed?

New Member

Re: Replaced Expired Cert on ACS

.cer

New Member

Re: Replaced Expired Cert on ACS

Try Base 64 format.

Re: Replaced Expired Cert on ACS

Is the RSA key set to 1024 or 2048? Use 1024.

Regards,

~JG

New Member

Re: Replaced Expired Cert on ACS

I did do the base 64 install of the cert.

It really looks as if ACS has no idea the cert is installed. On top of not allowing me to check EAP-TLS I cannot enable HTTPS either.

I'm attaching the screen shot of the cert installed so that you guys don't think I'm nuts.

Thanks,

-John

New Member

Re: Replaced Expired Cert on ACS

I forgot to add that RSA 1024 was chosen for the CSR.

Is there any other place to verify that the certificate is installed other than "Install ACS Certificate"?

Thanks,

-John
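An offline check of the certificate files this thread keeps coming back to, added here as an example (not part of any poster's reply and not Cisco tooling): it reports whether a file is Base64 (PEM) or binary (DER), whether it is a CA or a server certificate, its key size, and whether the server certificate verifies against the CA file, which matters after a CA renewal. It assumes the `openssl` CLI; all file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Requires the openssl CLI.
# Usage: bash certcheck.sh server.cer ca.cer   (file names are placeholders)

# "PEM" for Base64 text, "DER" for binary, "UNKNOWN" if neither parses.
cert_encoding() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
  elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then echo DER
  else echo UNKNOWN; fi
}

# Emit the certificate as PEM whatever its on-disk encoding.
to_pem() {
  case "$(cert_encoding "$1")" in
    PEM) openssl x509 -in "$1" ;;
    DER) openssl x509 -inform DER -in "$1" ;;
    *)   return 1 ;;
  esac
}

cert_text() { to_pem "$1" 2>/dev/null | openssl x509 -noout -text 2>/dev/null; }

# "CA" when basicConstraints carries CA:TRUE, else "SERVER" (end-entity).
cert_role() {
  local text
  text=$(cert_text "$1") || { echo UNKNOWN; return 1; }
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then echo CA; else echo SERVER; fi
}

# Public key size in bits, e.g. 1024 or 2048.
cert_key_bits() {
  cert_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 only if SERVER_FILE verifies against CA_FILE as its trust anchor.
cert_chains_to() {  # cert_chains_to CA_FILE SERVER_FILE
  local tmp rc=1
  tmp=$(mktemp -d) || return 1
  if to_pem "$1" > "$tmp/ca.pem" && to_pem "$2" > "$tmp/srv.pem" &&
     openssl verify -CAfile "$tmp/ca.pem" "$tmp/srv.pem" >/dev/null 2>&1
  then rc=0; fi
  rm -rf "$tmp"
  return "$rc"
}

# With file arguments, print one summary line per certificate.
for f in "$@"; do
  echo "$f: $(cert_encoding "$f") $(cert_role "$f") $(cert_key_bits "$f") bit"
done
```

These checks inspect the files only; they do not show what ACS itself has loaded.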
