New Member

NAC Certificates - Windows 2003 CA

Hi,

Can anyone tell me if/how to generate/install a certificate from our internal Windows-based certificate authority?

We have redundant CAM and CAS and need to deploy to a production environment, but the only certificate is the default Perfigo one that the appliances come with.

5 REPLIES
Gold

Re: NAC Certificates - Windows 2003 CA

you really should read the documentation guides for this info. the nac appliances are very sensitive to the order in which certificates are installed in the larger process of a nac deployment.

here's what i usually do though:

1. create self-generated certs (which also creates a CSR) using the information you want to be put into the final cert (same hostname, IP, etc etc)

(since you're using HA, be sure to create a CSR based on the SHARED IP or hostname)

2. export CSR and private key from one CAM and one CAS

3. use CSR to request cert from 3rd party cert vendor

4. import requested cert into both CAMs and CASs, and import the private key to the other CAS/CAM whose CSR was not used to request 3rd party cert

5. import root cert of 3rd party cert vendor into all appliances

...from here, you can configure HA and add the CAS to the CAM in the orders outlined in the config guides. READ IT VERY CAREFULLY.

anyone else have anything to add? it's been a while so i might be leaving a step or two out.

http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html
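A pre-import check for the procedure in the reply above, as an added example that is not part of the original post: before importing, confirm that the issued certificate matches the exported private key, chains to the root you will install, and names the shared HA hostname. The file names, the hostname `nac-ha.example.internal` and the throwaway CA built by `make_demo` are constructed for illustration.

```shell
#!/usr/bin/env bash
# check_cert_bundle CERT KEY ROOT SERVICE_NAME
# Returns 0 if consistent, 1 key mismatch, 2 chain failure, 3 wrong name.
check_cert_bundle() {
  cert=$1; key=$2; root=$3; name=$4
  # 1. The issued cert must carry the public half of the exported private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: cert does not match key"; return 1; }
  # 2. The cert must verify against the root that will be imported and trusted.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: cert does not chain to root"; return 2; }
  # 3. The subject CN must be the shared HA service name, not a node name.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$name" ] || { echo "FAIL: CN is '$cn', expected '$name'"; return 3; }
  echo "OK"
}

# Constructed stand-ins: a throwaway root CA, the appliance key/CSR/cert,
# and an unrelated key playing the role of the HA peer's own key.
make_demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Internal Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=nac-ha.example.internal" \
    -keyout "$d/nac.key" -out "$d/nac.csr" 2>/dev/null
  openssl x509 -req -in "$d/nac.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -out "$d/nac.pem" 2>/dev/null
  openssl genrsa -out "$d/peer.key" 2048 2>/dev/null
  echo "$d"
}

demo=$(make_demo)
# Matching key, trusted root, shared name.
check_cert_bundle "$demo/nac.pem" "$demo/nac.key" "$demo/root.pem" nac-ha.example.internal
# The peer's own key was not the one behind the CSR, so this must fail.
check_cert_bundle "$demo/nac.pem" "$demo/peer.key" "$demo/root.pem" nac-ha.example.internal || true
rm -rf "$demo"
```
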

New Member

Re: NAC Certificates - Windows 2003 CA

Sorry, I may have been a little vague.

Our internal CA server has a root cert from VeriSign; what we want to do is create a cert for the NAC appliances on our own CA.

Is this possible? If so, how?

Gold

Re: NAC Certificates - Windows 2003 CA

you can still use your internal CA to issue certs, but in CA terms, unless you paid for the correct cert, your internal CA server is not a 'subordinate' CA for verisign. but as long as all your PCs going through nac have the domain root cert installed, it should avoid the SSL Cert warning you would otherwise get.

New Member

Re: NAC Certificates - Windows 2003 CA

Can you tell me how to do this?

Gold

Re: NAC Certificates - Windows 2003 CA
