02-23-2010 02:28 AM - edited 02-21-2020 03:53 AM
Hi all,
After upgrading the NAC from 4.1.3 to 4.7.2, when the NAC agent logs in, we are getting the warning message as below:
Certificate issued by www.perfigo.com is suitable for a test lab, but for production we have to go for a CA certificate. The customer is not interested in going for the CA one.
How to resolve this issue?
Thx in advance
swami
02-23-2010 07:02 AM
Swami,
That message will show up when you administer the CAS or the CAM, and you have the perfigo cert in the Trusted Root Stores of those devices. Only way to get rid of it is to remove the perfigo cert from the root store, but if you do that, you have to move to another CA or use true self-signed certs.
To avoid the clients getting the untrusted warning messages you will have to add the root certificate (either perfigo or if self-signed, the identity cert itself) to the client machine's Trusted root stores.
HTH,
Faisal
02-23-2010 11:20 AM
Faisal,
How to remove the certificate? The customer is getting this message again and again during login. Since it is an upgrade from 4.1.3-4.6.1 to 4.7.2, I think that, apart from the CA of perfigo.com, there are other temporary certificates created during the CAM and CAS installation, so that it is possible to remove the perfigo CA from both the CAS and CAM devices. The CAS is in HA and the CAM is standalone. It would certainly not cause any problem for user login.
Thx.
02-23-2010 11:24 AM
Swami,
Look at the SSL tab on your CAS and CAM. Look at the magnifying glass icon on the right hand side. It will tell you the details of the certificate. If the "Issuer" is Perfigo, then you can't remove the perfigo certificates from the Trusted root stores, or else it will break things.
If the issuer is the IP itself of the device, then it's a true self-signed cert and you can remove perfigo from the Trusted root stores.
Best would be if you can open a TAC case and an engineer can go through this with you; otherwise make sure you have some downtime scheduled or known beforehand, before you venture into removing/adding certs.
HTH,
Faisal
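The issuer check described in the reply above can also be run from a shell against an exported certificate file. This is an added example, not part of the original thread or any Cisco tooling; it assumes the `openssl` CLI is available, and the function names, the 192.0.2.10 address and the sample certificates (including the stand-in root that only carries the Perfigo name) are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): apply the reply's issuer rule to a PEM file.
# Prints one of: perfigo-issued | self-signed | other-ca
classify_cert() (
    pem="$1"
    # RFC2253 formatting keeps the DN text stable across OpenSSL versions
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if printf '%s\n' "$issuer" | grep -qi 'perfigo'; then
        echo "perfigo-issued"   # chains to the Perfigo root: keep that root trusted
    elif [ "$issuer" = "$subject" ]; then
        echo "self-signed"      # issuer is the device's own name/IP (name match only,
                                # the signature is not verified here)
    else
        echo "other-ca"
    fi
)

# Build constructed sample certificates in directory $1 (placeholder names and IP).
make_samples() (
    d="$1"
    # Stand-in root carrying the Perfigo name; NOT the real Perfigo certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test Root/CN=www.perfigo.com" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Identity cert for 192.0.2.10 signed by that root
    openssl req -newkey rsa:2048 -nodes -subj "/CN=192.0.2.10" \
        -keyout "$d/id.key" -out "$d/id.csr" 2>/dev/null
    openssl x509 -req -in "$d/id.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/issued.pem" 2>/dev/null
    # True self-signed identity cert: issuer equals subject
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=192.0.2.10" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
)

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for name in issued self; do
    echo "$name.pem: $(classify_cert "$demo_dir/$name.pem")"
done
rm -rf "$demo_dir"
```

To use it on a real deployment, call `classify_cert` on the PEM file exported from the CAM or CAS instead of the constructed samples.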
02-23-2010 11:35 AM
Faisal,
Thank you very much for your information. Let me verify it tomorrow and update you.
Thx a lot.
02-24-2010 01:41 AM
Faisal,
I collected the details from the CAM, and the same is attached here. We can find 2 certificates, one created with the CAM IP and another created with perfigo.com during the upgrade process.
Can you confirm and explain to me where to go to delete the certificate? In that CAM SSL window there is no delete button; I found only a view button with a magnifying glass icon.
I am waiting for your reply.
Also, I am very thankful for your information on the ACS replication problem one of my colleagues is facing with the customer.
Thx
swami
02-25-2010 09:31 AM
Swami,
That's just one identity cert and one root cert that shows up in the screen captures you shared. Perfigo is the root cert and the other cert with IP in it is the identity cert.
Since you're using perfigo, you can't delete it from your Trusted Certificate Authorities from either the CAS or the CAM, otherwise your setup will break. If you really want to get rid of the perfigo root cert, then where you see in your screenshot it says "Generate Temporary Certificate", click on that, and fill out the information. This will generate the certificate where the issuer will be the IP address of the CAM instead of the Perfigo.
You will then need to export that certificate and import it in the Trusted Certificate Authorities tab on the CAS admin page (you get to that page by going to https://IP_OF_CAS/admin).
HTH,
Faisal