Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

NAC certiicate warning message

Hi all,

After upgradeding the NAC from 4.1.3 to 4.7.2, When the NAC agent login, we are getting the warning message as below

certificate issues by www.perfigo.com is suitable for test lap but production we have to go for CA certificate. Customer not interested to go for the CA one.

How to resolve this issue?

Thx in advance

swami

1 ACCEPTED SOLUTION

Accepted Solutions

Re: NAC certiicate warning message

Swami,

That message will show up when you administer the CAS or the CAM, and you have the perfigo cert in the Trusted Root Stores of those devices. Only way to get rid of it is to remove the perfigo cert from the root store, but if you do that, you have to move to another CA or use true self-signed certs.

To avoid the clients getting the untrusted warning messages you will have to add the root certificate (either perfigo or if self-signed, the identity cert itself) to the client machine's Trusted root stores.

HTH,

Faisal

7 REPLIES

Re: NAC certiicate warning message

Swami,

That message will show up when you administer the CAS or the CAM, and you have the perfigo cert in the Trusted Root Stores of those devices. Only way to get rid of it is to remove the perfigo cert from the root store, but if you do that, you have to move to another CA or use true self-signed certs.

To avoid the clients getting the untrusted warning messages you will have to add the root certificate (either perfigo or if self-signed, the identity cert itself) to the client machine's Trusted root stores.

HTH,

Faisal

Community Member

Re: NAC certiicate warning message

Faisal,

How to remove the certificate. Customer during login getting this message again and again. Since it is upgrade from 4.1.3-4.6.1 to 4.7.2, I think that except the CA of perfigo.com, there are other temporary certificates created during the CAM and CAS installation so that it is possible to remove the perfigo CA from both the CAS,CAM device. CAS is in HA and CAM is in standalone. It wound not certainly make any problem for  user login.

Thx.

Re: NAC certiicate warning message

Swami,

Look at the SSL tab on your CAS and CAM. Look at the magnifying glass icon on the right hand side. It will tell you the details of the certificate. If the "Issuer" is Perfigo, then you can't remove the perfigo certificates from the Trusted root stores, or else it will break things.

If the issuer is the IP itself of the device, then it's a true self-signed cert and you can remove perfigo from the Trusted root stores.

Best would be if you can open a TAC case and an engineer can go through with you over this, otherwise make sure you have some downtime scheduled or known before hand, before you venture removing/adding certs

HTH,

Faisal

Community Member

Re: NAC certiicate warning message

Faisal,

Thank you very much for your information. Let me verify it tomorow and update you.

Thx lot.

Community Member

Re: NAC certiicate warning message

Faisal,

I collected the details from the CAM. and the same is attached here. We can find 2 certificates one created with CAM IP and another created with perfigo.com during the upgrade process.

Can you confirm me and explain me where to go to delete the certificate. In that CAM-ssl window there is no delete button I found only view button with magnifying class icon.


I am waiting for yout reply.

Also I am very thankful for your information on ACS replication problem one of my colleague facing with the customer.

Thx

swami

Community Member

Re: NAC certiicate warning message

Faisal,

Pls find attached CAM SSL certificate and CA details.if we can delete perfigo CA then pls tell how can we delete it from CAM ssl window.

Thx

Re: NAC certiicate warning message

Swami,

That's just one identity cert and one root cert that shows up in the screen captures you shared. Perfigo is the root cert and the other cert with IP in it is the identity cert.

Since you're using perfigo, you can't delete it from your Trusted Certificate Authorities from either the CAS or the CAM, otherwise your setup will break. If you really want to get rid of the perfigo root cert, then where you see in your screenshot it says "Generate Temporary Certificate", click on that, and fill out the information. This will generate the certificate where the issuer will be the IP address of the CAM instead of the Perfigo.

You will then need to export that certificate and import it in the Trusted Certificate Authorities tab on the CAS admin page (you get to that page by going to https://IP_OF_CAS/admin)

HTH,

Faisal

589
Views
0
Helpful
7
Replies
CreatePlease to create content