Cisco Support Community

New Member

Self Signed Certificate for CCA (NAC) CAM


I recently upgraded my CCA servers to 4.1.6 and it wants me to replace the temporary cert on the CAM. I have replaced it with a cert I have signed with my CA and uploaded my CA Cert into the CAM and the CAS.

The CAM is happy, and my web browser will verify the cert, however I can't get communication between the CAM and CAS to work. Anyone had any luck with this?

New Member

Re: Self Signed Certificate for CCA (NAC) CAM

Hi Peter,

Are your CAS certs signed by the CA too? Is there anything in the CAM log about certificate errors?


New Member

Re: Self Signed Certificate for CCA (NAC) CAM


Yes I had loaded my CA cert into NAC as a CA Authority but I found another problem, to do with upgrading to 4.1.6, which is probably giving me grief and I'm waiting for the TAC to solve that one before I try again.

New Member

Re: Self Signed Certificate for CCA (NAC) CAM

Did you find the solution for it?

I am also looking for it. It is really a pain to first produce certificates from any CA server and then do this.

New Member

Re: Self Signed Certificate for CCA (NAC) CAM

Got my cert to work after fixing my other problem.

The other problem was a single space after -----End Certificate----- in the cert I bought for the CAS.

My formula for creating a self-signed cert was:

# Create a private key and certificate request for your own CA:

openssl req -new -newkey rsa:2048 -out ca.csr -keyout ca.key

# Create your CA's self-signed certificate

# Set the days to 3650 so it will last 10 years

openssl x509 -trustout -signkey ca.key -days 3650 -req -in ca.csr -out ca.pem

#edit ca.pem so that the strings


# Generate a key for the server Cert

openssl genrsa -out server.key 2048

# Generate a cert signing request for the server

openssl req -new -key server.key -out server.csr

# Sign the request using your CA

# contains something like 02

# SERIAL_FILE: placeholder for the CA serial number file that -CAserial requires

openssl x509 -req -in server.csr -CA ca.pem -days 3650 -CAkey ca.key -CAserial SERIAL_FILE -out server.pem

You prolly want to edit your openssl.cnf first and fill in some of the defaults.
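
Added example, not part of the thread: a shell function that checks the framing of a PEM file for the problem reported in the last post (whitespace after the END line) and also flags the TRUSTED CERTIFICATE label that `openssl x509 -trustout` writes. The names `pem_lint` and `make_samples`, the file names and the sample bodies are made up for illustration.

```shell
#!/bin/sh
# pem_lint FILE prints one finding per line and returns 1 if it found anything.
pem_lint() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
    {
        line = $0
        if (sub(/\r$/, "", line)) report("CRLF line ending")
        if (line ~ /-----(BEGIN|END) /) {
            if (line ~ /[ \t]+$/) report("trailing whitespace after boundary line")
            if (line ~ /^[ \t]+/) report("leading whitespace before boundary line")
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            # -trustout writes "TRUSTED CERTIFICATE"; flag any label but CERTIFICATE
            if (line !~ /^-----(BEGIN|END) CERTIFICATE-----$/)
                report("unexpected boundary: " line)
            if (line ~ /^-----BEGIN /) {
                if (inblk) report("BEGIN inside an open block")
                inblk = 1
            } else {
                if (!inblk) report("END without BEGIN")
                inblk = 0
            }
        } else if (inblk && line !~ "^[A-Za-z0-9+/=]+$") {
            report("non-base64 characters in certificate body")
        }
    }
    END {
        if (inblk) { printf "%s: missing END line\n", FILENAME; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed samples: the body is placeholder base64, not a real certificate.
make_samples() {
    body='TUlJQ2NvbnN0cnVjdGVkU2FtcGxl'
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----' > "$1/good.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE----- ' > "$1/space.pem"   # trailing space, as in the post
    printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----' "$body" \
        '-----END TRUSTED CERTIFICATE-----' > "$1/trusted.pem"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in good space trusted; do
    pem_lint "$tmp/$f.pem" || echo "$f.pem: needs fixing"
done
rm -rf "$tmp"
```

The check only looks at framing and does not validate the certificate itself; `openssl x509 -in FILE -noout -text` does that.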
