This document describes how to configure and install an exportable certificate from Microsoft Windows 2003 software using a CSR from Cisco Secure Access Control Server (ACS) 5.1 for Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2.
ACS 5.1 Certificate Setup
Configure Exportable Certificate for ACS
Note: The ACS server must obtain a server certificate from the enterprise root CA server in order to authenticate a WLAN PEAP client.
Note: Make sure that the IIS Manager is not open during the certificate setup process, as it causes problems with cached information.
Log in to the ACS server with an account that has Admin rights.
Go to System Administration > Configuration > Local Server Certificates. Click Add.
When you choose a server certificate creation method, choose Generate Certificate Signing Request. Click Next.
Enter a certificate subject and key length as shown in the example, then click Finish:
Certificate Subject - CN=acs.demo.local
Key Length - 1024
ACS will prompt that a certificate signing request has been generated. Click OK.
Under System Administration, go to Configuration > Local Server Certificates > Outstanding Signing Requests.
Note: This step is needed because Windows 2003 does not allow for exportable keys, so you need to generate a certificate request based on the ACS certificate that you created earlier, which does.
Choose the Certificate Signing Request entry, and click Export.
Save the ACS certificate .pem file to the desktop.
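Before the saved .pem file is submitted to the CA, it can be checked against the subject and key length entered in ACS. The following is an added example, not part of the original procedure; it assumes the openssl command-line tool is available on the workstation, and the function names and the generated sample CSR (standing in for the exported file) are constructed for illustration.

```shell
# Added example: inspect an exported CSR with the openssl CLI before it is
# submitted to the CA. Function names are hypothetical.

# Print the subject commonName of the CSR in file $1.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
    sed -n 's/^ *commonName *= *//p'
}

# Print the public key size, in bits, of the CSR in file $1.
csr_key_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_csr FILE EXPECTED_CN MIN_BITS
# Returns 0 when the CSR self-signature verifies, the CN matches and the key
# meets the minimum size; 1, 2 or 3 for the respective failure.
check_csr() {
  if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo "not a valid CSR (parse or self-signature failure): $1"; return 1
  fi
  _cn=$(csr_cn "$1"); _bits=$(csr_key_bits "$1")
  [ "$_cn" = "$2" ] || { echo "subject CN '$_cn', expected '$2'"; return 2; }
  [ "${_bits:-0}" -ge "$3" ] || { echo "key is $_bits bits, minimum is $3"; return 3; }
  echo "OK: CN=$_cn, $_bits-bit key"
}

# Constructed sample: a throwaway CSR with the example subject and key length
# from the steps above; its private key is deleted immediately.
make_sample_csr() {
  openssl req -new -newkey rsa:1024 -nodes -subj "/CN=acs.demo.local" \
    -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

sample=$(mktemp)
make_sample_csr "$sample"
# Matches the values entered in ACS.
check_csr "$sample" acs.demo.local 1024
# A stricter key-size policy rejects the same request with status 3.
check_csr "$sample" acs.demo.local 2048 || echo "(rejected, exit status $?)"
rm -f "$sample"
```

For the real file, call check_csr with the path of the .pem saved to the desktop in place of the generated sample.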