9-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 9 Troubleshooting Device Communication and Deployment
Managing Device Communication Settings and Certificates
Security Certificate Rejected When Discovering Device
If an error occurs when you attempt to discover a device, and the error message states that the security
certificate received from the device was rejected, you need to update the certificate. You can do this using
one of the following methods:
- For IPS devices only, select Manage > IPS > IPS Certificates and synchronize the certificates. You might also need to regenerate the certificate. For more information, see Managing IPS Certificates, page 43-10.
- Manually enter the thumbprint required by the certificate by doing one of the following:
  - Select Tools > Security Manager Administration > Device Communication. Click Add Certificate, enter the IP address of the device, then copy and paste the thumbprint displayed in the error message into the Certificate Thumbprint field.
  - Right-click the device and select Device Properties > Credentials. Copy and paste the thumbprint displayed in the error message into the Authentication Certificate Thumbprint field.
  You must manually enter the thumbprint whenever you add a new device using the Add New Device or Add From Configuration File options and when you perform rediscovery. It is not required when you add a new device using the Add New Device From Network or Add Device From File options.
- Configure the SSL certificate settings to automatically retrieve the certificate when adding devices. You can select different settings for IPS, router, and ASA/PIX/FWSM devices. To configure these settings, select Tools > Security Manager Administration > Device Communication, and look at the SSL Certificate Parameters group.
Related Topics
- Manually Adding SSL Certificates for Devices that Use HTTPS Communications, page 9-4
- Adding Devices to the Device Inventory, page 3-6
- Chapter 2, “Preparing Devices for Management”
- Device Communication Page, page 11-17
- Device Credentials Page, page 3-44
Invalid Certificate Error During Device Discovery
If the time settings on the device and Security Manager are not in synchronization, when you try to
discover policies on a device (adding it to the inventory or rediscovering policies on a device already in
the inventory), an error message might state that the certificate is not yet valid.
When the time set on the Security Manager server is lagging behind the time set on the device, Security
Manager cannot validate the device certificate if the start time of the validity period is ahead of the
Security Manager time setting. Even if the time zones configured on the device and Security Manager
are the same, the invalid certificate error occurs if the daylight saving time (summertime) settings are
different. To resolve this problem, make sure that the daylight saving time settings are the same on the
device and Security Manager, regardless of whether the time zone is the same. After setting the daylight
saving time, synchronize the clock on the device with Security Manager so that both of them display the
same time.
For best results, we recommend that you set the same time zone on the device and Security Manager, and, if necessary, change the time zone later, after the certificates have been discovered.
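The following Python script is an added illustration of both troubleshooting cases on this page (the rejected-thumbprint case and the not-yet-valid case); it is not part of the Cisco guide and does not use any Security Manager code. Using only the standard library, it builds a constructed, unsigned X.509 certificate in DER, computes a thumbprint over it, reads the validity window out of tbsCertificate, and reproduces the "not yet valid" verdict when the server's clock, after its own daylight saving setting is applied, is an hour behind the device's even though both displays show the same time. The device name, dates and UTC offsets are constructed, and the assumption that Security Manager's thumbprint is the SHA-1 fingerprint of the DER certificate is marked in the code.

```python
# Added example (not Cisco's code): build a constructed DER certificate, compute
# its thumbprint, read its validity window and reproduce the "not yet valid" error
# a server clock that lags the device (e.g. through a DST mismatch) produces.
import hashlib
from datetime import datetime, timedelta, timezone

# ---- minimal DER encoder, used only to construct the sample certificate ----
def _length(n):  # short form below 128, long form (0x81/0x82 + big-endian) above
    return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")

def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def seq(*items):
    return tlv(0x30, b"".join(items))

OID_CN = bytes.fromhex("0603550403")                        # 2.5.4.3 (commonName)
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")    # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("06092a864886f70d010101")           # 1.2.840.113549.1.1.1

def utctime(dt):  # UTCTime "YYMMDDHHMMSSZ", always expressed in UTC
    return tlv(0x17, dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ").encode())

def build_sample_cert(not_before, not_after):
    """Structurally valid X.509 v3 DER; the key and signature are dummy zero bytes."""
    name = seq(tlv(0x31, seq(OID_CN, tlv(0x0C, b"asa-lab.example"))))  # constructed CN
    sig_alg = seq(OID_SHA256_RSA, tlv(0x05, b""))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                  # [0] version: v3
        tlv(0x02, b"\x01"),                             # serialNumber
        sig_alg, name,                                  # signature, issuer
        seq(utctime(not_before), utctime(not_after)),   # validity
        name,                                           # subject
        seq(seq(OID_RSA, tlv(0x05, b"")), tlv(0x03, bytes(33))),  # subjectPublicKeyInfo
    )
    return seq(tbs, sig_alg, tlv(0x03, bytes(33)))

# ---- minimal DER reader: just enough to reach tbsCertificate.validity ----
def read_tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, raw):  # 0x17 UTCTime (two-digit year) or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def validity_window(cert_der):
    _, cert, _ = read_tlv(cert_der)
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:  # optional explicit version; drop it so validity is index 3
        tbs = tbs[1:]
    (nb_tag, nb), (na_tag, na) = children(tbs[3][1])
    return parse_time(nb_tag, nb), parse_time(na_tag, na)

def thumbprint(cert_der):
    """Assumption: Security Manager's thumbprint is the SHA-1 fingerprint of the DER."""
    return hashlib.sha1(cert_der).hexdigest().upper()

def thumbprint_matches(pasted, cert_der):
    """Tolerate colons, spaces and case in a thumbprint pasted from an error message."""
    return "".join(c for c in pasted.upper() if c in "0123456789ABCDEF") == thumbprint(cert_der)

def check_validity(cert_der, manager_now):
    """Same verdict the discovery check gives: 'not yet valid', 'expired' or 'valid'."""
    not_before, not_after = validity_window(cert_der)
    now = manager_now.astimezone(timezone.utc)
    return "not yet valid" if now < not_before else "expired" if now > not_after else "valid"

# ---- constructed scenario: identical wall clocks, different DST settings ----
WALL_CLOCK = datetime(2013, 6, 10, 9, 0, 0)                            # what both displays show
DEVICE_NOW = WALL_CLOCK.replace(tzinfo=timezone(timedelta(hours=-5)))  # device: DST not applied
SERVER_NOW = WALL_CLOCK.replace(tzinfo=timezone(timedelta(hours=-4)))  # server: DST applied

def sample_cert():
    """The certificate the device generates 'now', valid for one year."""
    return build_sample_cert(DEVICE_NOW, DEVICE_NOW + timedelta(days=365))

def dst_mismatch_demo():
    """Server's UTC is an hour behind the device's, so the fresh certificate is rejected."""
    cert = sample_cert()
    return check_validity(cert, SERVER_NOW), check_validity(cert, DEVICE_NOW)
```

Calling `dst_mismatch_demo()` returns `("not yet valid", "valid")`: the same certificate passes once the clock used for the check agrees with the device's, which is the fix the section describes (align the daylight saving setting first, then synchronize the clocks). `thumbprint_matches` shows the normalization a manual thumbprint entry needs, since the value copied from the error message may carry separators or a different case.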