8-72
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Configuring CA Certificates
Note: ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS
negotiations. You must add the certificate that signed the server certificate to the CA. You must ensure
that the chain is signed correctly and that all the certificates are valid.
If the server certificate and the CA that signed the server certificate are installed on ACS, ACS sends the
full certificate chain to the client.
Related Topics
Adding a Certificate Authority, page 8-72
Editing a Certificate Authority and Configuring Certificate Revocation Lists, page 8-73
Deleting a Certificate Authority, page 8-74
Exporting a Certificate Authority, page 8-75
Adding a Certificate Authority
The supported certificate formats are DER, PEM, or CER.
To add a trusted CA (Certificate Authority) certificate:
Step 1 Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate page appears.
Step 2 Click Add.
Step 3 Complete the fields in the Certificate File to Import page as described in Table 8-22.
Step 4 Click Submit.
The new certificate is saved. The Trust Certificate List page appears with the new certificate.
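The note under Configuring CA Certificates requires that the CA you add is the one that signed the server certificate and that all certificates are valid. The following shell functions, an added example that is not part of the Cisco guide, run those checks with the OpenSSL command line on a workstation before the file is imported in Step 3. The file names are placeholders, and the signing CA is assumed to be a self-signed root certificate.

```sh
#!/bin/sh
# Added example: pre-import checks for a CA certificate file, using the OpenSSL CLI.
# Assumption: the signing CA is a self-signed root certificate.

# Print PEM or DER for a parseable X.509 file; fail on anything else.
# A .cer file may hold either encoding, so the content is probed, not the name.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        fmt=PEM
    else
        fmt=DER
    fi
    openssl x509 -in "$1" -inform "$fmt" -noout 2>/dev/null || return 1
    echo "$fmt"
}

# Write a PEM copy of certificate $1 to $2, whatever its encoding.
to_pem() {
    in_fmt=$(cert_format "$1") || return 1
    openssl x509 -in "$1" -inform "$in_fmt" -out "$2" -outform PEM
}

# Succeed if certificate $1 does not expire within the next $2 seconds (default 0).
cert_not_expired() {
    in_fmt=$(cert_format "$1") || return 1
    openssl x509 -in "$1" -inform "$in_fmt" -noout -checkend "${2:-0}" >/dev/null
}

# Succeed only if CA file $1 signed server certificate $2 and both are
# inside their validity periods (openssl verify checks signature and dates).
ca_signed_server() {
    work=$(mktemp -d) || return 1
    if to_pem "$1" "$work/ca.pem" && to_pem "$2" "$work/server.pem" &&
        openssl verify -CAfile "$work/ca.pem" "$work/server.pem" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

# Usage (file names are placeholders):
#   cert_format ca.cer && cert_not_expired ca.cer 2592000 &&
#       ca_signed_server ca.cer acs-server.pem && echo "OK to import"
```

A CA file that fails `ca_signed_server` would leave ACS unable to build the chain it sends to clients during TLS negotiation.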
Related Topics
User Certificate Authentication, page B-6
Overview of EAP-TLS, page B-6
Table 8-22 Certificate Authority Properties Page

Option                         Description
Certificate File to Import
Certificate File               Enter the name of the certificate file. Click Browse to navigate to the
                               location on the client machine where the trust certificate is located.
Trust for client with EAP-TLS  Check this box so that ACS will use the certificate trust list for the
                               EAP protocol.
Allow Duplicate Certificates   Allows you to add certificates with the same CN and SKI with different
                               Valid From, Valid To, and Serial numbers.
Description                    Enter a description of the CA certificate.