B-10
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-TLS
Initial Self-Signed Certificate Generation, page B-10
Certificate Generation, page B-10
Importing the ACS Server Certificate
When you manually import an ACS server certificate, you must supply the certificate file, the private
key file, and the private key password used to decrypt the PKCS#12 private key. The certificate, along
with its private key and private-key password, is added to the Local Certificate store. For non-encrypted
private keys, the user-supplied password may be ignored.
ACS supports PEM or DER formatted X509 certificate files. ACS verifies that an imported certificate
complies with the X509 format and does not perform any hierarchical certificate signature verification.
When importing a certificate, you can configure the certificate for protocols that require an ACS server
certificate, such as TLS-related EAP protocols and the HTTPS Management protocol.
Note Only EAP and HTTPS Management protocols can be configured in ACS 5.4 for certificate-based
authentication.
The input password and private-key, which are cryptographically sensitive information, are passed over
the HTTPS channel. Using HTTPS with a non-authenticated server, for example, a self-signed certificate
for HTTPS server authentication, is not a secure method of passing this sensitive information.
Related Topics
Importing Trust Certificates, page B-9
Initial Self-Signed Certificate Generation, page B-10
Certificate Generation, page B-10
Initial Self-Signed Certificate Generation
An automatically generated, self-signed certificate is placed in the Local Certificate store for each ACS
server. This certificate is used to identify ACS for TLS-related EAP protocols and for HTTPS
Management protocols.
The self-signed certificate is generated with the CN equal to the machine’s hostname, as required for
HTTPS certificates, and is generated when ACS is installed.
Certificate Generation
You can generate ACS server certificates through the Web interface. The output of this process is a
certificate or a certificate request and its corresponding private key and password. The generated
private key is structured as PKCS#12 encrypted, by using a relatively strong automatically generated
password based on at least 128 bits of randomness.
You can select any of these generated private-key lengths: 512, 1024, 2048 or 4096 bit. The certificate
digest algorithms used by ACS are SHA1 and SHA2 256-bit.
Note You should install Windows XP SP3 to use SHA2 256-bit certificates as management certificates.
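Because ACS checks only that an imported certificate is well-formed X509, the points raised in the import and generation sections above (digest algorithm, private-key length, and a CN equal to the hostname for the HTTPS management certificate) are left to the operator. The following Python script is an added example, not part of the Cisco guide or of ACS itself: it parses a DER certificate with the standard library only and reports those three properties. The 2048-bit and SHA1 warning thresholds, the OID constants and the constructed sample built by `sample_cert` are this example's own assumptions; a PEM file would be base64-decoded before calling `check_cert`.

```python
# Added pre-import check for a DER-encoded ACS server certificate. ACS verifies
# only X.509 well-formedness, so digest, key length and CN are checked here.
CN_OID = b"\x55\x04\x03"                               # id-at-commonName
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # rsaEncryption
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"     # sha1WithRSAEncryption
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption
SIG_NAMES = {SHA1_RSA: "sha1WithRSA", SHA256_RSA: "sha256WithRSA"}

def der(tag, body):  # minimal DER TLV encoder, used only to build the sample
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(body):  # split a DER SEQUENCE/SET body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def check_cert(cert_der, hostname):
    tbs = children(children(children(cert_der)[0][1])[0][1])  # tbsCertificate
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs        # drop optional [0] version
    # tbs now: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    sig = SIG_NAMES.get(children(tbs[1][1])[0][1], "unknown")
    cn = next((children(atv)[1][1].decode() for _, rdn in children(tbs[4][1])
               for _, atv in children(rdn) if children(atv)[0][1] == CN_OID), None)
    pubkey = children(tbs[5][1])[1][1][1:]             # BIT STRING minus pad byte
    modulus = children(children(pubkey)[0][1])[0][1]   # RSAPublicKey.n
    bits = int.from_bytes(modulus, "big").bit_length()
    checks = ((bits >= 2048, "RSA key shorter than 2048 bits"),
              (sig != "sha1WithRSA", "SHA1 certificate digest"),
              (cn == hostname, "subject CN does not equal ACS hostname"))
    return {"sig_alg": sig, "key_bits": bits, "cn": cn,
            "warnings": [msg for ok, msg in checks if not ok]}

def sample_cert(cn, modulus, sig_oid):  # constructed demo cert, dummy signature
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + key))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
```

Run `check_cert(open("server.der", "rb").read(), "acs1.example.test")` against a real file and refuse the import if the returned `warnings` list is not empty.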