Chapter 8 Managing Users and Identity Stores

Configuring CA Certificates

You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).

Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems.

Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate. For more information, see Configuring Local Server Certificates, page 18-14.

Note ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS negotiations. You must add the certificate that signed the server certificate to the CA. You must ensure that the chain is signed correctly and that all the certificates are valid.

If the server certificate and the CA that signed the server certificate are installed on ACS, ACS sends the full certificate chain to the client.

Related Topics

Adding a Certificate Authority, page 8-69

Editing a Certificate Authority and Configuring Certificate Revocation Lists, page 8-70

Deleting a Certificate Authority, page 8-71

Exporting a Certificate Authority, page 8-72

Adding a Certificate Authority

The supported certificate formats are DER, PEM, or CER.

To add a trusted CA (Certificate Authority) certificate:

Step 1 Select Users and Identity Stores > Certificate Authorities.

The Trust Certificate page appears.

Step 2 Click Add.

Step 3 Complete the fields in the Certificate File to Import page as described in Table 8-19:

Table 8-19 Certificate Authority Properties Page

Option                          Description

Certificate File to Import

Certificate File                Enter the name of the certificate file. Click Browse to navigate to the location on the client machine where the trust certificate is located.

Trust for client with EAP-TLS   Check this box so that ACS will use the certificate trust list for the EAP protocol.

Allow Duplicate Certificates    Allows you to add certificates with the same CN and SKI with different Valid From, Valid To, and Serial numbers.

Description                     Enter a description of the CA certificate.

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
8-69