Chapter 8 Managing Users and Identity Stores

Configuring CA Certificates

Step 4 Click Submit.

The new certificate is saved. The Trust Certificate List page appears with the new certificate.

Related Topics

User Certificate Authentication, page B-6

Overview of EAP-TLS, page B-6

Editing a Certificate Authority and Configuring Certificate Revocation Lists

Use this page to edit a trusted CA (Certificate Authority) certificate.

Step 1 Select Users and Identity Stores > Certificate Authorities.

The Trust Certificate page appears with a list of configured certificates.

Step 2 Click the name that you want to modify, or check the check box for the Name, and click Edit.

Complete the fields in the Edit Trust Certificate List Properties Page as described in Table 8-20:

When ACS delays the CA CRL, the CA is retained on the local file system and is not refreshed until you resubmit it.

By default, ACS fails all user certificates issued by a CA whose CRL has expired.

If the CA is resubmitted, the following error is shown: 12514 EAP-TLS failed SSL/TLS handshake. This is because of the unknown CA.

If the CA is not resubmitted, the following error is shown: 12515 EAP-TLS failed SSL/TLS handshake. This is because of the expired CRL.

If you choose Ignore CRL Expiration, authentication fails for revoked certificates and succeeds for non-revoked certificates.
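The following is an added illustration, not Cisco code or any ACS API: it models the CRL-expiration behaviour described above (default: every user certificate of a CA with an expired CRL fails; Ignore CRL Expiration: only revoked certificates fail) and applies the inclusive validity window stated for Valid from / Valid To in Table 8-20. The class names, the outcome strings and all certificate, serial and CRL data are constructed for the example.

```python
"""Model of the ACS CRL-expiration decision for EAP-TLS user certificates.

Added illustration only. It encodes the documented behaviour:
  - default: every user certificate of a CA whose CRL has expired fails
    (the client sees 12515 EAP-TLS failed SSL/TLS handshake);
  - Ignore CRL Expiration: revoked certificates fail, others succeed;
  - a certificate is valid from its start date to its end date, inclusive.
All names and sample data below are constructed, not from the document.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class TrustedCA:
    friendly_name: str
    crl_next_update: datetime                 # nextUpdate of the CRL held on the local file system
    revoked_serials: set = field(default_factory=set)
    ignore_crl_expiration: bool = False       # the "Ignore CRL Expiration" check box


@dataclass
class UserCertificate:
    serial_number: int
    valid_from: datetime
    valid_to: datetime


def evaluate_user_certificate(ca: TrustedCA, cert: UserCertificate, now: datetime) -> str:
    """Return 'accept' or a 'reject: ...' reason for one EAP-TLS client certificate."""
    # Table 8-20: valid only from the start date to the end date (inclusive).
    if not (cert.valid_from <= now <= cert.valid_to):
        return "reject: certificate outside its validity period"

    crl_expired = now > ca.crl_next_update
    if crl_expired and not ca.ignore_crl_expiration:
        # Default behaviour: an expired CRL fails every certificate of this CA.
        return "reject: CRL for this CA has expired"

    # CRL is current, or its expiration is ignored: check revocation status.
    if cert.serial_number in ca.revoked_serials:
        return "reject: certificate revoked"
    return "accept"


# Constructed sample data (not from the original document).
UTC = timezone.utc
NOW = datetime(2012, 3, 1, 12, 0, tzinfo=UTC)
CRL_STALE_SINCE = datetime(2012, 2, 1, tzinfo=UTC)     # CRL nextUpdate already in the past

CA_DEFAULT = TrustedCA("Corp Issuing CA", CRL_STALE_SINCE, {0x1A2B})
CA_IGNORE = TrustedCA("Corp Issuing CA", CRL_STALE_SINCE, {0x1A2B}, ignore_crl_expiration=True)

GOOD_CERT = UserCertificate(0x0C0D, datetime(2011, 1, 1, tzinfo=UTC), datetime(2013, 1, 1, tzinfo=UTC))
REVOKED_CERT = UserCertificate(0x1A2B, datetime(2011, 1, 1, tzinfo=UTC), datetime(2013, 1, 1, tzinfo=UTC))
EXPIRED_CERT = UserCertificate(0x0E0F, datetime(2010, 1, 1, tzinfo=UTC), datetime(2011, 12, 31, tzinfo=UTC))
LAST_DAY_CERT = UserCertificate(0x0B0B, datetime(2011, 1, 1, tzinfo=UTC), NOW)   # ends exactly now


def decision_table() -> dict:
    """Evaluate every sample certificate under both CA settings, keyed by (setting, cert)."""
    settings = {"default": CA_DEFAULT, "ignore_crl_expiration": CA_IGNORE}
    certs = {"good": GOOD_CERT, "revoked": REVOKED_CERT,
             "expired": EXPIRED_CERT, "last_day": LAST_DAY_CERT}
    return {(s, c): evaluate_user_certificate(ca, cert, NOW)
            for s, ca in settings.items() for c, cert in certs.items()}


if __name__ == "__main__":
    for (setting, cert_name), outcome in decision_table().items():
        print(f"{setting:>22} / {cert_name:<8} -> {outcome}")
```

Running the block prints the decision table for both settings; note that under the default setting even the non-revoked certificate is rejected while the CRL is stale, which is the reason to resubmit the CA rather than leave the CRL expired.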

Table 8-20 Edit Certificate Authority Properties Page

Option                          Description

Issuer

Friendly Name                   The name that is associated with the certificate.

Description                     (Optional) A brief description of the CA certificate.

Issued To                       Display only. The entity to which the certificate is issued. The name
                                that appears is from the certificate subject.

Issued By                       Display only. The certification authority that issued the certificate.

Valid from                      Display only. The start date of the certificate’s validity. An X.509
                                certificate is valid only from the start date to the end date
                                (inclusive).

Valid To (Expiration)           Display only. The last date of the certificate’s validity.

Serial Number                   Display only. The serial number of the certificate.

Description                     Description of the certificate.

Usage

Trust for client with EAP-TLS   Check this box so that ACS will use the trust list for the TLS-related
                                EAP protocols.


User Guide for Cisco Secure Access Control System 5.3


8-70


OL-24201-01
