Appendix B Authentication in ACS 5.3

EAP-TLS

Fixed Management Certificates

ACS generates and uses self-signed certificates to identify itself to the various management protocols and interfaces, such as the Web browser, HTTPS, ActiveMQ, SSH, and SFTP.

Self-signed certificates are generated when ACS is installed and are maintained locally in files outside of the ACS database. You cannot modify or export these certificates. You can, however, assign imported certificates to management interfaces.

Importing Trust Certificates

ACS supports PEM- or DER-formatted X.509 certificate files. You can add a trust certificate to the trust certificate store. ACS verifies that an imported certificate complies with the X.509 format; it does not perform any hierarchical certificate signature (chain) verification. ACS also supports the Microsoft proprietary private key format.

You can mark the imported certificate for immediate trust by TLS-related EAP protocols, which places it in the EAP certificate trust list (CTL). The trust certificate store does not allow duplicate trust certificates. These are the rules for rejecting certificates:

Two certificates cannot have the same subject.

Two certificates cannot have the same issuer and the same serial-number.
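The following is an added example, not code from the ACS product or this guide, that models the import rules above in Go's standard library: a file in PEM or DER form must parse as X.509 (no chain verification is attempted, matching the behaviour described), and a certificate is rejected if it repeats a stored subject or a stored issuer and serial number. The `selfSigned` helper and the `acs1.example.com` name are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TrustStore mirrors the trust certificate store rules: X.509 structure is checked,
// no signature chain is verified, and duplicates by subject or issuer+serial are rejected.
type TrustStore struct{ certs []*x509.Certificate }
func (s *TrustStore) Import(data []byte) error {
	if block, _ := pem.Decode(data); block != nil { // PEM wrapper is optional; DER is accepted as-is
		data = block.Bytes
	}
	c, err := x509.ParseCertificate(data) // structural X.509 check only, no chain building
	if err != nil {
		return fmt.Errorf("not a valid X.509 certificate: %w", err)
	}
	for _, e := range s.certs {
		if bytes.Equal(e.RawSubject, c.RawSubject) {
			return fmt.Errorf("rejected: duplicate subject %q", c.Subject.CommonName)
		}
		if bytes.Equal(e.RawIssuer, c.RawIssuer) && e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("rejected: same issuer and serial number %v", c.SerialNumber)
		}
	}
	s.certs = append(s.certs, c)
	return nil
}

// selfSigned builds a constructed test certificate in DER form (demo helper, not from the manual).
func selfSigned(cn string, serial int64) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return der
}
func main() { // first import succeeds; the second repeats the subject and is rejected
	var ts TrustStore
	fmt.Println(ts.Import(selfSigned("acs1.example.com", 1)), ts.Import(selfSigned("acs1.example.com", 2)))
}
```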

Acquiring Local Certificates

This topic describes the methods by which ACS acquires PKI credentials, and the ways in which you can set the public and private key pairs for each ACS server in the ACS domain.

The credentials consist of an X.509 certificate, which contains the public key, and a PKCS#12 file that holds the matching private key, protected with a password.

The ACS domain may have more than a single ACS server; each domain should have its own set of PKI key pairs to identify itself through the appropriate interfaces.

Some interfaces may require that the certificate identifying ACS contain the IP address or FQDN of the ACS server in its Common Name (CN), to bind the certificate more tightly to the server's address; the HTTPS ACS server certificate used for the Web interface is one example.

For other interfaces, it may be possible to use a common certificate that is shared between the servers; however, Cisco does not recommend that you use a common certificate. Each ACS server's PKI credentials may be obtained either from a self-signed certificate or from a certificate signed by a common certificate authority (CA).

For protocols that require ACS identification, clients should be deployed with at least the lowest common CA certificate that dominates (sits above) all the ACS server certificates used to identify each ACS.

You can pick the PKI policy to be used in your organization and configure the PKI credentials for the ACS domain.

The configured certificate and its private key should not be used outside the ACS machine.

Related Topics

Importing the ACS Server Certificate, page B-10

Initial Self-Signed Certificate Generation, page B-10

Certificate Generation, page B-10

User Guide for Cisco Secure Access Control System 5.3


OL-24201-01

B-9
