Appendix B Authentication in ACS 5.3

EAP-TLS

There are two types of certificate generation:

Self-signed certificate generation — ACS supports generation of an X.509 certificate and a PKCS#12 private key. The passphrase that encrypts the private key in the PKCS#12 is generated automatically as a strong password, and the private key is hidden in the local certificate store.

You can select the newly generated certificate for immediate use for HTTPS Management protocol, for TLS-related EAP protocols, or both.

Certificate request generation—ACS supports generation of a PKCS#10 certificate request with a PKCS#12 private key. The request is downloaded through the Web interface as a PEM-formatted file with a .REQ extension.

The passphrase that encrypts the private key in the PKCS#12 is generated automatically as a strong password, and the private key is hidden in the ACS database. You can download the request file to be signed offline by the RA.

After the RA signs the request, you can install the returned signed certificate on ACS and bind the certificate with its corresponding private key. The binding of the certificate to its private key is automatic.

After binding the signed certificate with the private key, you can mark this certificate for immediate use for HTTPS Management protocol, for TLS-related EAP protocols, or both.
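The generate, sign offline, bind and package steps above, as an added example driven with the OpenSSL command line instead of the ACS interface. This is not code from the user guide: it assumes openssl is installed, uses a throw-away local CA in place of the external RA, and the CN and passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from the ACS user guide): the request/sign/bind
# workflow above, driven with the OpenSSL CLI. Assumes openssl is
# installed; a throw-away local CA stands in for the external RA.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Private key plus PKCS#10 request, PEM-formatted with a .req extension
# (the form the guide says the downloaded request takes). CN is a placeholder.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/acs.key" -out "$WORK/acs.req" \
        -subj "/CN=acs.example.test" 2>/dev/null
    openssl req -in "$WORK/acs.req" -noout -verify 2>/dev/null
}

# Stand-in RA: a local self-signed CA that signs the request offline.
sign_request() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ra.key" -out "$WORK/ra.cer" \
        -subj "/CN=Example RA" 2>/dev/null
    openssl x509 -req -in "$WORK/acs.req" -CA "$WORK/ra.cer" \
        -CAkey "$WORK/ra.key" -CAcreateserial -days 1 \
        -out "$WORK/acs.cer" 2>/dev/null
}

# The binding check ACS performs automatically when the signed certificate
# is installed: the certificate's public key must equal the one derived
# from the held private key. Returns 0 on match, 1 otherwise.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Package certificate and key as a passphrase-protected PKCS#12 (the
# container the guide describes), then confirm the passphrase opens it.
make_pkcs12() {
    openssl pkcs12 -export -in "$WORK/acs.cer" -inkey "$WORK/acs.key" \
        -out "$WORK/acs.p12" -passout "pass:$1" 2>/dev/null
    openssl pkcs12 -in "$WORK/acs.p12" -noout -passin "pass:$1" 2>/dev/null
}

if [ "${1:-}" = "run" ]; then   # sh script.sh run
    make_request && sign_request \
        && key_matches_cert "$WORK/acs.cer" "$WORK/acs.key" \
        && make_pkcs12 "placeholder-passphrase" && echo "ok: $WORK"
fi
```

The mismatch branch of `key_matches_cert` is the case a practitioner wants caught before install: a certificate returned by the RA for a different request will fail the comparison and must not be bound.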

Related Topics

Configuring CA Certificates, page 8-68

Configuring Certificate Authentication Profiles, page 8-72

EAP-TLS Flow in ACS 5.3, page B-13

Exporting Credentials

You can export general trust certificates, an ACS server certificate with or without its private key, and previously generated certificate requests from the certificate stores. You cannot export the request for a private key. You can download certificate files with a .CER extension. The file format is unchanged from the format in which it was imported into ACS.

For ACS server certificates that also contain a private key, you can download the public certificate as a regular certificate with a .CER extension. The file format is retained.

For certificate requests, you can export the public request in order to re-issue the certificate request to an RA. The request is downloaded with a .REQ extension in the same format in which it was generated.

Only administrators with the highest administrator privileges can export the certificate private key and its password. A warning about the security implications of this action is displayed twice, and each must be approved before the export operation proceeds.

After this double check, the private key file can be downloaded with a .PVK extension, and the private key password can be downloaded with a .PWD extension. The private key file format is retained.

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

B-11