Chapter8 E stablishing CiscoSecure ACS System Configuration
Certification Authority Setup
8-70
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Result: Cisco Secure ACS displays the Installed Certificate Information table on
the ACS Certificate Setup page.
Note If your Cisco Secure ACS has not already been enrolled with a certificate, you
do not see the Installed Certificate Information table. Rather, you see the
Install new certificate table. If this is the case, you can proceed to Step 5.
Step 3 Click Enroll New Certificate.
Result: A confirmation dialog box appears.
Step 4 To confirm that you intend to enroll a new certificate, click OK.
Result: The existing Cisco Secure ACS certificate is removed.
Step 5 You can now install the replacement certificate in the same manner as an original
certificate. For detailed procedural information, see the “Installing
Cisco Secure ACS Certification with Manual Enrollment” section on page 8-66
or the “Installing Cisco Secure ACS Certification with Automatic Enrollment”
section on page 8-68.
Certification Authority SetupCisco Secure ACS comes preconfigured with a list of popular CAs, none of which
are enabled until you explicitly signify trustworthiness. To specify one or more
CAs as trusted for user certification, you perform the procedure in the “Editing
the Certificate Trust List” section on page 8-72.
You perform the procedure in the “Adding a New CA Certificate to Local
Certificate Storage” section on page 8-72 to add a new CA to your certificate trust
list (CTL).
Cisco Secure ACS uses the CTL to verify the client certificates. Only certificates
that were issued by a CA that exists in the Cisco Secure ACS CTL are trusted by
Cisco Secure ACS. If all the clients and Cisco Secure ACS are getting their
certificates from the same CA you do not need to add any CA to the CTL because
Cisco Secure ACS automatically trusts the CA that issues its certificate. You do
need to install the certificate for the CA that issued the Cisco Secure ACS Server
Certificate, but there is no need to add it to the CTL.