https://community.cisco.com/t5/network-security/failover-nac-server-with-ca-cert-help/m-p/1489161#M738347 <P>Hi everybody.</P><P></P><P><SPAN class="long_text" id="result_box"><SPAN>I have worked with projects of NAC, but recently working with Failover have some doubts.<BR /><BR /></SPAN><SPAN style="background-color: #fff;">Speaking in an easy to understand exactly what processes to configure failover with certificates generated by CA?<BR /><BR /></SPAN><SPAN style="background-color: #fff;">1 - CA to be the domain?<BR /><BR /></SPAN><SPAN>Let's take an easy example:<BR /></SPAN><SPAN style="background-color: #fff;">I Have CAS01 (real ip) and CAS02 (real IP)<BR /><BR /></SPAN><SPAN style="background-color: #fff;">2 - CAS01 I access the tab "X509 Certification Request" and generate CSR with the information:<BR /><BR /></SPAN><SPAN style="background-color: #fff;">CN = CAS.domain; CAS = (ip service)<BR /><BR /></SPAN><SPAN style="background-color: #fff;">3 - I selected the private key + Certificate request and click in Export (save)= CSR.pem Certificate request generated by CAS01 and import this file to the CA in which will generate the certificate.cert (based on the CSR and the private key CAS01).<BR /><BR /></SPAN><SPAN style="background-color: #fff;">4 - After the file certificate.cert in hand, I care for this CAS01 (X509 Certificate tab) + root.cert (CA = certificate of Trusted Certificate Authorities tab).<BR /><BR /></SPAN><SPAN style="background-color: #fff;">5 - I'll do the failover configurations in this tab to complete steps in CAS01.<BR /><BR /></SPAN><SPAN>------------------------------------------CAS02 ----------------------------------------<BR /><BR /></SPAN><SPAN>Now come the questions:<BR /><BR /></SPAN><SPAN style="background-color: #fff;">According to documentation, I use the same certificate+privatekey and care for the CAS02.<BR /></SPAN><SPAN style="background-color: #fff;">But when I do this because I had message like "private key not found".</SPAN></SPAN></P><P></P><P><SPAN class="long_text"><SPAN style="background-color: #fff;">In others case, when I exported the&nbsp; certicate + private key(CAS01 - x509 certificate TAB) and Imported to the CAS02, the CAS02 takes the IP Service and CAS01 and CAS02 were inaccessible.&nbsp; : 0 </SPAN><SPAN style="color: #000; background-color: #e6ecf9;">What is the correct way when using certificates generated by CA??</SPAN></SPAN></P><P><BR /></P><P><SPAN style="color: #000; background-color: #e6ecf9; "><SPAN class="long_text" id="result_box"><SPAN style="background-color: #fff;"><BR /></SPAN><SPAN style="background-color: #ebeff9;">We can describe in detail the processes in CAS02??<BR /></SPAN><SPAN style="background-color: #fff;">Is there any case incorrect in CAS01??</SPAN></SPAN></SPAN></P> Fri, 21 Feb 2020 12:03:19 GMT Tiago Andrade de Paula 2020-02-21T12:03:19Z https://community.cisco.com/t5/network-security/failover-nac-server-with-ca-cert-help/m-p/1489161#M738347 <P>Hi everybody.</P><P></P><P><SPAN class="long_text" id="result_box"><SPAN>I have worked with projects of NAC, but recently working with Failover have some doubts.<BR /><BR /></SPAN><SPAN style="background-color: #fff;">Speaking in an easy to understand exactly what processes to configure failover with certificates generated by CA?<BR /><BR /></SPAN><SPAN style="background-color: #fff;">1 - CA to be the domain?<BR /><BR /></SPAN><SPAN>Let's take an easy example:<BR /></SPAN><SPAN style="background-color: #fff;">I Have CAS01 (real ip) and CAS02 (real IP)<BR /><BR /></SPAN><SPAN style="background-color: #fff;">2 - CAS01 I access the tab "X509 Certification Request" and generate CSR with the information:<BR /><BR /></SPAN><SPAN style="background-color: #fff;">CN = CAS.domain; CAS = (ip service)<BR /><BR /></SPAN><SPAN style="background-color: #fff;">3 - I selected the private key + Certificate request and click in Export (save)= CSR.pem Certificate request generated by CAS01 and import this file to the CA in which will generate the certificate.cert (based on the CSR and the private key CAS01).<BR /><BR /></SPAN><SPAN style="background-color: #fff;">4 - After the file certificate.cert in hand, I care for this CAS01 (X509 Certificate tab) + root.cert (CA = certificate of Trusted Certificate Authorities tab).<BR /><BR /></SPAN><SPAN style="background-color: #fff;">5 - I'll do the failover configurations in this tab to complete steps in CAS01.<BR /><BR /></SPAN><SPAN>------------------------------------------CAS02 ----------------------------------------<BR /><BR /></SPAN><SPAN>Now come the questions:<BR /><BR /></SPAN><SPAN style="background-color: #fff;">According to documentation, I use the same certificate+privatekey and care for the CAS02.<BR /></SPAN><SPAN style="background-color: #fff;">But when I do this because I had message like "private key not found".</SPAN></SPAN></P><P></P><P><SPAN class="long_text"><SPAN style="background-color: #fff;">In others case, when I exported the&nbsp; certicate + private key(CAS01 - x509 certificate TAB) and Imported to the CAS02, the CAS02 takes the IP Service and CAS01 and CAS02 were inaccessible.&nbsp; : 0 </SPAN><SPAN style="color: #000; background-color: #e6ecf9;">What is the correct way when using certificates generated by CA??</SPAN></SPAN></P><P><BR /></P><P><SPAN style="color: #000; background-color: #e6ecf9; "><SPAN class="long_text" id="result_box"><SPAN style="background-color: #fff;"><BR /></SPAN><SPAN style="background-color: #ebeff9;">We can describe in detail the processes in CAS02??<BR /></SPAN><SPAN style="background-color: #fff;">Is there any case incorrect in CAS01??</SPAN></SPAN></SPAN></P> Fri, 21 Feb 2020 12:03:19 GMT https://community.cisco.com/t5/network-security/failover-nac-server-with-ca-cert-help/m-p/1489161#M738347 Tiago Andrade de Paula 2020-02-21T12:03:19Z https://community.cisco.com/t5/network-security/failover-nac-server-with-ca-cert-help/m-p/1489162#M738376 <HTML><HEAD></HEAD><BODY><P>Tiago,</P><P></P><P><SPAN>Please reveiw this document first: </SPAN><A class="jive-link-external-small" href="http://bit.ly/aGr7bw">http://bit.ly/aGr7bw</A></P><P></P><P>In case of CA signed certificates, you would follow the same procedure. The only difference is that before you start installing the certificate, make sure that the root certificate from the CA is installed in the Trusted Certificate Authorities of both the CASs. Once that is in place, generate the cert from one CAS, and then install the pvk+cert on both.</P><P></P><P>HTH,</P><P>Faisal</P></BODY></HTML> Mon, 16 Aug 2010 14:45:01 GMT https://community.cisco.com/t5/network-security/failover-nac-server-with-ca-cert-help/m-p/1489162#M738376 Faisal Sehbai 2010-08-16T14:45:01Z