topic Re: CA problem with NAC in Network Security

CA problem with NAC

IT_Data_CorporateNet — Fri, 21 Feb 2020 11:49:48 GMT

Hello there,

I'm using Internal CA (Microsoft Win 2003 CA) to provide SSL certificates to NAC. The problem is that, end users are still getting warnings on login to the network the same way as when i was using the Perfigo Certificate. I've tried to install the server certificate to clients but still the CA is seems to be untrusted. Does this mean that i have to buy certificates from trusted Authorities like Verisign or still there is something i can do to my CA? Please help.

regards,

Stanslaus.

Re: CA problem with NAC

Faisal Sehbai — Tue, 15 Dec 2009 18:06:57 GMT

Stanslaus,

You need to take the Root certificate and install that on the clients.

HTH,

Faisal

Re: CA problem with NAC

IT_Data_CorporateNet — Tue, 15 Dec 2009 18:27:25 GMT

Hi Faisal,

Thanks for your reply. See the attachment. When on clients i click on "

To trust certificates issued from this certification authority, install this CA certificate.'". I'm not very good on setup PKI. How do i get and install the root certificate. My CA is Standalone Root CA.

Thanks.

Stanslaus.

Re: CA problem with NAC

Faisal Sehbai — Tue, 15 Dec 2009 18:37:05 GMT

Stanslaus,

If you click on that link, does it tell you to download a cert?

If so, take that file to the client and double click on it. It should install in the correct store automatically.

HTH,

Faisal

Re: CA problem with NAC

IT_Data_CorporateNet — Tue, 19 Jan 2010 08:04:52 GMT

Hi Faisal,

Happy new year 2010!!.

I was on leave and had no time to work on this.

Thanks for your assistance. I had two warnings one was that "The Certificate was not from a trusted authority" (Resolved by you last reply) and the other is saying that "The Certificate does not match the site you are viewing". This is still persisting. Please if you know the reason.

regards,

Stanslaus.

Re: CA problem with NAC

Faisal Sehbai — Sun, 24 Jan 2010 04:22:42 GMT

Stanslaus,

The second problem will come up if you're trying to access the device in question with a name that is different than what the cert says the name should be. For example if your cas is named cas1.abc.com and you try to access it with the url consisting of the ip address for that CAS, you will see that message. Ensure that the CN you have for the certificate is what you're using to access the CAS and you shouldn't see that problem.

HTH,

Faisal

Re: CA problem with NAC

IT_Data_CorporateNet — Sun, 24 Jan 2010 17:59:56 GMT

Thanks Faisal,

At the begining i created Certificate requests using FQDN of the appliances as CN. Although i could access the appliances using FQDNs for some reasons CAS was redirecting using IP Address. I've recreated the Certificates using IPs as CNs and now it is working fine. Thank you very much for your support.

regards,

Stanslaus.

Re: CA problem with NAC

rhobab — Mon, 22 Feb 2010 16:41:36 GMT

Hello. Could you help on how you managed to get the Microsoft CA to issue

certificates for NAC. I'm having trouble installing them in NAC and am not sure that I am requesting them correctly.

Thanks

Victor

Re: CA problem with NAC

IT_Data_CorporateNet — Fri, 26 Feb 2010 12:53:10 GMT

Hi Victor,

What error are you getting during the certificate import? You need to create a X509 Certification Request (for CAS and also for CAM) under the SSL certificate section. Export the request (remember to select the Private Key also during the export of the request).

Then follow the steps in the following link:

http://technet.microsoft.com/en-us/library/cc736590%28WS.10%29.aspx

After getting the certificate follow steps to import the certificate outlined in the NAC configuration Guide.

regards,

Stanslaus.

Re: CA problem with NAC

rhobab — Fri, 26 Feb 2010 14:35:01 GMT

Hello

I have managed to solved the problem. I had to convert the certificates supplied by the Microsoft CA from DER to PEM.

Victor