https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284338#M826880 <HTML><HEAD></HEAD><BODY><P><A class="jive-link-custom" href="http://technet.microsoft.com/en-us/library/cc780649" target="_blank">http://technet.microsoft.com/en-us/library/cc780649</A>(WS.10).aspx</P></BODY></HTML> Wed, 17 Jun 2009 12:46:39 GMT srue 2009-06-17T12:46:39Z https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284333#M826875 <P>Hi,</P><P></P><P>Can anyone tell me if/how to generate/install a Certificate from our internal windows based certificate authority.</P><P></P><P>We have redundant CAM and CAS and need to deploy to a production environment but the only certificate is the default perfigo that the appliances come with.</P> Fri, 21 Feb 2020 11:31:08 GMT https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284333#M826875 r.robins 2020-02-21T11:31:08Z https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284334#M826876 <HTML><HEAD></HEAD><BODY><P>you really should read the documentation guides for this info. the nac appliances are very sensitive to the order in which certificates are installed in the larger process of a nac deployment. </P><P></P><P>here's what i usually do though:</P><P></P><P>1. create self-generated certs (which also creates a CSR) using the information you want to be put into the final cert (same hostname, IP, etc etc)</P><P>(since you're using HA, be sure to create a CSR based on the SHARED IP or hostname) </P><P>2. export CSR and private key from one CAM and one CAS</P><P>3. use CSR to request cert from 3rd party cert vendor</P><P>4. import requested cert into both CAMs and CASs, and import the private key to the other CAS/CAM whose CSR was not used to request 3rd party cert</P><P>5. import root cert of 3rd party cert vendor into all appliances</P><P></P><P>...from here, you can configure HA and add the CAS to the CAM in the orders outlined in the config guides. READ IT VERY CAREFULLY.</P><P></P><P>anyone else have anything to add? its been awhile so i might be leaving a step or two out.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html" target="_blank">http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html</A></P></BODY></HTML> Tue, 16 Jun 2009 18:51:34 GMT https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284334#M826876 srue 2009-06-16T18:51:34Z https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284335#M826877 <HTML><HEAD></HEAD><BODY><P>Sorry, I may have been a lttle vague.</P><P></P><P>Our internal CA server has a root cert from verisign, what we want to do is create a cert for the NAC appliances on our own CA.</P><P></P><P>Is this possible, if so how ?</P><P></P></BODY></HTML> Wed, 17 Jun 2009 07:51:46 GMT https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284335#M826877 r.robins 2009-06-17T07:51:46Z https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284336#M826878 <HTML><HEAD></HEAD><BODY><P>you can still use youur internal CA to issue certs, but in CA terms, unless you paid for the correct cert, your internal CA server is not a 'subordinate' CA for verisign. but as long as all your pc's going through nac have the domain root cert installed, it should avoid the SSL Cert warning you would otherwise get.</P></BODY></HTML> Wed, 17 Jun 2009 11:53:24 GMT https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284336#M826878 srue 2009-06-17T11:53:24Z https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284337#M826879 <HTML><HEAD></HEAD><BODY><P>Can you tell me how to do this ?</P></BODY></HTML> Wed, 17 Jun 2009 11:56:04 GMT https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284337#M826879 r.robins 2009-06-17T11:56:04Z https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284338#M826880 <HTML><HEAD></HEAD><BODY><P><A class="jive-link-custom" href="http://technet.microsoft.com/en-us/library/cc780649" target="_blank">http://technet.microsoft.com/en-us/library/cc780649</A>(WS.10).aspx</P></BODY></HTML> Wed, 17 Jun 2009 12:46:39 GMT https://community.cisco.com/t5/network-security/nac-certicates-windows-2003-ca/m-p/1284338#M826880 srue 2009-06-17T12:46:39Z