Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ACS 4.2 Generate self-signed Certificate

Hello Community,

i want to authentificate my Clients with certificates.

I want to create an self-signed Certificate von my ACS 4.2.

When u create an self-signed Certificate, there are 3 Files:

Certificate File:

Private key file:

Private key password:

After creating , i take this certificate and go to my Windows XP Client install it and enable 802.1x authentification : is this right ?

How can i implement this self-signed certificate to my domain ?

How do clients handle the private key ?

iam also got thinclients where i can use certificates, but i dont know how to use the private key.


Tarik Admani


This is not the proper way, the self signed cert is for this acs only. You will need to deploy a windows ca, and use the auto enrollment feature so that all domain machines will receive a cert. Next you will have to generate a certificate signing request on your acs and submit this to your CA. After your receive your signed certificate, you will install this on the acs. Finally you will have to configure all your clients to use eap tls to authenticate to the network.


Sent from Cisco Technical Support iPad App

hello Tarik,

thank u for your fast answer.

But is that possible that the clients use the self signed certificate ?



You can use the self signed certificate on your clients. The one that you will download from ACS is actually the root CA certificate and you need to install it on the clients. When you choose the trusted root certificate for your EAP method (say PEAP) you choose this CA certificate to be used. (or you can configure to trust whatever available CA root certificate. it depends on the supplicant that you use).

You don't need to do anything with the private key at this point. Just install the certificate (root CA cert) on your clients so they trust the self signed certificate generated on the ACS.

see the answer in this post:



Rating useful replies is more useful than saying "Thank you"


The ACS self signed certificate means that there isnt a root certificate in this setup.


If you are trying to use eap-tls to authenticate your clients, then you will have to follow the steps above.


Tarik Admani
*Please rate helpful posts*

Tarik: you can generate self-signed cert and use the generated certificate as a root certificate on clients. Otherwise, what is the point of generating self-signed certificate if you can not implement PWAP auth (for example)?

I am using self signed cert in my setup and it is working perfectly with the way I explained.



Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

You are correct but Sebastian was asking for client authentication.

The only purpose of installing the acs ssc is so it will trust the radius server for authentication, and not prompt the user to trust the cert. it's better to not validate the cert in these conditions, but that is my opinion.


Sent from Cisco Technical Support iPad App

Exactly Tarik.

I supposed he is using PEAP not EAP-TLS.

If he is using EAP-TLS then you are absolutely right and a cert from a trusted CA is needed.

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"


The first line sates that he would to authenticate his clients with certificates, that means eap-tls.


Sent from Cisco Technical Support iPad App

Hi Guys,

Pls help me.

Requirement:  Only laptop/desktop which are registered with domain should connect to specific SSID. 

As i seen some document they are telling to generate CA root certificate and then to try.

can i know how can i generate CA root certificate from ACS server.



Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube