Hi Noel,
Please see my answers inline:
option A:
so what you trying to say is after create the self-signed certificate, then manually copy the certificate and install on the client's OS? (am i rite)
[A] Correct, if you want your clients to trust the ACS self-signed certificate.
option B:
Is there any other way round i can let the ACS express generate CSR? so i can use this CSR and let the CA server signed and installed again on ACS express? (i have the CA server with me..)
[A] ACS Express has no way toi generate a CSR, so you could proceed with the following (on a Microsoft CA for example):
1. Request the Cert (Generate the CSR) via a browser.
On a PC with web browser, connect to Cert Server to request a cert for ACS Express (replace the CAServer with the specific host running the Cert Server)
* Do it this way so that you can export the cert
* IE to URL http://CAServer/CertSrv
* Login with admin account on AD Domain
* Check Request a certificate
* Select Advanced Request
* Select Submit a certificate Request to this CA
* Select Web Server template
* In Name (of the cert), give something unique to your ACS
* In CSP, default of MS Base Crypto Provider 1.0 is fine
* Key Usage could leave as Both or "Exchange"
* Key Size should be 1024
* Check "Create new key"
* Check "Set the container name" and put in something unique to your ACS Express
* Leave uncheck "Enable strong private key protection"
* Check "Mark keys as exportable" '''Leave Export keys to file uncheck'''
* Check "Use local machine store"
* Submit the request.
2. Copying the Cert from Windows Cert Server (after the Cert is available)
* Use MMC to find the cert and Export it.
* If you cannot find it in MMC the cert can always be located on the CA, under "Issued Certificates", on Details tab, click "Copy to File" to export the cert.
* Select to export the private key (since ACS will ask for the private key file)
* Use OpenSSL to convert .pfx/.pvk to .pem
* Win32 OpenSSL can be download from http://gnuwin32.sourceforge.net/packages/openssl.htm
* openssl pkcs12 -in c:\privateKeyFileName.pfx -out c:\privateKeyFileName.pem -nodes
* The cert files are now ready for upload to ACS Express
3. On ACS Express: Install/Upload Cert via the browser
* Connect to ACS Express via a browser
* Install certificate with "Install ACS Certificate",
* Give the CA name for the cert to install (instead of cer file)
* You can directly use the .pem file generated above for keyfile, ACS Express will know how to parse the private key and ignore the other parts
* Point ACS to the CA in "ACS CA Setup" and provide the name
* Update Trust List
option C:
to back your statement "you'd then need either not to validate any server certificate, or to import the ACS self-signed certificate as a root CA certificate to trust the ACS self-signed certificate.."
, is it i should adviec to do this action as showing on this doc? http://www.utoledo.edu/it/NS/pdfs/Vista%20Wireless%20(PEAP).pdf
[A] Yes, to avoid validating the server certificate, on page 6 of this PDF you should not check the option "validate server certificate".
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
