Adam Swindell
Beginner

ACS 5.2 - PEAP certificate question.

I have a question about how the certificates work when using PEAP on ACS 5.2.

But first let me explain the current set up so the question makes more sense.

Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a GoDaddy root certificate and GoDaddy intermediate certificates installed on them (in addition, they have all the certs that are on the phone by default).

On the ACS server there is a certificate that is signed by GoDaddy. This was created by doing the CSR process, etc.

So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server.

Everything works great right now.

Now here is my question.

The private certificate (the one signed and issued by GoDaddy) expires in the middle of next year (2014) (a little ways off, I know, but it is never too early to be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal), and when we install this new signed certificate onto the ACS servers... will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed and new intermediate certificates installed?

From what I can gather, I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by GoDaddy, so as long as the new private certificate is signed by GoDaddy everything should be okay...

Let me know if this is not the case and if I am a very confused person.

Thanks.

PKI makes my head spin.

8 REPLIES
Ravi Singh
Rising star


I would like to suggest that you go through the links below. They will help you understand the configuration and working of certificates.

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bd1100.shtml
http://www.cisco.com/image/gif/paws/113670/eap-authentication-00.pdf

Thanks for the reply.

I've read these docs in the past.

My question isn't so much about how to configure EAP/PEAP/EAP-FAST, but more to do with the behavior of certificates in general I guess.

Basically, when I go to renew (or get a new) signed cert from GoDaddy (in this case), will new root and intermediate certs need to be installed on all the clients (in this case Cisco wireless IP phones)? Or will the current ones still be enough to trust the new signed cert? (Assuming it is signed by the same CA, which it will be.)

The phones can't automatically go out and download all the root certs from major CAs (like Windows does via Windows Update, etc.), so they need to be manually installed... one phone at a time (at least that is the only way I have ever found to do it).

Adam,

To answer your question:

Basically, when I go to renew (or get a new) signed cert from GoDaddy (in this case), will new root and intermediate certs need to be installed on all the clients (in this case Cisco wireless IP phones)? Or will the current ones still be enough to trust the new signed cert? (Assuming it is signed by the same CA, which it will be.)

CAs like GoDaddy, Verisign, etc. constantly change the chain of intermediates and even roots.

To ensure that we are always in sync, you have to take care that all the intermediates and root CAs are in the client trusted store. Just to be sure.

Yes, this is manual.

I am not sure if there is software to push certificates at once to all phones.

Do rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

CAs like GoDaddy, Verisign, etc. constantly change the chain of intermediates and even roots.

Edward: what exactly do you mean by the above?

Rating useful replies is more useful than saying "Thank you"

In olden days, there was just this one CA and then the certificate to be signed.

Nowadays, due to demand in certificate implementations, CA authorities have started using intermediates.

Not just one, but even two intermediates in the certificates, e.g.:

Olden days:

MyCAAuthority-->Signed-->MyIdentityCert

Nowadays:

MyCAAuthority-->Signed-->MySUBCA1-->Signed-->MySUBCA2-->Signed-->MyIdentityCert.

I hope this helps.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
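The two chain shapes Ed draws above are exactly what the phone's server-validation step walks: it must get from the ACS server's certificate, through whatever intermediates it holds, to a root it trusts. The Go program below is an added example (not from the original thread, Cisco, or GoDaddy) that builds a constructed hierarchy with the standard library's crypto/x509, then answers Adam's question for three cases: the ACS cert renewed under the same intermediate the phones already have, the ACS cert renewed under a new intermediate while the phones still hold the old store, and that same cert after the new intermediate is added to the phones. All CA names, the hostname acs.example.test, and the "phone trust store" lists are assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certAndKey bundles a certificate with the private key that can sign children.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate named `name`. With parent == nil it is a self-signed root;
// otherwise parent signs it. isCA marks a signing CA (root/intermediate) rather than an
// end-entity server certificate. In-memory key generation only fails on a broken entropy
// source, so errors are treated as fatal in this constructed example.
func issue(name string, parent *certAndKey, isCA bool) *certAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certAndKey{cert: cert, key: key}
}

// PhoneTrusts models the supplicant's server-validation step: the ACS certificate must
// chain to a root in the phone's trust store using only the intermediates installed there
// (assumption: the phone does not accept intermediates sent by the server in the handshake).
func PhoneTrusts(server *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// RenewalScenarios builds a constructed root -> intermediate -> server hierarchy and reports
// whether a phone holding the original root and intermediate accepts the server certificate:
// renewed under the same intermediate; renewed under a new intermediate with the old store;
// and renewed under the new intermediate once that intermediate is installed on the phone.
func RenewalScenarios() (sameChain, newChainOldStore, newChainUpdatedStore bool) {
	root := issue("Constructed Root CA", nil, true)
	interG1 := issue("Constructed Intermediate G1", root, true) // what the phones hold today
	interG2 := issue("Constructed Intermediate G2", root, true) // a chain change at the CA
	renewedSameChain := issue("acs.example.test", interG1, false)
	renewedNewChain := issue("acs.example.test", interG2, false)

	phoneRoots := []*x509.Certificate{root.cert}
	phoneInters := []*x509.Certificate{interG1.cert}

	sameChain = PhoneTrusts(renewedSameChain.cert, phoneRoots, phoneInters)
	newChainOldStore = PhoneTrusts(renewedNewChain.cert, phoneRoots, phoneInters)
	newChainUpdatedStore = PhoneTrusts(renewedNewChain.cert, phoneRoots, append(phoneInters, interG2.cert))
	return
}

func main() {
	a, b, c := RenewalScenarios()
	fmt.Println("renewed under same intermediate, old phone store:", a)
	fmt.Println("renewed under new intermediate, old phone store: ", b)
	fmt.Println("renewed under new intermediate, G2 installed:    ", c)
}
```

The first case is Adam's "first scenario": a renewal signed by the intermediate the phones already carry validates with no change on the phones. The second is Ed's warning: if the CA moves the server cert under a different intermediate (or a new root), the existing store no longer builds a chain and authentication fails until the missing intermediate (or root) is installed, which is the third case. Before installing the renewed cert on ACS, compare its issuer chain against what the phones hold; that comparison, not the CA's name on the cert, decides whether the phones need touching.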

So basically what this boils down to is... when we get new signed certs for the ACS servers, the phones are all going to need new root certs and new intermediate certs installed? *sigh*

I don't suppose anyone knows if Cisco will be adding the ability to push certs out to phones via TFTP or something? Wishful thinking.

Adam,

Most probably, yes.

If the CA guys have not changed much on their end, you might just be able to work your way around by using the old ones, but I doubt it.

I tried asking around in the voice team for cert upload options but could not get any answer.

You can maybe post in the voice section to get a list of possible ways.

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hi Adam,

I found something on your requirement:

Auto-enrollment comes from the Cisco Unified Communication Manager (CUCM).

The CA Proxy Functionality (CAPF) of CUCM is capable of auto-enrolling certificates for Cisco IP phones that need to perform 802.1X.

You can check with Cisco TAC (Voice) or the Voice section on CSC.

Hope this helps.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed