Solved: Re: ACS server certificate from 3.3 to 4.2

sansarav720e · ‎03-03-2011

Hi All ,

We have enabled EAP-TLS authentication for our wireless LAN end user in our network setup , And we have defined certficate on our old acs server 3.3 from a third party CA . I want to use the same certifcate which is being used in 3.3 ,how i can copy that certficate from 3.3 and get it installed on new acs 4.2 . what all condition to be met

HTH Regards Santhosh Saravanan

Jagdeep Gambhir · ‎03-03-2011

Hi Santosh,

To export CA certificate from Windows version, do following :

Goto

[1] Start > Run > Type 'mmc' and hit enter.

[2] Click on Console > Add/Remove Snap-in...

[3] Click on Add > Certificate > Add > Computer Account > Next > Local Computer > Finish > Close > Ok

[4] Expand Certificates > Expand Trusted Root Certificate Authority and select Certificates

[5] Choose the ACS CA certificate, right click > All Tasks > Export > Next > Select 'Base-64 encoded X.509 (.CER)' > Next > Browse

Choose the location to store, and give it a name.
 Press Next > Finish

We should get a message 'export was successfull'

Then Goto CS ACS solution engine

System Configuration > ACS Certificate Setup > ACS Certificate Authority Setup > Click on 'Download CA certificate'

Provide with the reuired information

and uplaod the file by pressing 'Submit'

Then Restart the ACS.

And to use this certificate, goto

System Configuration > ACS Certificate Setup > Edit Certificate Trust List,

and check the ACS certificate being installed.

then click Submit.

Again Restart ACS.


Regards,
~JG

Do rate helpful posts

View solution in original post

andamani · ‎03-03-2011

Hi,

A simple upgrade from ACS 3.3 to ACS 4.2 with keeping the existing database should do the trick.

I assume this is ACS on windows.

Hope this helps.

Regards,

Anisha.

P.S.: Please mark this thread as answered if you feek your query is resolved. Do rate helpful posts.

sansarav720e · ‎03-03-2011

Hi Anisha ,

For ACS 4.2.1.15 we are using new cisco acs appliance 1120 and existing ACS 3.3 server is running on window box as u said , We dont want to upgrade existing ACS 3.3 to 4.2. I need to copy CA certficate from that ACS 3.3 to ACS 4.2

Is CA certficate has also got dependancy in ACS version .

HTH Regards Santhosh Saravanan

Jagdeep Gambhir · ‎03-03-2011

Hi Santosh,

To export CA certificate from Windows version, do following :

Goto

[1] Start > Run > Type 'mmc' and hit enter.

[2] Click on Console > Add/Remove Snap-in...

[3] Click on Add > Certificate > Add > Computer Account > Next > Local Computer > Finish > Close > Ok

[4] Expand Certificates > Expand Trusted Root Certificate Authority and select Certificates

[5] Choose the ACS CA certificate, right click > All Tasks > Export > Next > Select 'Base-64 encoded X.509 (.CER)' > Next > Browse

Choose the location to store, and give it a name.
 Press Next > Finish

We should get a message 'export was successfull'

Then Goto CS ACS solution engine

System Configuration > ACS Certificate Setup > ACS Certificate Authority Setup > Click on 'Download CA certificate'

Provide with the reuired information

and uplaod the file by pressing 'Submit'

Then Restart the ACS.

And to use this certificate, goto

System Configuration > ACS Certificate Setup > Edit Certificate Trust List,

and check the ACS certificate being installed.

then click Submit.

Again Restart ACS.


Regards,
~JG

Do rate helpful posts

sansarav720e · ‎03-03-2011

Hi Jagdeep ,

Thanx for your postings , I will follow this on exporting my certficates from old acs 3.3 , I have samll queris whether 3 party CA certficates is minted based on Hostname by the vendor , So that when we use it on another machine it should have same hostname as the old one . Is there any condition like that ?? . kindly suggest me , Thank you

3rd party vendor is geotrust

HTH Regards Santhosh Saravanan

Jagdeep Gambhir · ‎03-04-2011

Hi Santosh,

CA cert does not have any host name ( i.e. "issued by" and "issued to" are same, Geo trust in your case). Its the server cert that have host name in "issued to " section.

Server cert will have

Issued to = Host name

Issued by= GeoTrust

CA cert will have

Issued to = GeoTrust

Issued by=GeoTrust

Host name does not matter ( in server cert) as along as it is installed with the private key.

Regards,

~JG

Do rate helpful posts

sansarav720e · ‎03-06-2011

HI Jagdeep ,

I have tried using MMC (microsoft management console ) to extract certficate from windows box which is running ACS 3.3 . Whn i opened MMC console clicked add/remove snap in , but i am seeing only blank list on add on list . Is that any function to be availed from MMC should be turned on using gepdit.msc , Please suggest me , Thank you

HTH Regards Santhosh Saravanan

andamani · ‎03-07-2011

Hi Santosh,

Please click on the ADD button after you get th edialog box of Add/remove snap-in.. then you will get another dialog box from where you can select the Certificate item.

Hope this helps.

Regards,

Anisha

-do rate helpful posts.