06-15-2011 01:04 PM - last edited on 03-09-2022 10:58 PM by smallbusiness
I'm looking for help getting certs installed. Currently I'm using a self-signed cert issued by ACS. We are having an issue where occasionally we see in our Windows 7 logs that Windows did not like the self-signed cert from ACS when doing dot1x authentication for our Windows 7 clients. We are using the built-in dot1x client that comes with Windows and have the "Validate Server Certificate" unchecked but still see this error occasionally. I've tried issuing a CSR from the ACS server and going to Thawte and getting a test cert, but every time I paste the CSR into the field at Thawte I get an error about invalid cert type. You have to choose from a list of server types. I've tried several different ones. I've also tried issuing the request from a Windows server, and when I try to import the files I get an invalid key error. Has anyone gotten a certificate working from Thawte or Verisign? Looking for some guidance in getting certs installed from a valid CA.
Thanks in advance.
Billy
06-15-2011 10:16 PM
Hi,
How did you generate the CSR?
Did you go to System Administration > Local Server Certificates > Local Certificates > Add > Generate Self Signed Certificate > Next > Enter the fields > Finish?
Then copy the CSR from System Administration > Local Server Certificates > Outstanding Signing Requests > select the CSR and click on Export.
You should be able to get the server certificate from the Thawte site. You can contact Thawte as well.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
06-16-2011 05:06 AM
Yes, I created the CSR exactly as per your instructions.
I used the following when creating the CSR:
Certificate Subject: CN=cisco-acs-pri.corp.rmic.com
Key Length: 2048
Digest to sign with: SHA1
Expiration TTL: 1 Year
I export the CSR, open it in Notepad, copy the text, and paste it into the field on Thawte's website. It also asks what type of server you have. I have tried choosing Cisco, Apache, and others, and I always get an error saying invalid certificate type.
06-16-2011 10:04 PM
hey,
Can you check with Thawte support?
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
06-17-2011 03:06 AM
Have you tried an alternative SSL provider? I've used RapidSSL for certs on an ACS with no problems:
www.rapidssl.com
Also, there's a CSR validation tool at this website that you can check to see if your CSR is OK:
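A CSR can also be checked locally before it is pasted into a CA's enrollment form. The script below is an added example, not part of the original post: it uses the standard `openssl req` command, and the function name `check_csr`, the file names and the CN `acs.example.test` are hypothetical, with the sample CSR constructed on the spot.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a PEM CSR before submitting it to a CA.
# check_csr and all file names here are hypothetical, not from the thread.

check_csr() {
  csr="$1"; min_bits="${2:-2048}"

  # 1. PEM framing: copy/paste through an editor can drop or mangle these
  #    lines (CRLF line endings are tolerated by stripping \r first).
  tr -d '\r' < "$csr" | grep -Eqx -e '-----BEGIN (NEW )?CERTIFICATE REQUEST-----' \
    || { echo "FAIL: missing or damaged BEGIN line"; return 1; }
  tr -d '\r' < "$csr" | grep -Eqx -e '-----END (NEW )?CERTIFICATE REQUEST-----' \
    || { echo "FAIL: missing or damaged END line"; return 1; }

  # 2. The body must parse as PKCS#10 and its self-signature must verify.
  #    Match the message text, since exit codes differ across OpenSSL versions.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "FAIL: CSR does not parse or signature is invalid"; return 1; }

  # 3. Public key size, read from the decoded request.
  bits=$(openssl req -in "$csr" -noout -text 2>/dev/null \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge "$min_bits" ] \
    || { echo "FAIL: key is ${bits:-unknown} bits, need >= $min_bits"; return 1; }

  # 4. Show the subject so the CN can be compared with the server's FQDN.
  echo "OK: ${bits}-bit key, $(openssl req -in "$csr" -noout -subject)"
}

# Demo on a constructed CSR (throwaway key, hypothetical CN).
demo_dir=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -keyout "$demo_dir/demo.key" \
  -out "$demo_dir/demo.csr" -subj "/CN=acs.example.test" 2>/dev/null
check_csr "$demo_dir/demo.csr"
rm -rf "$demo_dir"
```

This confirms only that the request is well-formed; it does not reproduce whatever server-type validation a particular CA's form applies.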
06-17-2011 05:45 AM
I ended up getting it to work with some help from our Windows server admins. He generated the CSR from IIS7 and then I got the cert from Thawte and he finished the CSR in IIS7. He then had to do some conversions using OpenSSL to get the correct .pvk file needed with ACS. We used a base64 .cer file. It could possibly be something with Thawte as well. I'll be out of the office for the next week travelling but will give RapidSSL a try using ACS to generate the CSR just to see if it works.
Thanks
Billy
06-21-2011 05:56 AM
Good plan, you can get a free trial cert from RapidSSL which will let you test their certs before you buy.