
****NAC Certificate Problems***

gabrielbryson
Level 1

There is a default Perfigo root CA certificate that comes with the installation of NAC. I have now purchased a valid Verisign CA cert. When I import the root CA into the trusted CAs it's accepted; however, when I generate a cert request, get it back from the CA and try to import the NAS/NAM approved web server cert, I get an error: cannot validate cert. I then try to delete the Perfigo default cert and it will not; it reports that it is in use??? Any ideas how to delete the Perfigo temp certificate????


Daniel Laden
Level 4

What is the exact error message? Are you trying to install the same certificate on the NAM and NAS?

Manage CAM SSL Certificates

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_admin.html#wp1078189

I thought I saved a copy of the error, but did not. I don't have access to the appliances at the mo to recreate the error.

I am not installing the same cert on the NAM and NAS; I have purchased a separate cert for each.

I think my biggest problem is that it will not let me delete the Perfigo cert.

One thing I noticed is that in the online guide, in the list of root certs there are plenty of entries; on mine (v4.5) there is only the Perfigo CA?? Is that correct?

srue
Level 7

Generate a temp cert locally on the appliance using all of the correct information - if using HA, use the shared/service IP.

Export the CSR (cert signing request). Use this to request the cert for Verisign.

Import the 3rd party cert back into each appropriate appliance.

Make sure you click the "install and verify" newly uploaded certs button if necessary.

Uploading a new/correct cert should overwrite the Perfigo self-generated cert, but not the Perfigo root.

If you are using self-gen certs on any appliance, I would recommend not removing the Perfigo root cert.

BTW, you will need to manually upload/install the Verisign root cert to each appliance.

Thanks, I have done all of that? If I can recall the error message, when I try to install the approved web server cert, it is relating to verification (version 4.5 does not have the verification button anymore?). Would it be possible that the NAM and NAS have to have internet access to verify the root CA???

The NAC Server does not contact anyone to validate the certificate. Did you load the root certificate before the CA-signed certificate?

Starting with 4.5, Perfigo is the only installed CA root. If it has been an upgrade to 4.5, all the legacy CA roots would be listed as well.

Yes I did install the root CA cert first, I will have access to the appliances again tomorrow, and will try the process again from scratch...

Thanks
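
The replies above turn on two things that can be checked offline before uploading: whether the CA-signed certificate chains to the root that was loaded on the appliance, and whether it was issued for the CSR exported from that appliance. The script below is an added example, not part of the thread or of Cisco's tooling; it uses the `openssl` command line on a workstation, and every file name, subject and the lab PKI it builds are constructed stand-ins for the real root, certificate and CSR.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-signed appliance certificate.
# Every file name and subject below is constructed; nothing comes from the thread.

# check_signed_cert ROOT_PEM CERT_PEM CSR_PEM
#   0 = cert chains to the root and carries the CSR's public key
#   1 = chain does not validate against the supplied root
#   2 = cert was issued for a different key than the one behind the CSR
check_signed_cert() {
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "FAIL: $2 does not chain to $1"; return 1
  fi
  cert_key=$(openssl x509 -in "$2" -noout -pubkey)
  csr_key=$(openssl req -in "$3" -noout -pubkey)
  if [ "$cert_key" != "$csr_key" ]; then
    echo "FAIL: $2 does not match the key that produced $3"; return 2
  fi
  echo "OK: $2 chains to $1 and matches $3"
}

# build_demo_pki DIR: constructed lab PKI standing in for the public CA.
build_demo_pki() {
  for ca in root other; do   # "other" is an unrelated root, used as the wrong trust anchor
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $ca CA" \
      -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
  done
  for host in cam cas; do    # one CSR per appliance, as in the thread
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host.example.test" \
      -keyout "$1/$host.key" -out "$1/$host.csr" 2>/dev/null || return 1
  done
  # Only the "cam" CSR is signed, by the demo root.
  openssl x509 -req -in "$1/cam.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/cam.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
check_signed_cert "$demo_dir/root.pem"  "$demo_dir/cam.pem" "$demo_dir/cam.csr" || true
check_signed_cert "$demo_dir/other.pem" "$demo_dir/cam.pem" "$demo_dir/cam.csr" || true
check_signed_cert "$demo_dir/root.pem"  "$demo_dir/cam.pem" "$demo_dir/cas.csr" || true
```

Against real files, pass the root downloaded from the CA, the returned certificate and the CSR exported from the same appliance; a result of 2 means the certificate is being imported into the wrong box or the temp cert was regenerated after the CSR was exported.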
