Introduction
This document describes how to obtain an exportable server certificate from a Microsoft Windows 2003 certificate authority (CA) by using a certificate signing request (CSR) generated on Cisco Secure Access Control Server (ACS) 5.1, and how to install that certificate in ACS for use with Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2.
ACS 5.1 Certificate Setup
Configure Exportable Certificate for ACS
Note: The ACS server must hold a server certificate issued by the enterprise root CA. During PEAP, this certificate authenticates ACS to the WLAN client and protects the inner MS-CHAP version 2 exchange inside the TLS tunnel, so a client that does not trust the issuing CA will not complete authentication.
Note: Make sure that the IIS Manager is not open during the certificate setup process, as it causes problems with cached information.
- Log in to the ACS server with an account that has Admin rights.
- Go to System Administration > Configuration > Local Server Certificates. Click Add.
When you choose a server certificate creation method, choose Generate Certificate Signing Request. Click Next.
Enter a certificate subject and key length as in the example, then click Finish:
- Certificate Subject - CN=acs.demo.local (use the name that the WLAN clients will be configured to expect from the ACS server)
- Key Length - 1024 (the value used in this example; 1024-bit RSA keys are considered weak today, so choose the longest key length that your ACS version and CA accept, for example 2048)
ACS will prompt that a certificate signing request has been generated. Click OK.
Under System Administration, go to Configuration > Local Server Certificates > Outstanding Signing Requests.
Note: The reason for generating the CSR on ACS rather than on the Windows 2003 CA is that the private key stays on ACS; Windows 2003 does not allow a key it generated to be exported, whereas a certificate issued against the ACS-generated CSR can be bound to the key that ACS already holds.
Choose the Certificate Signing Request entry, and click Export.
Save the exported ACS certificate signing request (.pem file) to the desktop.
Install the Certificate in ACS 5.1 Software
Perform these steps:
- Open a browser and connect to CA server URL http://10.0.10.10/certsrv.
The Microsoft Certificate Services window appears. Choose Request a certificate.
Click to submit an advanced certificate request.
In the advanced request, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
In the Saved Request field, if browser security permits, browse to the ACS certificate request file that you exported earlier and insert it.
The browser's security settings might not allow access to files on disk. If so, click OK and paste the request manually.
Locate the ACS *.pem file from the previous ACS export. Open the file with a text editor (for example, Notepad).
Highlight the entire content of the file, including the BEGIN and END lines, and click Copy.
Return to the Microsoft certificate request window. Paste the copied content into the Saved Request field.
Choose ACS as the Certificate Template, and click Submit.
Once the Certificate is Issued, choose Base 64 encoded, and click Download certificate.
Click Save in order to save the certificate to the desktop.
Go to ACS > System Administration > Configuration > Local Server Certificates. Choose Bind CA Signed Certificate, and click Next.
Click Browse, and locate the saved certificate.
Choose the ACS certificate that was issued by the CA server, and click Open.
Also, check the Protocol box for EAP, and click Finish.
The CA-issued ACS certificate then appears in the Local Server Certificates list on ACS, with the EAP protocol assigned to it.
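Before you bind the certificate, it is worth checking offline that what the CA handed back is actually usable: the issued certificate must carry the public key from the ACS CSR (otherwise Bind CA Signed Certificate fails, because ACS cannot match it to the private key it kept), the subject must be the CN you entered, the certificate must carry the Server Authentication EKU that Windows PEAP supplicants require, and it must chain to the CA the clients trust. The following POSIX shell script is an added example and is not part of this document or Cisco's software; it assumes the openssl command-line tool is installed. Because it must run without access to ACS or the Windows 2003 CA, it builds its own throwaway CSR, a toy self-signed root CA and two issued certificates as constructed stand-ins (the file and function names are hypothetical), then runs the pre-bind checks on a matching certificate and on one issued against a different key pair. The 2048-bit floor is an editorial choice, stricter than the 1024 shown in this guide.

```shell
#!/bin/sh
# Pre-bind sanity checks for a CA-issued ACS certificate (added example, not Cisco code).
# Assumes the openssl CLI is installed. File and function names are hypothetical.
set -e

# Constructed sample artifacts standing in for the ACS CSR and the enterprise root CA.
make_sample_artifacts() {
    dir=$1
    # Stand-in for the CSR that ACS generates under Local Server Certificates.
    openssl genrsa -out "$dir/acs.key" 2048 2>/dev/null
    openssl req -new -key "$dir/acs.key" -subj "/CN=acs.demo.local" \
        -out "$dir/acs-csr.pem" 2>/dev/null
    # Toy self-signed root CA standing in for the Windows 2003 CA behind /certsrv.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -subj "/CN=demo-root-ca" -days 30 -out "$dir/ca.pem" 2>/dev/null
    # The template used for the ACS request must yield a server-authentication certificate.
    printf 'extendedKeyUsage=serverAuth\n' > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/acs-csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" -out "$dir/acs-cert.pem" 2>/dev/null
}

# A certificate for the right name but issued against a different key pair: this is what
# you get when the wrong CSR is pasted into certsrv, and ACS cannot bind it.
make_mismatched_cert() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/other.key" \
        -subj "/CN=acs.demo.local" -out "$dir/other-csr.pem" 2>/dev/null
    openssl x509 -req -in "$dir/other-csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" -out "$dir/other-cert.pem" 2>/dev/null
}

# check_cert_for_bind CSR CERT CA_CERT EXPECTED_CN MIN_KEY_BITS
# Returns 0 when CERT can be bound to CSR in ACS and used as a PEAP server certificate;
# otherwise prints every failed check and returns 1.
check_cert_for_bind() {
    csr=$1; cert=$2; ca=$3; expected_cn=$4; min_bits=$5
    rc=0

    # 1. The issued certificate must carry the public key from the CSR; ACS matches it to
    #    the private key it kept, so a mismatch makes "Bind CA Signed Certificate" fail.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    if [ "$csr_pub" != "$cert_pub" ]; then
        echo "FAIL: public key in $cert does not match the key in $csr"; rc=1
    fi

    # 2. Subject CN must be the name the supplicants are configured to expect.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$expected_cn"*) ;;
        *) echo "FAIL: subject '$subject' lacks CN=$expected_cn"; rc=1 ;;
    esac

    # 3. Windows supplicants require the Server Authentication EKU on a PEAP server cert.
    text=$(openssl x509 -in "$cert" -noout -text)
    case "$text" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: no Server Authentication (serverAuth) EKU"; rc=1 ;;
    esac

    # 4. Key length: reject anything below the floor you set (1024 is too short today).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, below the minimum of $min_bits"; rc=1
    fi

    # 5. The certificate must chain to the CA that the WLAN clients trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    return $rc
}

# Stand-alone run: build the samples, then check the good and the mismatched certificate.
demo() {
    dir=$(mktemp -d)
    make_sample_artifacts "$dir"
    make_mismatched_cert "$dir"
    echo "== certificate issued for the ACS CSR"
    check_cert_for_bind "$dir/acs-csr.pem" "$dir/acs-cert.pem" "$dir/ca.pem" acs.demo.local 2048 \
        && echo "OK: ready to bind"
    echo "== certificate issued against a different key pair"
    check_cert_for_bind "$dir/acs-csr.pem" "$dir/other-cert.pem" "$dir/ca.pem" acs.demo.local 2048 \
        || echo "NOT OK: do not bind"
    rm -rf "$dir"
}
demo
```

To use it against the real files, run check_cert_for_bind with the .pem CSR exported from Outstanding Signing Requests, the Base 64 certificate downloaded from the CA, and the CA's own certificate; any FAIL line means the request must be resubmitted (usually with the correct CSR or the correct template) before Bind CA Signed Certificate will succeed.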