Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 43 Managing IPS Sensors
Managing IPS Certificates
When you configure Security Manager to use SSL (HTTPS) to communicate with your IPS devices, the
certificate configured on the device must match the certificate stored in Security Manager’s certificate
store. Mismatched certificates will result in communication failures during policy discovery or
deployment.
IPS devices use self-signed certificates that have a fixed validity period of about 2 years. When the
certificate expires, you need to regenerate the certificate and update the certificate store with the new
certificate.
Security Manager includes a utility that you can use to synchronize the certificate store with the
certificate defined on the device, to regenerate expired certificates, and to view the status of certificates
(including expiration dates) on the IPS devices that you manage.
Tip: If you are using HTTP for communication with the IPS devices, certificates are not used and you cannot
manage them. IPS device communication settings are configured in the Security Manager
Administration Device Communication page (see Device Communication Page, page 11-16).
The following procedure explains how to manage your IPS certificates with Security Manager.
Related Topics
Table Columns and Column Heading Features, page 1-46
Filtering Tables, page 1-45
Manually Adding SSL Certificates for Devices that Use HTTPS Communications, page 9-4
Security Certificate Rejected When Discovering Device, page 9-6
Invalid Certificate Error During Device Discovery, page 9-6
Step 1 Select Manage > IPS > IPS Certificates to open the IPS Certificates dialog box.
    Tip: The list shown in this dialog box is not automatically refreshed. Click Refresh whenever you
    open the dialog box to ensure that you are looking at the most current certificate expiration
    information.
The dialog box lists all IPS sensors that are in the inventory according to their Security Manager display
name. Not all columns are displayed (right-click any cell heading to select additional columns). The
main columns of interest are the following:
  - Certificate Mismatch?—Whether the certificate defined on the device is the same as that in
    Security Manager. This field is blank if the certificate is unavailable or non-retrievable; otherwise,
    it can have these values:
      - No—The device and Security Manager have the same certificate. No action is required.
      - Yes—The device and Security Manager have different certificates. If the certificate has not
        expired, select the device and click Sync Certificates to replace the certificate in the Security
        Manager certificate store with the certificate from the device.
  - Valid Until on Device, Valid From on Device—These two separate columns show the date range
    within which the certificate is valid. The certificate expires after the Valid Until date is reached.
    Consider regenerating the certificate as this date approaches.
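
The same two checks (mismatch and validity window) can be reproduced outside the dialog box with OpenSSL. The script below is an added example, not part of the Cisco guide or of Security Manager. The function names, the 30-day warning window and the subject name sensor.example.test are assumptions, and the certificates are generated locally as constructed samples rather than read from a sensor.

```shell
# Added example; sample certificates are constructed locally, no sensor is contacted.

# SHA-256 fingerprint of a PEM certificate file (hex digits only).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}

# Compare the stored copy with the certificate seen on the device and print:
#   unavailable  device certificate unreadable (the dialog column is blank)
#   expired      past Valid Until: regenerate, then update the store
#   mismatch     different certificates, device one still valid: sync the store
#   expiring     same certificate, inside the warning window (assumed 30 days)
#   ok           same certificate, no action required
cert_status() {
    stored=$1 device=$2 warn_days=${3:-30}
    [ -s "$device" ] && openssl x509 -in "$device" -noout >/dev/null 2>&1 \
        || { echo unavailable; return 0; }
    openssl x509 -in "$device" -noout -checkend 0 >/dev/null \
        || { echo expired; return 0; }
    [ "$(cert_fp "$stored")" = "$(cert_fp "$device")" ] \
        || { echo mismatch; return 0; }
    openssl x509 -in "$device" -noout -checkend $((warn_days * 86400)) >/dev/null \
        || { echo expiring; return 0; }
    echo ok
}

# Constructed sample: a self-signed certificate with a made-up subject name.
make_cert() {  # usage: make_cert <out.pem> <validity-days>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=sensor.example.test" 2>/dev/null
    rm -f "$1.key"   # the private key is not needed for this comparison
}

demo() {
    d=$(mktemp -d)
    make_cert "$d/store.pem" 730    # copy held by the management station
    make_cert "$d/regen.pem" 730    # certificate regenerated on the sensor
    make_cert "$d/short.pem" 7      # certificate with one week left
    echo "unchanged:   $(cert_status "$d/store.pem" "$d/store.pem")"
    echo "regenerated: $(cert_status "$d/store.pem" "$d/regen.pem")"
    echo "near expiry: $(cert_status "$d/short.pem" "$d/short.pem")"
    echo "unreachable: $(cert_status "$d/store.pem" "$d/none.pem")"
    rm -rf "$d"
}
demo
```

Expiry is tested before the fingerprint comparison because the guide only recommends Sync Certificates when the device certificate has not expired.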