8-69
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Configuring CA Certificates
You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the
X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the
means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).
Digital certificates do not require the sharing of secrets or stored database credentials. They can be
scaled and trusted over large deployments. If managed properly, they can serve as a method of
authentication that is stronger and more secure than shared secret systems.
Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This
server certificate may be issued from a CA or, if you choose, may be a self-signed certificate. For more
information, see Configuring Local Server Certificates, page 18-14.
Note: ACS builds a certificate chain with the CA certificates that you add to it and uses this chain during TLS
negotiations. You must add the certificate that signed the server certificate to the Certificate Authorities (CA)
store. You must ensure that the chain is signed correctly and that all the certificates are valid.
If both the server certificate and the CA certificate that signed it are installed on ACS, ACS sends the
full certificate chain to the client.
Related Topics
Adding a Certificate Authority, page 8-69
Editing a Certificate Authority and Configuring Certificate Revocation Lists, page 8-70
Deleting a Certificate Authority, page 8-71
Exporting a Certificate Authority, page 8-72
Adding a Certificate Authority
The supported certificate formats are DER, PEM, and CER.
To add a trusted CA (Certificate Authority) certificate:
Step 1 Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate page appears.
Step 2 Click Add.
Step 3 Complete the fields in the Certificate File to Import page as described in Table 8-19:
Table 8-19 Certificate Authority Properties Page

Option                           Description
Certificate File to Import
  Certificate File               Enter the name of the certificate file. Click Browse to navigate to the location on the
                                 client machine where the trust certificate is located.
  Trust for client with EAP-TLS  Check this box so that ACS uses the certificate trust list for the EAP protocol.
  Allow Duplicate Certificates   Allows you to add certificates that have the same CN and SKI but different Valid From,
                                 Valid To, and Serial Number values.
  Description                    Enter a description of the CA certificate.
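Before uploading a CA certificate through the page above, an operator usually wants to confirm two things the Note earlier in this section insists on: that the file really is the CA that signed the ACS server certificate, and that the chain verifies and both certificates are inside their validity periods. The script below is an added example, not Cisco tooling and not part of the user guide; it assumes only that the openssl command-line tool is installed. It accepts DER, PEM or CER input for both files (a .cer file can carry either encoding, so the encoding is detected rather than inferred from the name), normalises them to PEM, compares the CA subject with the server certificate's issuer, and runs openssl verify with -partial_chain so that an intermediate CA can serve as the anchor, mirroring the rule that the signing CA itself must be in the ACS store. On success it prints the CN, serial number, validity dates and Subject Key Identifier of the CA, which are exactly the fields the Allow Duplicate Certificates option is concerned with. The file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not Cisco tooling): pre-flight check for a CA certificate
# before adding it under Users and Identity Stores > Certificate Authorities.
# Assumes the openssl CLI is installed.
#
# Usage: acs_ca_preflight CA_FILE SERVER_FILE
#   CA_FILE     the certificate you intend to add as a trusted CA
#   SERVER_FILE the ACS local server certificate it is supposed to have signed
# Either file may be PEM or DER; a .cer file can be either, so the encoding
# is detected instead of being trusted from the file name.
#
# Exit status: 0 = CA signed the server cert; signature and validity verify
#              1 = a file is not a parseable DER/PEM/CER certificate
#              2 = the CA's subject is not the server certificate's issuer
#              3 = openssl verify failed (bad signature, expired, not yet valid)

# Normalise a DER/PEM/CER certificate to PEM on stdout. openssl rejects DER
# when told to expect PEM and vice versa, so try PEM first, then DER.
to_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null \
        || openssl x509 -in "$1" -inform DER 2>/dev/null
}

acs_ca_preflight() {
    ca_in=$1
    srv_in=$2
    work=$(mktemp -d) || return 1
    ca="$work/ca.pem"
    srv="$work/srv.pem"

    if ! to_pem "$ca_in" > "$ca"; then
        echo "FAIL: $ca_in is not a DER, PEM or CER certificate"
        rm -rf "$work"; return 1
    fi
    if ! to_pem "$srv_in" > "$srv"; then
        echo "FAIL: $srv_in is not a DER, PEM or CER certificate"
        rm -rf "$work"; return 1
    fi

    # The CA you add must be the one that signed the server certificate:
    # its subject must equal the server certificate's issuer.
    ca_subject=$(openssl x509 -in "$ca" -noout -subject)
    srv_issuer=$(openssl x509 -in "$srv" -noout -issuer)
    if [ "${ca_subject#subject=}" != "${srv_issuer#issuer=}" ]; then
        echo "FAIL: CA subject [${ca_subject#subject=}] is not the server issuer [${srv_issuer#issuer=}]"
        rm -rf "$work"; return 2
    fi

    # Checks the signature, the notBefore/notAfter window of both certificates
    # and the CA's basic constraints. -partial_chain lets an intermediate CA
    # act as the trust anchor, matching the rule that the signing CA itself
    # must be present in the ACS store.
    if ! openssl verify -partial_chain -CAfile "$ca" "$srv" > /dev/null 2>&1; then
        echo "FAIL: chain does not verify (signature, validity period or CA constraints)"
        rm -rf "$work"; return 3
    fi

    # Report the fields the Allow Duplicate Certificates option compares
    # (CN, serial, validity, SKI) so they can be checked against entries
    # that are already installed.
    echo "OK: $ca_in signed $srv_in"
    openssl x509 -in "$ca" -noout -subject -serial -dates
    openssl x509 -in "$ca" -noout -text | grep -A1 'Subject Key Identifier' || true
    rm -rf "$work"
    return 0
}
```

Run it as `acs_ca_preflight root-ca.cer acs-server.pem` (placeholder names) and treat any non-zero exit as a reason not to click Add yet; exit status 2 is the common case of importing a root when the server certificate was actually issued by an intermediate, which is the situation the Note warns about.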