B-9
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP-TLS
Fixed Management Certificates
ACS generates self-signed certificates and uses them to identify itself over its management protocols,
such as HTTPS for the Web browser interface, ActiveMQ, SSH, and SFTP.
Self-signed certificates are generated when ACS is installed and are maintained locally in files outside
of the ACS database. You cannot modify or export these certificates. You can, however, assign imported
certificates to management interfaces.
Importing Trust Certificates
ACS accepts X.509 certificate files in PEM or DER format. You can add a trust certificate to the trust
certificate store. ACS checks only that an imported certificate is well-formed X.509; it does not
validate the certificate's signature against any issuer (no chain verification). ACS also supports the
Microsoft proprietary private key format.
You can mark the acquired certificate for immediate trust by the TLS-based EAP protocols as the EAP
CTL. The trust certificate store does not allow duplicate trust certificates. A certificate is rejected
under these rules:
- Two certificates cannot have the same subject.
- Two certificates cannot have the same issuer and the same serial number.
Acquiring Local Certificates
This topic describes the methods by which ACS acquires PKI credentials, and the ways you can set the
public/private key pair for each ACS server in the ACS domain.
The credentials consist of an X.509 certificate, which carries the public key, and a PKCS#12 file [?10.1]
that holds the corresponding private key, protected by a password.
An ACS domain may contain more than one ACS server; each should have its own set of PKI key pairs to
identify itself on the appropriate interfaces.
Some interfaces may require that the certificate identifying ACS contain the IP address or FQDN of the
ACS server in its Common Name (CN), so that the certificate is bound to that server; the HTTPS server
certificate used for the Web interface is one example.
For other interfaces it may be possible to use a common certificate shared between the servers;
however, Cisco does not recommend using a shared certificate. Each ACS server's PKI credentials may
come from either a self-signed certificate or a certificate signed by a common certificate authority
(CA).
For protocols that require the client to authenticate ACS, clients should be deployed with at least the
lowest common CA certificate that sits above all of the ACS server certificates in the trust chain.
You can choose the PKI policy to be used in your organization and configure the PKI credentials for the
ACS domain accordingly.
The configured certificate and its private key should not be used outside the ACS machine.
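The trust-store import rules from "Importing Trust Certificates" (PEM or DER input, format check only with no chain verification, rejection of a duplicate subject or a duplicate issuer plus serial number) and the CN/FQDN/IP binding described above, as an added Go example. This is not Cisco code and does not reproduce the ACS implementation; it models the stated rules with Go's standard crypto/x509 package over constructed certificates from a fictional "Constructed Lab" CA. The hostnames and IP address are assumptions, and the SAN check in BindsToServer goes beyond the guide's CN wording (modern TLS clients match SANs rather than the CN).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TrustStore models the guide's import rules: PEM or DER input, a format check
// only (no chain or signature verification), no duplicate subject, no duplicate issuer+serial.
type TrustStore struct{ certs []*x509.Certificate }

// Import stores a PEM-wrapped or raw DER certificate, or returns the rule that rejected it.
func (s *TrustStore) Import(data []byte) error {
	if block, _ := pem.Decode(data); block != nil {
		data = block.Bytes
	}
	c, err := x509.ParseCertificate(data) // well-formedness only; the issuer's signature is not checked
	if err != nil {
		return fmt.Errorf("not a well-formed X.509 certificate: %w", err)
	}
	for _, e := range s.certs {
		if bytes.Equal(e.RawSubject, c.RawSubject) {
			return fmt.Errorf("rejected: subject %q already in store", c.Subject.CommonName)
		}
		if bytes.Equal(e.RawIssuer, c.RawIssuer) && e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("rejected: issuer %q already has serial %s", c.Issuer.CommonName, c.SerialNumber)
		}
	}
	s.certs = append(s.certs, c)
	return nil
}

// BindsToServer reports whether the certificate names the server (FQDN or IP) in its CN, as the
// guide describes, or in the SAN extension (an addition here; modern TLS clients match SANs).
func BindsToServer(c *x509.Certificate, host string) bool {
	return c.Subject.CommonName == host || c.VerifyHostname(host) == nil
}

// ---- constructed test material, not real ACS certificates ----
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Constructed Lab"}},
		NotBefore:             time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
}

// issue generates a fresh P-256 key for tmpl, signs it with signer on behalf of parent (nil = self-signed).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	return der, key
}

// Fixtures builds a root CA (PEM), two server certs it signed sharing serial 42, and a second
// self-signed CA whose subject collides with the root's (all DER except the root).
func Fixtures() (caPEM, acs1DER, acs2DER, cloneDER []byte) {
	caTmpl := template("Constructed Lab Root CA", 1)
	caTmpl.IsCA, caTmpl.KeyUsage = true, x509.KeyUsageCertSign
	caDER, caKey := issue(caTmpl, caTmpl, nil)
	ca, err := x509.ParseCertificate(caDER) // parsed copy carries the CA public key that CreateCertificate checks
	check(err)
	acs1 := template("acs1.example.test", 42) // assumed FQDN and IP of an ACS server
	acs1.DNSNames, acs1.IPAddresses = []string{"acs1.example.test"}, []net.IP{net.ParseIP("192.0.2.10")}
	acs1DER, _ = issue(acs1, ca, caKey)
	acs2DER, _ = issue(template("acs2.example.test", 42), ca, caKey)
	clone := template("Constructed Lab Root CA", 7)
	cloneDER, _ = issue(clone, clone, nil)
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return
}

func main() {
	caPEM, acs1DER, acs2DER, cloneDER := Fixtures()
	var store TrustStore
	for i, data := range [][]byte{caPEM, acs1DER, cloneDER, acs2DER} {
		fmt.Printf("import #%d: %v\n", i+1, store.Import(data)) // #3 and #4 are rejected
	}
	c1, _ := x509.ParseCertificate(acs1DER)
	fmt.Println("acs1 cert binds to 192.0.2.10:", BindsToServer(c1, "192.0.2.10"))
}
```

The third import fails on the subject rule even though the clone is a different key and a different certificate, and the fourth fails on the issuer-plus-serial rule even though its subject is new; neither failure involves checking a signature, which is exactly why a trust certificate's origin has to be confirmed before it is imported rather than relied on afterwards.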
Related Topics
Importing the ACS Server Certificate, page B-10
Initial Self-Signed Certificate Generation, page B-10
Certificate Generation, page B-10