B-11
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP-TLS
There are two types of certificate generation:
Self-signed certificate generation—ACS supports generation of an X.509 certificate and a PKCS#12 private key. ACS automatically generates a strong passphrase to encrypt the private key in the PKCS#12, and the private key is kept hidden in the local certificate store. You can select the newly generated certificate for immediate use for the HTTPS Management protocol, for TLS-related EAP protocols, or both.
Certificate request generation—ACS supports generation of a PKCS#10 certificate request with a PKCS#12 private key. The request is downloaded through the web interface as a PEM-formatted file with a .REQ extension. ACS automatically generates a strong passphrase to encrypt the private key in the PKCS#12, and the private key is kept hidden in the ACS database. You can download the request file to be signed offline by the RA.
After the RA signs the request, you can install the returned signed certificate on ACS and bind the certificate with its corresponding private key. The binding of the certificate and its private key is automatic.
After binding the signed certificate with the private key, you can mark this certificate for immediate use for the HTTPS Management protocol, for TLS-related EAP protocols, or both.
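The PKCS#10 round trip described above, reproduced as an added example that is not Cisco's or ACS's own code: the request side, the offline RA signing step, and the binding check that the returned certificate really belongs to the private key behind the request. It assumes the openssl command-line tool is available; every file name, subject and passphrase is a constructed sample.

```shell
#!/bin/sh
# Constructed example of the PKCS#10 / RA / bind workflow; not ACS code.
set -eu
WORK=$(mktemp -d)

# ACS-side stand-in: a private key and a PEM PKCS#10 request saved as .REQ.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/acs.key" -out "$WORK/acs.REQ" \
    -subj "/CN=acs.example.test" >/dev/null 2>&1
}

# RA stand-in: a self-signed CA that signs the downloaded request offline.
ra_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ra.key" -out "$WORK/ra.crt" \
    -subj "/CN=Example RA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/acs.REQ" -CA "$WORK/ra.crt" \
    -CAkey "$WORK/ra.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/acs.crt" >/dev/null 2>&1
}

# Binding check: the public key in the signed certificate must equal the
# public key derived from the stored private key (ACS does this bind
# automatically on install; here it is made explicit so it can be verified).
keys_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Hold the bound pair as a passphrase-protected PKCS#12, as the page
# describes ACS doing. The passphrase is a constructed sample.
bundle_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/acs.key" -in "$WORK/acs.crt" \
    -certfile "$WORK/ra.crt" -passout pass:constructed-sample \
    -out "$WORK/acs.p12"
}

# Full round trip; returns 0 only if chain, binding and bundling all succeed
# and a foreign key (the RA's) is correctly rejected by the binding check.
csr_roundtrip() {
  make_request && ra_sign \
    && openssl verify -CAfile "$WORK/ra.crt" "$WORK/acs.crt" >/dev/null 2>&1 \
    && keys_match "$WORK/acs.crt" "$WORK/acs.key" \
    && bundle_pkcs12 \
    && ! keys_match "$WORK/acs.crt" "$WORK/ra.key"
}
```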
Related Topics
Configuring CA Certificates, page 8-68
Configuring Certificate Authentication Profiles, page 8-72
EAP-TLS Flow in ACS 5.3, page B-13
Exporting Credentials
You can export general trust certificates, an ACS server certificate with or without its private key, and previously generated certificate requests from the certificate stores. You cannot export the request for a private key. Certificate files are downloaded with a .CER extension, in the same format in which they were imported into ACS.
For ACS server certificates, which also contain a private key, you can download the public certificate as a regular certificate with a .CER extension. The file format is retained.
For certificate requests, you can export the public request in order to re-issue a certificate request to an RA. The request is downloaded with a .REQ extension and is formatted identically to the format in which it was generated.
Only administrators with the highest administrator privileges can export the certificate private key and its password. A warning about the security implications of this action is displayed twice, and the export operation must be approved both times.
After this double check, the private-key file can be downloaded with a .PVK extension, and the private-key password with a .PWD extension. The private-key file format is retained.