Installing SSL certificate on Cisco ACS Server

Perhaps you found yourself in the position of wanting to use HTTPS for accessing your ACS server. Or maybe you needed to set it up for some EAP authentication method like EAP-TLS or EAP-PEAP for your wireless or 802.1x clients. If so, the very first thing you want to do is install an SSL certificate on the ACS server. Read on!

The first step is obtaining the CA certificate. If using Microsoft CA, this can be done via the URL http://CAServerNameOrIP/certsrv. Select the task Download a CA certificate, certificate chain, or CRL and then Download CA certificate. I prefer the Base64 format (I have not verified whether DER works as well). Let’s save it using CA_CERT.cer as the filename.

Now we open the ACS interface. Select System Configuration, ACS Certificate Setup, ACS Certification Authority Setup. Under CA certificate file we type in C:\CERTS\CA_CERT.cer (if C:\CERTS is the folder where we saved the CA certificate).

This yields a warning message on the left-hand side and a corresponding message on the right-hand side (screenshots not reproduced here).

We will do the restart later on.

Now go back using the Cancel button and select Generate Certificate Signing Request. Fill in the form as depicted in the picture (not reproduced here):

Under the Certificate subject we should type something like:

CN=selver.popravak.com,O=Popravak Inc,OU=IT,L=Bijeljina,S=RS,C=BA

After submitting the request, on the right-hand side we should see the Base64-encoded certificate request. It is in the form of:

-----BEGIN CERTIFICATE REQUEST-----
MIIDDjCCAfYCAQAwZDEPMA0GA1UEAxMGcmFjYWNzMRYwFAYDVQQKEw1Ob3ZhIGJh
… lines omitted…
vQWupNShemW58npZlLob7LkW
-----END CERTIFICATE REQUEST-----

Now select this request, starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----, and copy it.

It is now time to request the certificate from our CA. Again, go to http://CAServerNameOrIP/certsrv, select Request a certificate, Advanced Certificate Request, then Submit a certificate request by using a base-64 encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file.

Under Saved Request paste the copied certificate request and as Certificate Template select Web Server. You should be here (screenshot not reproduced):

Click Submit. You should (I hope) see the Certificate Issued message and the opportunity to download it. Select the Base-64 encoded option and save the certificate. Let’s save it as C:\CERTS\SELVER.cer.

Go back to the ACS GUI. Click Cancel to return to the ACS Certificate Setup page. Select Install ACS Certificate. Fill in the form as depicted (screenshot not reproduced):

The private key file and password are those specified in the Generate new request form. Click Submit. Now you should see the confirmation (screenshot not reproduced):

Finally, go to System Configuration, Service Control and restart required services. Now you should be able to use this certificate for HTTPS login or some authentication method such as EAP-TLS or PEAP.

The first thing you may want to do is access the ACS server using HTTPS instead of HTTP. You have the cert, right? That’s easy! Go to Administration Control, Access Policy and at the very bottom of the page check "Use HTTPS Transport for Administration Access" under Secure Socket Layer Setup:

Now you may access your ACS server by: https://selver.popravak.com:2002/.

You may also access it by https://selver:2002 or https://10.77.2.254:2002 (if that is its address), but you will receive a warning because the Common Name is CN=selver.popravak.com. Only when you access the server by that exact name will the warning be absent.
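To see why the short name and the IP address trigger the warning while the FQDN does not, here is an added example (not part of the original post) that parses the ACS-style subject line from above and applies the same host-versus-CN check a browser performs. It uses only the Python standard library; the URLs and subject are the ones used in this post.

```python
"""Check whether the host in a URL matches the CN of an ACS-style certificate subject."""
import ipaddress
from urllib.parse import urlsplit

# Subject exactly as typed into the ACS "Certificate subject" field in this post.
ACS_SUBJECT = "CN=selver.popravak.com,O=Popravak Inc,OU=IT,L=Bijeljina,S=RS,C=BA"


def parse_dn(dn: str) -> dict:
    """Parse 'CN=a,O=b,...' into a dict. A backslash-escaped comma ('\\,')
    is part of the value, so 'O=Popravak\\, Inc' does not split the DN."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    attrs = {}
    for part in parts:
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def url_matches_cn(url: str, subject: str) -> tuple:
    """Return (ok, reason). Mirrors a browser checking a certificate that
    carries only a CN (the ACS request form in this post sets no SAN)."""
    host = urlsplit(url).hostname or ""
    cn = parse_dn(subject).get("CN", "")
    try:
        ipaddress.ip_address(host)  # IP literals never match a DNS-name CN
        return False, f"{host} is an IP address, CN {cn!r} is a DNS name"
    except ValueError:
        pass
    if host.lower() == cn.lower():  # DNS names compare case-insensitively
        return True, "host matches CN"
    return False, f"{host!r} does not match CN {cn!r}"


if __name__ == "__main__":
    for u in ("https://selver.popravak.com:2002/", "https://selver:2002",
              "https://10.77.2.254:2002"):
        print(u, "->", url_matches_cn(u, ACS_SUBJECT))
```

Note that current browsers ignore the CN altogether and require the name in a Subject Alternative Name extension, so a CA template that adds a SAN matching the FQDN is needed there.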

Hope this helped!

So, until the next time…
