Installing SSL certificate on Cisco ACS Server II

Way back on October the 17th, 2011, we talked about installing a SSL certificate on Cisco ACS 4.x version. Now it’s time to do the same on version 5.x. We have upgraded by now, haven’t we Smile

To recap from this previous blog: we would want a trusted certificate installed on our ACS 5.x for the sake of getting rid of that annoying warning message when accessing the ACS for management purposes, or/and we have to have a trusted certificate for EAP-TLS sessions, for example.

We already have a PKI infrastructure in place and ACS 5.x server installed. Now we log in and see this warning message:

image

It’s not just annoying, but it is considered a security risk. We should not just click a “Continue to this website (not recommended).”, because it says – not recommended Smile

For now we have to click it and log into ACS.

First, we have to install one or more trusted CA certificates. How many of them, depends on PKI infrastructure in place. Mine have two tiers, a root CA and an issuing CA, so I will have to go to my CA server, download and save the root CA certificate and issuing CA certificate. These can be downloaded from:

https: //nbissca01.popravak.com/certsrv

and choosing “Download a CA certificate, certificate chain, or CRL” link. The “nbissca01” is my issuing CA server.

On the ACS navigate to “Users and Identity Stores->Certificate Authorities” and then on the right hand side click the “Add” button. First we browse for the root CA certificate and click “Submit”:

image

Then we do the same for the issuing CA certificate:

image

And we should have result that is similar to this:

image

We are now ready to generate a certificate signing request or a CSR. We navigate to “System Administration->Configuration->Local Server Certificates->Local Certificates” and click “Add”. From options given to us, we choose “Generate Certificate Signing Request” and click “Next”:

SNAGHTML52b07f6

Then we need to fill in a certificate subject and select the key length and hashing algorithm. The certificate subject could be something like:

CN=acs.popravak.com,O=Popravak Inc,OU=IT,L=Bijeljina,S=RS,C=BA

The important thing here is that we must match the CN field (in this case – acs.popravak.com) with the real hostname that we use to browse to the ACS. Otherwise we will still receive that warning from the beginning of this blog. This is what we will use for this demo:

image

We should consult our PKI admin to verify if our CA supports this key length and hashing algorithm. Then we click “Finish”. A popup appears:

image

As it says, under the “Outstanding Signing Requests”, we should see our CSR:

image

We need to select this CSR, click “Export” and save it to a file on our disk. By default the file name is “Certificate_Signing_Request1.pem”. This is ok. We now open this file. It’s just a text file that looks like this:

—–BEGIN CERTIFICATE REQUEST—–
MIIDCjCCAfICAQAwYDEMMAoGA1UEAxMDYWNzMRUwEwYDVQQKEwxQb3ByYXZhayBJ

<lines omitted>

7ROAB2cCWBRS3hL2CAnWinTyZ11pYtEpz1fF71aUoNoXLbpL0BkBrBXGczYopIME
lDwcGidVFgiYew9JYuQ=
—–END CERTIFICATE REQUEST—–

Now it is time to go “https://nbissca01.popravak.com/certsrv” again and this time we choose “Request a certificate” and then this long option

“Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”

In the “Saved Request” field we paste the “Certificate_Signing_Request1.pem” file content and select appropriate certificate template. Once again we may need to ask our CA admin for help:

image

When we click “Submit”, our CA server will issue a certificate automatically or place a request under the pending status, which means that our CA admin needs to verify the request and issue a certificate. In either case the final result will be a server certificate that we need to download and save to our PC. In my case, I have appropriate rights to request this type of certificate and one is issued automatically for me:

image

Now let’s go back to our ACS server. Under “System Administration->Configuration->Local Server Certificates->Local Certificates” we click “Add” and select “Bind CA Signed Certificate” and click “Next”:

image

We browse for the saved server certificate. If we are going to use this certificate for management purposes or EAP authentication, we select appropriate options. For now, we are just use this certificate for admin sessions:

image

We click finish, and wait for ACS services to restart:

image

We will be logged out and after we log back in, we no longer receive that warning message! Please note that ACS could need some time to restart services.

That’s it!

Thanks for reading!

Advertisements
This entry was posted in ACS 5.x, ACS/RADIUS/TACACS, Certificates, Cisco, PKI and tagged , , , , , , . Bookmark the permalink.

3 Responses to Installing SSL certificate on Cisco ACS Server II

  1. Pingback: Cisco ACS 5.x – setting up a replication | popravak

  2. Pingback: Installing Custom Certificate on FireSight Defense Center | popravak

  3. Great guide, we are switching from a private PKI to a public PKi infrastructure. Can any one tell me if we need to add the new public CA servers before we can request the CSR?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s