Way back on October 17th, 2011, we talked about installing an SSL certificate on Cisco ACS 4.x. Now it is time to do the same on version 5.x. We have all upgraded by now, haven't we?
To recap from that post: we want a certificate issued by a CA that our clients trust installed on the ACS 5.x, partly to get rid of the annoying warning when we access the ACS for management, and partly because EAP-TLS supplicants, for example, validate the server certificate before they will trust the ACS at all.
We already have a PKI infrastructure in place and an ACS 5.x server installed. Now we log in and see this warning message:
It is not just annoying; it is a genuine security risk. A self-signed certificate gives the browser no way to tell the real ACS from a host impersonating it, so the admin credentials could end up with a man in the middle. The button says "Continue to this website (not recommended)." and it means it.
For now, though, we have to click it once to log into the ACS.
First, we have to install one or more trusted CA certificates. How many depends on the PKI in place. Mine has two tiers, a root CA and an issuing CA, so I have to go to my CA server and download both the root CA certificate and the issuing CA certificate. These can be downloaded from the CA web enrollment page (https://nbissca01.popravak.com/certsrv, the same page we use later to submit the request) by choosing the "Download a CA certificate, certificate chain, or CRL" link. "nbissca01" is my issuing CA server.
At this point we are fetching our trust anchors over a connection we cannot yet verify, so compare the thumbprints of the downloaded CA certificates with what the PKI admin publishes before importing them.
On the ACS navigate to “Users and Identity Stores->Certificate Authorities” and then on the right hand side click the “Add” button. First we browse for the root CA certificate and click “Submit”:
Then we do the same for the issuing CA certificate:
And we should end up with a result similar to this:
We are now ready to generate a certificate signing request (CSR). We navigate to "System Administration->Configuration->Local Server Certificates->Local Certificates" and click "Add". From the options offered, we choose "Generate Certificate Signing Request" and click "Next":
Then we need to fill in a certificate subject and select the key length and hashing algorithm. The certificate subject could be something like:
The important thing here is that the CN field (in this case acs.popravak.com) must match the hostname we actually type into the browser. If it does not, we keep getting the warning from the beginning of this post, now because of a name mismatch rather than an untrusted issuer. Current browsers (Chrome since version 58) go further and ignore the CN altogether, requiring the hostname in the subjectAltName extension; if the CSR form has no field for it, the CA template has to add it. This is what we will use for this demo:
We should check with our PKI admin whether the CA supports this key length and hashing algorithm. Use at least 2048-bit RSA, and SHA-256 where the CA offers it, since SHA-1 signed certificates are rejected by current browsers. Then we click "Finish". A popup appears:
As it says, under the “Outstanding Signing Requests”, we should see our CSR:
We need to select this CSR, click "Export" and save it to a file on our disk. By default the file name is "Certificate_Signing_Request1.pem", which is fine. Note that only the request leaves the ACS: it carries the subject and the public key, signed with the private key, while the private key itself stays on the appliance. If we open the file, it is just a Base64 text block that looks like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Now it is time to go to "https://nbissca01.popravak.com/certsrv" again. This time we choose "Request a certificate" and then this long option:
“Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
In the "Saved Request" field we paste the content of "Certificate_Signing_Request1.pem" and select the appropriate certificate template. It must be a template with the Server Authentication enhanced key usage, such as the built-in Web Server template; once again we may need to ask our CA admin which one to use:
When we click "Submit", the CA either issues the certificate immediately or puts the request into the pending state, meaning the CA admin has to review and issue it. Either way, the result is a server certificate that we download and save to our PC. In my case I have the rights to request this type of certificate, so one is issued for me automatically:
Now let’s go back to our ACS server. Under “System Administration->Configuration->Local Server Certificates->Local Certificates” we click “Add” and select “Bind CA Signed Certificate” and click “Next”:
We browse for the saved server certificate. If we are going to use it for management sessions, for EAP authentication, or for both, we tick the corresponding options. If it is later enabled for EAP as well, remember that the supplicants must trust the same root CA, or they will reject the ACS just as the browser did. For now we use it only for admin sessions:
We click "Finish" and wait for the ACS services to restart:
We are logged out, and after logging back in we no longer see that warning message. Note that the ACS can take a little while to restart its services.
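The chain and hostname checks that the whole procedure above relies on, as an added example that is not part of the original post and is not Cisco code: a throw-away two-tier PKI (root CA, issuing CA) is built with openssl to stand in for the lab's Windows CA, a CSR for the assumed ACS name acs.popravak.com is generated the way the ACS generates its own, it is signed the way the CA's web server template would sign it, and the result is verified the way a browser verifies it once both CA certificates are installed. The CA names, file names and 30-day validity are made up for the demo. It also exercises the two failure modes discussed above: verifying with only the root CA imported, and a name that does not match the certificate.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco: a throw-away two-tier
# test PKI (root CA -> issuing CA -> ACS server certificate) built with openssl so
# the CSR and the issued certificate can be checked the way a browser checks them.
# ACS_HOST is assumed to be the name typed in the browser; CA names, file names
# and validity periods are made up for the demo. Needs openssl 1.1.1 or later.
set -eu

ACS_HOST="${ACS_HOST:-acs.popravak.com}"
WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

build_test_pki() {
  # Tier 1: self-signed root CA (the certificate imported first on the ACS).
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Tier 2: issuing CA, signed by the root (the second certificate imported).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/req.cnf" -subj "/CN=Test Issuing CA" \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/issuing.pem" 2>/dev/null
  # The CSR as the ACS exports it: the private key stays with the server, only the
  # request leaves it. The CN must be the name clients use to reach the ACS.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/req.cnf" -subj "/CN=$ACS_HOST" \
    -keyout "$WORK/acs.key" -out "$WORK/acs.csr" 2>/dev/null
  # What a web server template adds when signing: server EKU plus a
  # subjectAltName, which current browsers check instead of the CN.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$ACS_HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/issuing.pem" -CAkey "$WORK/issuing.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" -out "$WORK/acs.pem" 2>/dev/null
}

# Key length and signature hash of the CSR: the two things to confirm with the PKI admin.
csr_key_bits() {
  openssl req -in "$WORK/acs.csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_sig_alg() {
  openssl req -in "$WORK/acs.csr" -noout -text | sed -n 's/.*Signature Algorithm: \([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Chain check with only the root trusted and the issuing CA supplied as an
# intermediate: what the browser does once both CA certificates are installed.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/issuing.pem" "$WORK/acs.pem" >/dev/null 2>&1
}

# Same check without the issuing CA: this is what fails when only the root was imported.
verify_chain_without_issuing_ca() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/acs.pem" >/dev/null 2>&1
}

# Chain plus hostname match for the name typed into the browser.
verify_for_host() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/issuing.pem" \
    -verify_hostname "$1" "$WORK/acs.pem" >/dev/null 2>&1
}

build_test_pki
echo "CSR key: $(csr_key_bits) bit, signed with $(csr_sig_alg)"
if verify_chain; then echo "chain to root via issuing CA: OK"; else echo "chain: FAILED"; fi
if verify_chain_without_issuing_ca; then echo "chain with root only: OK"; else echo "chain with root only: FAILED (expected: import both CA certificates)"; fi
if verify_for_host "$ACS_HOST"; then echo "name $ACS_HOST: matches"; else echo "name $ACS_HOST: mismatch"; fi
if verify_for_host "other.popravak.com"; then echo "name other.popravak.com: matches"; else echo "name other.popravak.com: mismatch (expected: the browser would warn)"; fi
```

With a real deployment, point the verify functions at the root and issuing certificates downloaded in the first step and at the certificate the CA issued; openssl reports the same issuer and name errors the browser would, so the problem is caught before the certificate is bound to the ACS and its services are restarted.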
Thanks for reading!