Certificate Installation on ACS

First we will start with Root CA Certificate installation:

Log in to the certificate server at http://<ip or xyz>/certsrv

Click on “Download a CA Certificate, certificate chain or CRL”.

Select the Encoding Method “Base 64” and click on Download CA certificate.

Save it to a location on your file system.

Now that we have the Root CA certificate, it’s time to install it on ACS.

Log in to ACS and go to Users and Identity Stores > External Identity Stores > Certificate Authorities.

Click on Add.

Now browse to the Root CA file and tick the check box “Trust for client with EAP-TLS” (required for EAP-TLS authentication); otherwise authentications fail with an error such as 12514 (Failed SSL/TLS handshake).

Then click on Submit.

Now we will download and install the ACS local server certificate:

We must use these steps:

  1. Go to System Administration > Local Certificates, then click on Add.
  2. Select Generate Certificate Signing Request.
  3. Fill in the certificate subject name and key length. Click Submit.

Select the third option, “Generate Certificate Signing Request”.

Click Next.

Enter the Certificate subject name.

Choose a key length of 1024 or 4096 (the maximum value).

Click Finish; this prompt will pop up.

Click OK. Now we can see this signing request under Outstanding Signing Requests.

Now tick the request and click Export.

Save it and open it in Notepad.

Copy its contents.

Log back in to the certificate server, and this time click on Request a Certificate.

Paste the certificate signing request here (the one we opened in Notepad).

Select the “Web Server” template.

Download the Base 64 encoded certificate: click “Download certificate”.

Save it.

Now log in again to ACS and select Bind CA Signed Certificate.

Click Next, browse the Certificate here.

Also tick EAP and Management interface and click Submit.

Select OK and click Finish.

Sometimes ACS must be rebooted to complete the certificate installation.

That’s all about ACS certificate installation 🙂

Provisioning CA and Server Certificates on Cisco ISE

Provision both ISE nodes with the CA root certificate and their own individual server certificates
(generated by certificate signing requests).

Relevant documentation:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html

CA Certificate

  1. First, download the Root CA certificate from your Certificate Authority at http://<ca>/certsrv/
  2. Click “Download a CA certificate, certificate chain, or CRL”.

  1. The encoding method should be “DER”.
  2. Click “Download CA Certificate”.

Save it to a location on your file system.

  1. On ISE go to Administration > System > Certificates > Certificate Store. Click “Import”.
  2. Click Browse and locate the Root CA certificate.
  3. Tick “Trust for Client Authentication”. If you don’t, you may see failures with “12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain” when using EAP-TLS.
  4. Click “Submit”.

The CA Certificate will appear alongside the original self-signed certificate generated by ISE.

If you have 2 or 3 ISE nodes, you must repeat these Root CA steps on each node.

ISE Local Server Certificates

  1. On each node go to Administration > System > Certificates > Local Certificates.
  2. Click Add > Generate Certificate Signing Request.
  3. Fill in the CN with the ISE node’s FQDN and any other relevant fields. Click “Submit”.

  1. Go to Administration > System > Certificates > Certificate Signing Requests.
  2. Tick the request and click Export.

  1. Save the request onto your computer and open it in Notepad.
  2. On your Microsoft CA server (//<ca>/certsrv/) go to Request Certificate > Advanced certificate request.
  3. Paste the contents of the CSR into the request field and select “Web Server” as the template.

  1. Click Submit.
  2. Download the DER encoded certificate: click “Download Certificate”.
  3. On ISE go to Administration > System > Certificates > Local Certificates.
  4. Click “Add” > “Bind CA Certificate”.
  5. Select the certificate from your computer. Tick “EAP” and “Management Interface” and click “Submit”.

  1. ISE will need to reload to complete the certificate installation.
  2. Perform this task on all nodes in the deployment before joining them together.
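Before binding a CA-signed certificate on either ACS or ISE (both procedures above), it is worth checking offline that the certificate chains to the Root CA you imported, carries the node FQDN as its CN and has an adequate key size. The following shell script is an added example using OpenSSL and is not part of the original post or of Cisco's tooling: the root CA, a second unrelated CA, the CSR and the node name ise01.example.test are all constructed locally as stand-ins for the Microsoft CA's output, and the files are handled as Base 64 (PEM); a DER file from the ISE steps would need `-inform der` on the `openssl x509` calls.

```shell
#!/bin/sh
# Constructed example: a throwaway root CA, a node CSR and a CA-signed server
# certificate stand in for the Microsoft CA and the ACS/ISE-generated CSR.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NODE_FQDN="ise01.example.test"   # hypothetical node FQDN used as the CN

# Throwaway root CA (plays the role of the downloaded Root CA certificate)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.pem" -subj "/CN=Example Root CA" -days 1 2>/dev/null
# An unrelated root, to show what an "unknown CA" (error 12514) looks like
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
  -out "$WORK/other.pem" -subj "/CN=Other Root CA" -days 1 2>/dev/null
# CSR as generated under Local Certificates > Generate Certificate Signing Request
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/node.key" \
  -out "$WORK/node.csr" -subj "/CN=$NODE_FQDN" 2>/dev/null
# Server certificate as returned by the CA's "Web Server" template
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/node.pem" -days 1 2>/dev/null

# check_cert CERT ROOT FQDN: prints "ok", or the first failing check and returns 1
check_cert() {
  cert=$1; root=$2; fqdn=$3
  # 1. The root that signed the certificate must be in the trust store, otherwise
  #    the EAP-TLS handshake fails with 12514 (unknown CA in the chain).
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "untrusted-chain"; return 1; }
  # 2. The subject CN must be the node's FQDN.
  cn=$(openssl x509 -in "$cert" -noout -subject \
       | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
  [ "$cn" = "$fqdn" ] || { echo "cn-mismatch:$cn"; return 1; }
  # 3. The GUI offers 1024-bit keys, but anything below 2048 bits is too weak.
  bits=$(openssl x509 -in "$cert" -noout -text \
         | sed -n 's|.*Public-Key: (\([0-9]*\) bit).*|\1|p')
  [ "${bits:-0}" -ge 2048 ] || { echo "weak-key:${bits:-unknown}"; return 1; }
  echo ok
}

check_cert "$WORK/node.pem" "$WORK/ca.pem" "$NODE_FQDN"              # ok
check_cert "$WORK/node.pem" "$WORK/other.pem" "$NODE_FQDN" || true   # untrusted-chain
```

Run it against the real files by replacing the constructed `node.pem` and `ca.pem` with the certificate downloaded from the CA and the Root CA certificate imported into the trust store.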