In this blog post, I cover the steps needed to set up an Enterprise Certificate Authority (CA). In subsequent posts, I will demonstrate how to install an Enterprise CA-issued identity certificate on a Cisco Secure ACS 5.x server and walk through an Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) authentication setup for a client.

As you might already know, Cisco Secure ACS 5.x already has a self-signed certificate (created during installation). However, it can only be used for managing ACS via an administrative session (HTTPS). This self-signed certificate cannot be used for any other purpose, e.g. EAP-TLS authentication. For that, you need an external Certificate Authority to issue a certificate to the ACS 5.x server. This post shows how to set up a Certificate Authority (CA) on a Windows 2008 R2 server. In the next post, I will show how to generate a Certificate Signing Request (CSR) from the ACS 5.x server, use the CA to issue the certificate, import it into Cisco Secure ACS 5.x and use it in an EAP-TLS authentication scenario. More scenarios are covered in the underlying Cisco Secure ACS 5.x Scenario-Based Deployment Guide.

Let's first set up a Certificate Authority on a Windows 2008 R2 server. Follow these steps:

  • First, start Server Manager and click Add Roles under Roles Summary.

  • Under Role Services, check Certification Authority and Certification Authority Web Enrollment. Click Next.

  • Proceed with the Enterprise CA selection (the default) and click Next.

  • Since this is our first CA, choose Root CA and click Next.

  • Since it is a new Certificate Authority (CA) without existing keys, select Create a new private key and click Next.

  • Select the CSP, hashing method, and key length, and click Next.

  • Keep the defaults and click Next.

  • Choose the Validity Period as you desire (the default in this case) and click Next.

  • Accept the default database locations and click Next.

  • Next, complete the Web Server (IIS) installation wizard in the same way.

  • Next, click Install to complete the installation of the selected components (CA, Web Server).

  • And you are done!
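Once the wizard finishes, a few checks confirm that what was clicked through actually took effect. The PowerShell script below is an added example and is not part of the original post. It assumes it runs in an elevated session on the new CA server (the ServerManager module and certutil ship with Windows 2008 R2) and that the placeholder $CaName is replaced with the common name entered in the wizard. It reports the two role services, the CA service state, and the key length, signature hash and expiry of the CA certificate. The hash chosen on the CSP page matters beyond the root certificate itself, because the CA signs every certificate it issues, including the ACS identity certificate in the next post, with that hash.

```powershell
# Post-install check for the new Enterprise Root CA (added example, not from the original post).
# Assumptions: elevated PowerShell session on the CA server itself; $CaName replaced with the
# CA common name you typed into the wizard.
$CaName = 'YOUR-CA-COMMON-NAME'   # placeholder, replace with your CA common name

Import-Module ServerManager

# 1. Both role services selected in the wizard should report as installed.
foreach ($feature in Get-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment) {
    $state = if ($feature.Installed) { 'installed' } else { 'MISSING' }
    Write-Output ('{0,-22} {1}' -f $feature.Name, $state)
}

# 2. The CertSvc service must be running and answer a ping, otherwise the ACS CSR in the
#    follow-up post cannot be submitted to it. On a single-CA deployment certutil -ping
#    targets this server by default.
Get-Service CertSvc | Select-Object Name, Status
& certutil.exe -ping

# 3. Print the signing hash the CA is configured to use for issued certificates.
#    CNGHashAlgorithm is set when a Key Storage Provider was chosen on the CSP page;
#    a legacy CSP stores the choice in HashAlgorithm instead, so query both.
& certutil.exe -getreg CA\CSP\CNGHashAlgorithm 2>$null
& certutil.exe -getreg CA\CSP\HashAlgorithm    2>$null

# 4. Locate the CA's own certificate. On the CA server it lives in the machine Personal
#    store together with its private key.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$CaName*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

if (-not $caCert) {
    Write-Warning "No certificate with a private key found for CN=$CaName in Cert:\LocalMachine\My"
    return
}

# 5. Report the parameters chosen on the CSP / hash / key length page and the validity page.
$caCert | Select-Object Subject, Thumbprint,
    @{ Name = 'KeySizeBits';        Expression = { $_.PublicKey.Key.KeySize } },
    @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } },
    NotBefore, NotAfter | Format-List

# 6. Flag choices that make the CA unsuitable as a trust anchor for EAP-TLS clients.
$keySize = $caCert.PublicKey.Key.KeySize
$sigAlg  = $caCert.SignatureAlgorithm.FriendlyName

if ($keySize -lt 2048) {
    Write-Warning "CA key is $keySize bits; re-run the wizard with a 2048-bit or larger key."
}
if ($sigAlg -match 'sha1|md5') {
    Write-Warning "CA signs with $sigAlg; certificates it issues will carry the same weak hash, choose SHA-256 on the CSP page."
}
if ($caCert.NotAfter -lt (Get-Date).AddYears(1)) {
    Write-Warning "CA certificate expires on $($caCert.NotAfter); issued certificates cannot outlive it."
}
```

Save it as a .ps1 and run it from an elevated prompt on the CA. Because a CA cannot be re-keyed in place without re-issuing everything beneath it, running this check before enrolling the ACS server is cheaper than discovering a SHA-1 or short-key root after supplicants start failing EAP-TLS.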

In subsequent posts, I will cover how to generate a Certificate Signing Request (CSR) on ACS, enroll/install the certificate on ACS and set up an EAP-TLS authentication scenario for a client supplicant.

Reference: Cisco Secure ACS Scenario-Based Deployment Guide (CS-ACS 5.2)

One Response to “Configuring Cisco Secure ACS 5.X with an Enterprise CA issued Identity Certificate”

  1. Jesus Pavon says:

    Any new post on how to configure ACS with EAP-TLS authentication? If any, please post the links.

    Kind regards.