In this blog post, I will cover the steps needed to set up an Enterprise Certificate Authority (CA). In subsequent posts, I will demonstrate how to install an Enterprise CA-issued identity certificate on a Cisco Secure ACS 5.x server, and I will also walk through an Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) authentication setup for a client.
As you may already know, Cisco Secure ACS 5.x already has a self-signed certificate (created during the installation phase). However, it can only be used for managing ACS via an administrative session (over HTTPS). This self-signed certificate cannot be used for any other purpose, e.g. EAP-TLS authentication. For that you need an external Certificate Authority to issue a certificate to the ACS 5.x server. This post shows how to set up a Certificate Authority (CA) on a Windows 2008 R2 server. In the next post I will show how to generate a Certificate Signing Request (CSR) from the ACS 5.x server, use the CA to issue the certificate, import that certificate into Cisco Secure ACS 5.x and use it in an EAP-TLS authentication scenario. More scenarios are covered in the underlying Cisco Secure ACS 5.x Scenario-Based Deployment Guide.
Let's first set up a Certificate Authority on a Windows 2008 R2 server. Follow these steps:
- First, start Server Manager and click Add Roles under Roles Summary.
- Under Role Services, check Certification Authority and Certification Authority Web Enrollment. Click Next.
- Proceed with the Enterprise CA selection (the default) and click Next.
- Since this is our first CA, choose Root CA and click Next.
- Since this is a new Certificate Authority (CA) without existing keys, select Create a new private key and click Next.
- Select the CSP, hashing method, and key length and click Next.
- Keep the defaults and click Next.
- Choose the Validity Period as you desire (the default in this case) and click Next.
- Accept the default database locations and click Next.
- Next, complete the Web Server (IIS) installation wizard in the same way.
- Next, click Install to complete the installation of the selected components (CA, Web Server).
- And you are done!
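The same role installation and a post-wizard check of what the CA ended up with, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the Windows 2008 R2 server and uses a constructed scratch path for the exported CA certificate; the CA configuration step itself (CA type, key, hash, validity) still has to be done through the AD CS wizard above, since 2008 R2 ships no cmdlet for it.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on the Windows 2008 R2 server; the AD CS wizard above is still needed
# to configure the CA itself.
Import-Module ServerManager

# Equivalent of "Add Roles" -> Certification Authority, CA Web Enrollment, Web Server (IIS)
Add-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, Web-Server

# ---- Run the remainder after the AD CS wizard has completed ----

# Expect "Enterprise Root CA" for the choices made in the wizard
certutil -cainfo type

# Export the CA certificate and load it as an X509Certificate2 object
$caCertFile = Join-Path $env:TEMP 'ca.cer'          # constructed scratch path
certutil -ca.cert $caCertFile | Out-Null
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile

# The hash and key length picked in the "CSP, hashing method, key length" step
# are inherited by every certificate this CA signs, including the ACS identity
# certificate that EAP-TLS supplicants will validate. 2008 R2 defaults to SHA-1.
$hash  = $ca.SignatureAlgorithm.FriendlyName         # e.g. sha1RSA or sha256RSA
$bits  = $ca.PublicKey.Key.KeySize                   # e.g. 2048
$years = [int](($ca.NotAfter - $ca.NotBefore).Days / 365)

"CA subject     : {0}" -f $ca.Subject
"Signature hash : {0}" -f $hash
"Key length     : {0} bits" -f $bits
"CA validity    : ~{0} years" -f $years

if ($hash -match 'sha1') { Write-Warning 'CA certificate is SHA-1 signed; consider SHA-256 before issuing certificates.' }
if ($bits -lt 2048)      { Write-Warning 'CA key is shorter than 2048 bits.' }

# An Enterprise root CA is published to Active Directory and domain members pull
# it into their Trusted Root store; confirm it is present on this machine.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint } |
    Format-List Subject, NotAfter, Thumbprint
```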
In subsequent posts, I will cover how to generate a Certificate Signing Request (CSR) on ACS, enroll and install the certificate on ACS, and set up an EAP-TLS authentication scenario for a client supplicant.