Using self-signed certificates, About self-signed certificates, Using self-signed – Cisco 3.3 User Manual
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
Cisco Secure ACS Certificate Setup
Using Self-Signed Certificates
You can use Cisco Secure ACS to generate a self-signed digital certificate to be
used for the PEAP authentication protocol or for HTTPS support of Cisco Secure
ACS administration. This capability supports TLS/SSL protocols and
technologies without requiring interaction with a CA.
This section contains the following topics:
• About Self-Signed Certificates
• Self-Signed Certificate Configuration Options
• Generating a Self-Signed Certificate
About Self-Signed Certificates
Cisco Secure ACS supports TLS/SSL-related protocols, including PEAP and
HTTPS, that require the use of digital certificates. Employing self-signed
certificates is a way for administrators to meet this requirement without having to
interact with a certification authority (CA) to obtain and install the certificate for
the Cisco Secure ACS. The self-signed certificate feature in Cisco Secure ACS
allows the administrator to generate the self-signed digital certificate and use it
for the PEAP authentication protocol or for HTTPS support in the web
administration service.
Other than the lack of interaction with a CA to obtain the certificate, installing a
self-signed certificate requires exactly the same actions as any other digital
certificate. Although Cisco Secure ACS does not support the replication of
self-signed certificates, you can export a certificate for use on more than one
Cisco Secure ACS. To do this, you copy the certificate file (.cer format) and the
corresponding private key file (.pvk format) to another Cisco Secure ACS where
you then install the certificate in the standard manner. For information on
installing certificates, see
Installing a Cisco Secure ACS Server Certificate,
To ensure that a self-signed certificate interoperates with the client, refer to your
client documentation. You may find that you must import the self-signed server
certificate as a CA certificate on your particular client.
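The two checks this section implies, as an added example (not Cisco's code or procedure): confirming that a copied certificate and private key belong together, and showing that a client accepts a self-signed server certificate only when that certificate itself is its trust anchor. It assumes the OpenSSL command-line tool and PEM-encoded files (a key in .pvk format is assumed to have been converted to PEM first); the file names and CN values are made up for the demo.

```shell
#!/bin/sh
# Added example. All certificates are throwaway ones constructed for the demo;
# file names and CN values are assumptions. Files are PEM-encoded.

# make_selfsigned DIR NAME CN: write DIR/NAME.key and DIR/NAME.cer.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.cer" 2>/dev/null
}

# key_matches_cert CERT KEY: succeeds only if KEY is the private key for CERT,
# i.e. the copied pair belongs together (compares the two public keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# client_trusts ANCHOR CERT: succeeds only if CERT validates with ANCHOR as the
# trust anchor. The constructed certificates are in no system CA store, so the
# result depends on ANCHOR alone.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" acs "acs.example.test"         # server certificate
    make_selfsigned "$d" other "other-ca.example.test"  # unrelated anchor
    key_matches_cert "$d/acs.cer" "$d/acs.key" && echo "pair matches"
    key_matches_cert "$d/acs.cer" "$d/other.key" || echo "wrong key detected"
    client_trusts "$d/other.cer" "$d/acs.cer" || echo "rejected: not imported"
    client_trusts "$d/acs.cer" "$d/acs.cer" && echo "accepted: imported as CA"
    rm -rf "$d"
}
demo
```

Because a self-signed certificate is its own issuer, the client has no chain to follow to an existing CA, which is why the certificate itself has to be placed in the client's trusted store.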