Cisco Clean Access 3.5
13-7
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 13 Administration
Manage SSL Certificates
Troubleshooting Certificate Issues
Several issues can arise surrounding certificate management in Cisco Clean Access:
Private Key in Clean Access Manager Does Not Match the CA-Signed Certificate
This issue can arise, for example, from the following scenario: say an administrator generates a CSR
(certificate signing request), backs up the private key, and then sends the CSR to a CA authority, such as
VeriSign.
Subsequently, another administrator regenerates a temporary certificate after the CSR has been sent.
When the CA-signed certificate is returned from the CA authority, the private key on which the
CA-certificate is based no longer matches the one in the Clean Access Manager.
To resolve this issue, re-import the old private key and then install the CA-signed certificate.
Signed Certificate Not Trusted
If the user sees a warning page that the certificate is not trusted after the CA-signed certificate has been
installed, the likely cause is that the CA is not in the Root CA bundle for Cisco Clean Access. To resolve,
either:
• Import the single Root CA or intermediate CA to .chain.crt in the admin console.
• Append it to the end of the perfigo-ca-bundle.crt file.
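The two failures above (a private key that no longer matches the CA-signed certificate, and a certificate whose CA is missing from the Root CA bundle) can both be confirmed with openssl before touching the Clean Access Manager. The script below is an added example, not Cisco's code: it builds throwaway keys, a throwaway signing CA and a stand-in bundle file (all names constructed here), then runs the two checks and applies the "append the CA to the end of the bundle" fix.

```shell
#!/bin/sh
# Added example (not Cisco's code): key/certificate match check and CA-bundle
# trust check for the troubleshooting cases above. Everything below is built
# in a temp directory; no Clean Access Manager files or real CAs are used.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed material: a throwaway signing CA, a server key plus CSR, the
# CA-signed certificate for that CSR, a "regenerated" key that never saw the
# CSR, and an unrelated CA standing in for a bundle that lacks the signing CA.
make_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Signing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cam.example.test" \
    -keyout "$WORK/original.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null
  openssl genrsa -out "$WORK/regenerated.key" 2048 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/bundle.crt" 2>/dev/null
}

# True when the public key embedded in the certificate ($1) equals the public
# key derived from the private key ($2); anything else is the mismatch symptom.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True when the certificate ($1) chains to a CA present in the bundle file ($2).
cert_trusted_by_bundle() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_material
if key_matches_cert "$WORK/server.crt" "$WORK/original.key"; then echo "original key: match"; fi
if ! key_matches_cert "$WORK/server.crt" "$WORK/regenerated.key"; then echo "regenerated key: MISMATCH"; fi
if ! cert_trusted_by_bundle "$WORK/server.crt" "$WORK/bundle.crt"; then echo "bundle without CA: not trusted"; fi
# The fix from the text: append the signing CA to the end of the bundle file.
cat "$WORK/ca.crt" >> "$WORK/bundle.crt"
if cert_trusted_by_bundle "$WORK/server.crt" "$WORK/bundle.crt"; then echo "bundle with CA appended: trusted"; fi
```

On a real system the same two functions are run against the exported private key, the returned CA-signed certificate and perfigo-ca-bundle.crt; a mismatch means the key to re-import is the one backed up when the CSR was generated.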
Regenerating Certificates for DNS Name Instead of IP
If planning to regenerate certificates based on the DNS name instead of the IP address of your servers:
• Make sure the CA-signed certificate you are importing is the one with which you generated the CSR and that you have NOT subsequently generated another temporary certificate. Generating a new temporary certificate will create a new private-public key combination. In addition, always export and save the private key when you are generating a CSR for signing (to have the private key handy).
• When importing certain CA-signed certificates, the system may warn you that you need to import the root certificate (the CA's root certificate) used to sign the CA-signed certificate, or the intermediate root certificate may need to be imported.
• Make sure there is a DNS entry in the DNS server.
• Make sure the DNS address in your Clean Access Server is correct.
• For High-Availability (failover) configurations, use the DNS name for the Service IP (virtual DNS).
• It is recommended to reboot when you generate a new certificate or import a CA-signed certificate.
• When using a DNS-based certificate, if it is not CA-signed, the user will simply be prompted to accept the certificate.
The following sections provide more information on how to perform certificate management steps.