Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 15 Administration
Manage CAM SSL Certificates
Note
You cannot use a CA-signed certificate that you bought for the Clean Access Manager on the Clean
Access Server. You must buy a separate certificate for each Clean Access Server.
Web Console Pages for SSL Certificate Management
The actual CAM SSL certificate files are kept on the CAM machine, and the CAS SSL certificate files
are kept on the CAS machine. After installation, the CAM and CAS certificates can be managed from
the following web console pages (respectively):
Clean Access Manager Certificates:
• Administration > CCA Manager > SSL Certificate
Clean Access Server Certificates:
• CAS management pages: Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs, or
• CAS direct access console: Administration > SSL Certificate
The CAM web admin console lets you perform the following SSL certificate-related operations:
• Generate a temporary certificate (and corresponding private key).
• Generate a PEM-encoded PKCS #10 Certificate Signing Request (CSR) based on the current temporary certificate.
• Import and export the private key. The Export Key feature is used to save a backup copy of the Private Key on which the CSR is based. When a CA-signed certificate is returned from the Certificate Authority and imported into the CAM, this Private Key must be used with it.
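The private-key requirement in the last item can be checked before a certificate is imported. The following is an added example, not part of the Cisco guide: it uses the OpenSSL command line (an assumption; the guide describes only the web console) to confirm that a CSR and a returned certificate carry the public key of the exported private key. The file names, the subject name and the self-signed stand-in certificate are constructed sample data, and PEM-encoded, unencrypted key files are assumed.

```shell
#!/bin/sh
# Added example (not from the Cisco guide). Assumes the OpenSSL CLI and
# PEM-encoded files; the private key is assumed to be unencrypted.

# Print the PEM public key held in a private key, CSR or certificate.
pubkey_of() {   # usage: pubkey_of key|csr|cert FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if FILE (a csr or cert) carries the public key of KEYFILE.
matches_key() { # usage: matches_key csr|cert FILE KEYFILE
    want=$(pubkey_of key "$3") || return 1
    got=$(pubkey_of "$1" "$2") || return 1
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed sample data in DIR: cam.key stands in for the exported key,
# cam.csr for the CSR, cam.crt for the certificate returned by the CA
# (self-signed here so the demo runs offline), other.key for a wrong key.
make_samples() { # usage: make_samples DIR
    subj="/CN=cam.example.test"   # constructed name
    openssl genrsa -out "$1/cam.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/cam.key" -subj "$subj" \
        -out "$1/cam.csr" 2>/dev/null &&
    openssl req -x509 -new -key "$1/cam.key" -subj "$subj" -days 1 \
        -out "$1/cam.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d) || exit 1
make_samples "$demo_dir" || exit 1
matches_key csr "$demo_dir/cam.csr" "$demo_dir/cam.key" &&
    echo "CSR matches the exported key"
matches_key cert "$demo_dir/cam.crt" "$demo_dir/cam.key" &&
    echo "certificate matches the exported key: safe to import together"
matches_key cert "$demo_dir/cam.crt" "$demo_dir/other.key" ||
    echo "certificate does not match other.key: do not import with it"
rm -rf "$demo_dir"
```

A mismatch at this point usually means the temporary certificate was regenerated after the CSR was submitted, which replaces the key the CA-signed certificate was issued for.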
Typical Steps for New Installs
For new installations, some typical steps for managing the CAM certificate are as follows.
Note
It is not necessary to have CA-signed certificates for the CAM.
1. Synchronize time
After CAM and CAS installation, make sure the time on the CAM and CAS is synchronized before
regenerating the temporary certificate on which the Certificate Signing Request will be based. See
the next section for details.
2. Check DNS settings for the CAM
If planning to use the DNS name instead of the IP address of your servers for CA-signed certs, you
will need to verify the CAM settings and regenerate a temporary certificate. See
for details.
3.