Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Manage CAM SSL Certificates
This section describes the following:
SSL Certificate Overview, page 14-7
Web Console Pages for SSL Certificate Management, page 14-8
Typical SSL Certificate Setup on the CAM, page 14-9
Generate Temporary Certificate, page 14-11
Generate and Export a Certification Request (Non-FIPS CAM Only), page 14-12
Manage Signed Certificate/Private Key, page 14-14
Manage Trusted Certificate Authorities, page 14-16
View Current Private Key/Certificate and Certificate Authority Information, page 14-19
Troubleshooting Certificate Issues, page 14-21
SSL Certificate Overview
The elements of Cisco NAC Appliance communicate securely over Secure Socket Layer (SSL) connections. Cisco NAC Appliance uses SSL connections for a number of purposes, including the following:
• Secure communications between the CAM and the CAS
Caution: CAM-CAS communication and HA-CAM and/or HA-CAS peer communication can break down and adversely affect network functionality when SSL certificates expire. For more information, see HA Active-Active Situation Due to Expired SSL Certificates, page 14-21.
• Policy Import/Export operations between Policy Sync Master and Policy Sync Receiver CAMs
• CAM-to-LDAP authentication server communications where SSL has been enabled for the LDAP authentication provider using the Security Type option on the User Management > Auth Servers > New | Edit page
• Between the CAS and end-users connecting to the CAS
• Between the CAM/CAS and the browsers accessing the CAM/CAS web admin consoles
During installation, the configuration utility script for both the CAM and CAS requires you to generate
a temporary SSL certificate for the appliance being installed (CAM or CAS). For the Clean Access
Manager and Clean Access Servers operating strictly in a lab environment, it is not necessary to use a
CA-signed certificate and you can continue to use a temporary certificate, if desired. For security reasons
in a production deployment, however, you must replace the temporary certificate for the CAM and CAS
with a third-party CA-signed SSL certificate.
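The two conditions this section warns about, a still-temporary (self-signed) certificate in production and a certificate approaching expiry, can both be read from the PEM file with the openssl CLI. The script below is an added illustration, not part of this guide or of the Cisco NAC Appliance software; the hostnames, file names and threshold are constructed sample values, and the temporary certificate it generates merely stands in for the one the setup utility produces.

```sh
#!/bin/sh
# Added example, not from the Cisco guide: audit a PEM certificate the way an
# operator would before a CAM/CAS certificate lapses. A temporary certificate
# generated at install time is self-signed (issuer DN == subject DN); an
# expiring one is what breaks CAM-CAS and HA peer communication.
set -eu

# Returns 0 if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Returns 0 if the certificate in $1 is self-signed (issuer equals subject).
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# Prints the findings for $1 against an expiry threshold of $2 days, or OK.
audit_cert() {
  findings=""
  cert_is_self_signed "$1" && findings="SELF-SIGNED"
  cert_valid_for_days "$1" "$2" || findings="${findings:+$findings }EXPIRING"
  echo "${findings:-OK}"
}

# Constructed sample inputs (hypothetical names): a short-lived self-signed
# certificate standing in for the install-time temporary one, and a
# certificate signed by a throwaway lab CA standing in for the CA-signed one.
workdir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=cam.example.test" \
  -keyout "$workdir/temp.key" -out "$workdir/temp.pem" -days 7 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Lab CA" \
  -keyout "$workdir/ca.key" -out "$workdir/ca.pem" -days 3650 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cam.example.test" \
  -keyout "$workdir/signed.key" -out "$workdir/signed.csr" >/dev/null 2>&1
openssl x509 -req -in "$workdir/signed.csr" -CA "$workdir/ca.pem" \
  -CAkey "$workdir/ca.key" -CAcreateserial -days 365 \
  -out "$workdir/signed.pem" >/dev/null 2>&1

# A 30-day threshold flags the temporary certificate on both counts and
# passes the CA-signed one.
echo "temporary cert: $(audit_cert "$workdir/temp.pem" 30)"   # SELF-SIGNED EXPIRING
echo "CA-signed cert: $(audit_cert "$workdir/signed.pem" 30)" # OK
```

Point audit_cert at the certificate files actually exported from the CAM and CAS to run the same check against a real deployment.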
At installation, a corresponding Private Key is also generated with the temporary certificate. Cisco NAC
Appliance Release 4.7(0) uses two types of keys to support FIPS compliance: Private Keys and Shared
Master Keys. Both of these key types are managed and stored using the FIPS card installed in the
CAM/CAS. During installation, the CAM/CAS setup utilities create the keys, move them to the FIPS card for security, and then remove the key-generation files and/or directories from the CAM/CAS.