14-8
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Manage CAM SSL Certificates
In Cisco NAC Appliance Release 4.8 and later, you can no longer export private keys and you cannot
generate CSRs using a FIPS 140-2 compliant CAM/CAS. To adhere to FIPS compliance guidelines, you
can only import certificates from trusted third-party resources.
For details on managing SSL certificates for the CAS, see the Cisco NAC Appliance - Clean Access
Server Configuration Guide, Release 4.9(x).
Note Cisco NAC Appliance supports 1024-, 2048-, and 4096-bit RSA key lengths for SSL certificates.
Note Cisco NAC Appliance supports Extended Validation (EV) SSL certificates.
Note Cisco NAC Appliance does not support wildcard SSL certificates.
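As an added example (not part of the Cisco guide and not a Cisco tool), the following shell function checks a PEM certificate against the constraints in the notes above before it is imported: an RSA key of 1024, 2048, or 4096 bits and no wildcard names. The function names, the example.test hostnames, and the use of the openssl CLI on an administrator workstation are assumptions; make_sample_cert only builds constructed self-signed test certificates.

```sh
#!/bin/sh
# Pre-import check for a CAM certificate (added example; assumes openssl CLI).
# Rules from the notes above: RSA key of 1024, 2048 or 4096 bits, no wildcards.

# check_cam_cert FILE
# Prints "OK", or one "REJECT: ..." line per problem found.
# Returns 0 only when the certificate passes every rule.
check_cam_cert() {
    cc_rc=0
    cc_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "REJECT: not a readable PEM X.509 certificate"
        return 1
    }

    # The key algorithm must be RSA; then the modulus size must be supported.
    if ! printf '%s\n' "$cc_text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "REJECT: public key is not RSA"
        cc_rc=1
    else
        # Turns "Public-Key: (2048 bit)" into "2048".
        cc_bits=$(printf '%s\n' "$cc_text" |
            sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        case "$cc_bits" in
            1024|2048|4096) ;;
            *) echo "REJECT: RSA key length ${cc_bits:-unknown} is not 1024, 2048 or 4096"
               cc_rc=1 ;;
        esac
    fi

    # A wildcard can sit in the subject CN or in a subjectAltName DNS entry.
    if openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q 'CN=\*' ||
       printf '%s\n' "$cc_text" | grep -q 'DNS:\*'; then
        echo "REJECT: wildcard name in subject or subjectAltName"
        cc_rc=1
    fi

    if [ "$cc_rc" -eq 0 ]; then echo "OK"; fi
    return "$cc_rc"
}

# make_sample_cert CN BITS OUT
# Writes a constructed, self-signed, one-day test certificate to OUT
# (its throwaway private key goes to OUT.key).
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days 1 -subj "/CN=$1" \
        -keyout "$3.key" -out "$3" 2>/dev/null
}
```

Run check_cam_cert against the CA-issued certificate file before opening the import form; a non-zero exit status means at least one of the documented constraints is not met.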
The following sections describe how to manage SSL certificates for the CAM:
• Generate Temporary Certificate, page 14-11
• Generate and Export a Certification Request (Non-FIPS CAM Only), page 14-12
• Manage Signed Certificate/Private Key, page 14-14
• Manage Trusted Certificate Authorities, page 14-16
• View Current Private Key/Certificate and Certificate Authority Information, page 14-19
• Troubleshooting Certificate Issues, page 14-21
Note You cannot use a CA-signed certificate that you bought for the Clean Access Manager on the Clean
Access Server. You must buy a separate certificate for each Clean Access Server.
Web Console Pages for SSL Certificate Management
The actual CAM SSL certificate files are kept on the CAM machine, and the CAS SSL certificate files
are kept on the CAS machine. After installation, the CAM certificates are managed from the following
web console pages:
Clean Access Manager Certificates:
• Administration > CCA Manager > SSL > X509 Certificate—Use this configuration window to
import and export temporary or CA-signed certificates, import Private Keys (FIPS and non-FIPS
appliances), export Private Keys (non-FIPS appliances only), and generate new temporary
certificates
• Administration > CCA Manager > SSL > Trusted Certificate Authorities—Use this
configuration window to view, add, and remove Certificate Authorities on the CAM
• Administration > CCA Manager > SSL > X509 Certification Request (non-FIPS appliances
only)—Use this configuration window to generate a new Certificate Signing Request (CSR) for the
CAM
The CAM web admin console lets you perform the following SSL certificate-related operations:
• Generate PEM-encoded PKCS #10 CSRs (non-FIPS appliances only).