14-9
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Manage CAM SSL Certificates
• Import (FIPS and non-FIPS) and export (non-FIPS only) Private Keys. For non-FIPS appliances,
you can use this feature to save a backup copy of the Private Key on which the CSR is based. When
a CA-signed certificate is returned from the Certificate Authority and imported into the CAM (FIPS
and non-FIPS), this Private Key must be used with it or the CAM cannot communicate with any
associated machines via SSL.
• View, remove, and import/export Trusted CAs in the CAM local trust store.
• Generate temporary certificates (and corresponding Private Keys). Temporary certificates are
designed for lab environments only. When you deploy your CAM and CAS in a production
environment, Cisco strongly recommends using a trusted certificate from a third-party Certificate
Authority to help ensure network security.
Typical SSL Certificate Setup on the CAM
Some typical steps for managing CAM certificates are as follows.
Phase 1: Prepare Your CAM and CAS for the Certificate Signing Request (CSR)
Step 1 Synchronize time.
After CAM and CAS installation, make sure the time on the CAM and CAS is synchronized before
regenerating the temporary certificate on which the Certificate Signing Request will be based. See the
next section, Set System Time, page 14-5, for details.
Step 2 Check DNS settings for the CAM.
If planning to use the DNS name instead of the IP address of your servers for CA-signed certificates,
you will need to verify the CAM settings and regenerate a temporary certificate. See Regenerating
Certificates for DNS Name Instead of IP, page 14-23 for details.
Step 3 Generate Temporary Certificate, page 14-11.
A temporary certificate and Private Key are automatically generated during CAM installation. If
changing time or DNS settings on the CAM, regenerate the temporary certificate and Private Key.
Step 4 Export the certificate from your CAM, save it on a machine accessible from your CAS, and
import the exported certificate on the CAS. Then repeat the process in reverse so that the CAS
certificate also resides on the CAM.
Phase 2: Prepare your CAM and CAS For CA-Signed Certs (Production Deployment)
Warning
If your previous deployment uses a chain of SSL certificates that is incomplete, incorrect, or out of
order, CAM/CAS communication may fail after upgrade to release 4.5 and later. You must correct your
certificate chain to successfully upgrade to release 4.5 and later. For details on how to fix certificate
errors on the CAM/CAS after upgrade to release 4.5 and later, refer to the How to Fix Certificate Errors
on the CAM/CAS After Upgrade Troubleshooting Tech Note.
Step 5 Export (Backup) the certificate to a local machine for safekeeping.
If you are altering your Cisco NAC Appliance SSL configuration, it is always a good idea to back up the
certificate to a local hard drive for safekeeping. See Generate and Export a Certification Request
(Non-FIPS CAM Only), page 14-12.
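
The Private Key requirement and the certificate chain warning above can both be checked on exported PEM files before an import or upgrade. The following is an added example, not part of the Cisco guide and not a Cisco tool; it assumes the openssl CLI, an unencrypted key file, and a bundle that lists the server certificate first and ends with the self-signed root, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not a Cisco tool): sanity checks on exported PEM files.
# Assumes the openssl CLI and an unencrypted private key; names are hypothetical.

# Succeeds when the certificate and the private key hold the same public key.
key_matches_cert() {  # usage: key_matches_cert cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when each certificate in the bundle names the next one as its
# issuer and the last one is self-issued (a root). Returns 1 for a bundle that
# is out of order or incomplete, 2 when a file cannot be read.
# This compares issuer and subject names only; it does not verify signatures.
chain_in_order() {  # usage: chain_in_order bundle.pem
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/cert." n)}' "$1" 2>/dev/null
    n=1
    rc=0
    [ -f "$tmp/cert.1" ] || rc=2
    while [ "$rc" -eq 0 ] && [ -f "$tmp/cert.$n" ]; do
        issuer=$(openssl x509 -in "$tmp/cert.$n" -noout -issuer_hash 2>/dev/null) \
            || { rc=2; break; }
        next="$tmp/cert.$((n + 1))"
        [ -f "$next" ] || next="$tmp/cert.$n"   # last entry: compare with itself
        subject=$(openssl x509 -in "$next" -noout -subject_hash 2>/dev/null) \
            || { rc=2; break; }
        if [ "$issuer" != "$subject" ]; then
            echo "cert $n: not issued by the next certificate (or, if last, not self-signed)" >&2
            rc=1
        fi
        n=$((n + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Example run (placeholder paths):
#   key_matches_cert cam-cert.pem cam-key.pem && chain_in_order cam-chain.pem
```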