14-10
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Manage CAM SSL Certificates
Step 6 (Non-FIPS appliances only) Export the Private Key to a local machine for safekeeping.
If you are altering your Cisco NAC Appliance SSL configuration, it is always a good idea to back up the
Private Key corresponding to the current certificate to a local hard drive for safekeeping. See Generate
and Export a Certification Request (Non-FIPS CAM Only), page 14-12.
Step 7 (Non-FIPS appliances only) Export (save) the Certificate Signing Request (CSR) to a local machine. See
Generate and Export a Certification Request (Non-FIPS CAM Only), page 14-12.
Step 8 Send the CSR file to a Certification Authority (CA) authorized to issue trusted certificates.
Step 9 After the CA signs and returns the certificate, import the CA-signed certificate to your server.
When the CA-signed certificate is received from the CA, upload it as a PEM-encoded file to the CAM
temporary store. See Manage Signed Certificate/Private Key, page 14-14.
Note The CAM and CAS require encrypted communication. Therefore, the CAM must contain the Trusted
Certificate Authorities from which the certificates on all of its managed CASs originate, and all CASs
must contain the same Trusted Certificate Authority from which the CAM certificate originates before
deploying Cisco NAC Appliance in a production environment.
Step 10 If necessary, upload any required intermediate CA certificate(s) as a single PEM-encoded file to the
CAM temporary store.
Step 11 Test access to the Clean Access Manager.
Note Make sure the CA-signed certificate you are importing is the one issued for the CSR you generated and
that you have NOT subsequently generated another temporary certificate. Generating a new temporary
certificate will create a new private-public key combination, which will not match the CA-signed
certificate. In addition, always export and save the Private Key to a secure location when you are
generating a CSR for signing (for safekeeping and to have the Private Key handy).
For additional details, see also Troubleshooting Certificate Issues, page 14-21.
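The Note above comes down to one check: the public key in the returned certificate must be the one in the CSR you sent. One way to verify that before importing, as an added example that is not from the Cisco guide; it assumes the openssl CLI on an administrator workstation, and the file names and host name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the Cisco guide): check that a returned certificate
# carries the same public key as the CSR or private key you saved.
# Assumes the openssl CLI; file and host names below are hypothetical.

# Print the SHA-256 of the DER-encoded public key in a key, CSR or certificate.
spki_sha256() {  # usage: spki_sha256 key|csr|cert FILE
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  # Fail on unreadable input so two bad files can never compare as equal.
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when both files hold the same public key.
same_key() {  # usage: same_key TYPE1 FILE1 TYPE2 FILE2
  local a b
  a=$(spki_sha256 "$1" "$2") && b=$(spki_sha256 "$3" "$4") && [ "$a" = "$b" ]
}

demo() {
  local d
  d=$(mktemp -d)
  # Constructed sample data: a key and CSR, plus a self-signed certificate
  # standing in for the CA's reply.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cam.example.test" \
    -keyout "$d/cam.key" -out "$d/cam.csr" 2>/dev/null
  openssl x509 -req -in "$d/cam.csr" -signkey "$d/cam.key" -days 1 \
    -out "$d/cam.crt" 2>/dev/null
  # A second key pair, as produced when a new temporary certificate is
  # generated after the CSR was sent.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/regen.key" 2>/dev/null
  same_key cert "$d/cam.crt" csr "$d/cam.csr" && echo "OK: certificate matches CSR"
  same_key cert "$d/cam.crt" key "$d/regen.key" ||
    echo "MISMATCH: certificate does not match regenerated key"
  rm -rf "$d"
}

demo
```

Run `same_key cert FILE csr FILE` against the files saved in Steps 6 and 7 before uploading the certificate in Step 9.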
Phase 3: Adding a New CAM or CAS to an Existing Production Deployment
In production deployments and for FIPS 140-2 compliant appliances, CA-signed certificates are used
exclusively. Use the following steps when introducing new appliances (CAM or CAS) to a production
deployment. The new appliance should not be added to the deployment until you have requested and are
able to import a new third-party CA-signed certificate.
Step 1 Install and initially configure the new appliance as described in the Cisco NAC Appliance Hardware
Installation Guide, Release 4.9(x).
Step 2 Follow the steps in Phase 1: Prepare Your CAM and CAS for the Certificate Signing Request (CSR),
page 14-9.
Step 3 (Non-FIPS appliances only) Generate a CSR for the new appliance, as described in Generate and Export
a Certification Request (Non-FIPS CAM Only), page 14-12.
Step 4 Obtain and install the CA-signed certificate as described in Import Signed Certificate/Private Key,
page 14-14.