14-14
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Manage CAM SSL Certificates
When you receive the CA-signed certificate back from the certification authority, you can import it into
the Clean Access Manager as described in Manage Signed Certificate/Private Key, page 14-14. After the
CA-signed certificate is imported, the “currently installed certificate” is the CA-signed certificate. You can
Export the currently installed certificate at any time if you need a backup of this
certificate later.
Default File Names for Exported Files
The default file names for SSL Certificate files that can be exported from the CAM are as follows. When
you actually save the file to your local machine, you can specify a different name for the file. For
example, to keep from overwriting your chain.pem file containing your certificate chain information,
you can specify your Private Key filename to be a more appropriate name like priv_key.pem or
something similar.
Manage Signed Certificate/Private Key
Import Signed Certificate/Private Key
You can import CA-signed PEM-encoded X.509 Certificates and Private Keys using the CAM web
console on both FIPS 140-2 compliant and non-FIPS appliances. (Typically, you only need to re-import
the Private Key if the current Private Key does not match the one used to create the original CSR on
which the CA-Signed certificate is based.) There are two methods administrators can use to import
CA-signed certificates, Private Keys, and associated Certificate Authority information into Cisco NAC
Appliance:
1. Import the Certificate Authorities and the End Entity Certificates/Private Keys separately:
   a. Import the Certificate Authorities into the trust store using the procedures in Manage Trusted
      Certificate Authorities, page 14-16.
   b. Import the CAM’s end entity certificate and/or Private Key using the instructions below.
2. Construct a PEM-encoded X.509 certificate chain (including the Private Key, End Entity, Root CA,
   and Intermediate CA certificates) and import the entire chain at once using the instructions below.
If you have received a CA-signed PEM-encoded X.509 certificate for the Clean Access Manager, you
can also import it into the Clean Access Manager as described here.
Before starting, make sure that the root and CA-signed certificate files are in an accessible file directory
location and that you have obtained third-party certificates for both your CAM and CASs. If using a
Certificate Authority for which intermediate CA certificates are necessary, make sure these files are also
present and accessible if not already present on the CAM.
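The following pre-import check is an added example, not part of the Cisco guide or the CAM software: it uses the standard openssl command-line tool to confirm that the Private Key matches the end entity certificate and that the certificate chains to the root before the files are combined into one PEM chain. The function names, the file arguments, and the order in which the blocks are concatenated are assumptions, and the Private Key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (not Cisco code): checks to run on a workstation before
# importing a certificate chain into the CAM. All names are hypothetical.

# Succeeds only when the private key ($1) holds the same public key
# as the end entity certificate ($2).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Succeeds only when the certificate ($1) verifies against the root CA
# file ($2), optionally through a file of intermediate CA certificates ($3).
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# build_chain KEY CERT ROOT OUT [INTERMEDIATE]
# Writes OUT only after both checks pass. Assumed block order:
# private key, end entity, intermediate CA(s), root CA.
build_chain() {
    key_matches_cert "$1" "$2" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    chain_verifies "$2" "$3" "$5" || {
        echo "certificate does not chain to the root CA" >&2
        return 2
    }
    # The output contains the private key, so create it owner-only.
    ( umask 077; cat "$1" "$2" ${5:+"$5"} "$3" > "$4" )
}

# Usage (placeholder file names):
#   build_chain priv_key.pem cam_cert.pem root_ca.pem chain.pem inter_ca.pem
```

A failed key check corresponds to the case described above in which the Private Key on hand is not the one used to create the CSR.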
Default File Name [1]    Description
cert_request.pem         CAM Certificate Signing Request (CSR)
chain.pem [2]            CAM Currently Installed Certificate and Currently Installed Private Key

1. For release 3.6.0.1 and below the filename extension is .csr instead of .pem.
2. For release 3.6(1) only, the filename is smartmgr_crt.pem.