Specifications

14-23
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Manage CAM SSL Certificates
Agent Troubleshooting, page 11-36
Private Key in Clean Access Server Does Not Match the CA-Signed Certificate
This issue can arise if a new temporary certificate is generated after a Certificate Signing Request (CSR) has already been sent out, so that the CA-signed certificate returned for that CSR is based on the earlier temporary certificate and Private Key pair rather than the current one.
For example, an administrator generates a CSR, backs up the Private Key, and then sends the CSR to a certificate authority (CA), such as VeriSign.
Subsequently, another administrator regenerates a temporary certificate after the CSR has been sent.
When the CA-signed certificate is returned from the CA, the Private Key on which the CA-signed certificate is based no longer matches the one in the Clean Access Server.
To resolve this issue, re-import the old Private Key and then install the CA-signed certificate.
Regenerating Certificates for DNS Name Instead of IP
If planning to regenerate certificates based on the DNS name instead of the IP address of your servers:
• Make sure the CA-signed certificate you are importing is the one with which you generated the CSR, and that you have NOT subsequently generated another temporary certificate. Generating a new temporary certificate creates a new private/public key pair. In addition, always export and save the Private Key when you are generating a CSR for signing, so that the Private Key is at hand when the signed certificate comes back.
• When importing certain CA-signed certificates, the system may warn you that you need to import the root certificate (the CA's root certificate) used to sign the CA-signed certificate, or that the intermediate root certificate needs to be imported.
• Make sure there is a DNS entry in the DNS server.
• Make sure the DNS address in your Clean Access Server is correct.
• For High-Availability (failover) configurations, use the DNS name for the Service IP (virtual DNS).
• Cisco recommends rebooting when you generate a new certificate or import a CA-signed certificate.
• When using a DNS-based certificate, if it is not CA-signed, the user will simply be prompted to accept the certificate.
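The mismatch described under "Private Key in Clean Access Server Does Not Match the CA-Signed Certificate", and the first check in the list above, can both be verified with openssl before anything is imported: the public key inside the CA-signed certificate must equal the public key derived from the Private Key you are about to import. The script below is an added example, not part of the Cisco guide; it assumes openssl is on PATH, and the demo CA, the DNS name cas.example.com and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): reproduce the key/certificate
# mismatch with openssl and check a private key against a CA-signed
# certificate. Demo CA, cas.example.com and file names are constructed.
set -eu
# SHA-256 of the DER public key carried by a private key ("key") or by a
# certificate ("cert"), so the two can be compared as plain strings.
pubkey_fingerprint() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{ print $NF }'
}
# Exit status 0 when the private key matches the certificate, 1 otherwise.
key_matches_cert() {
  [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}
# Build the guide's scenario in directory $1: key A produces the CSR that goes
# to the CA, then a new temporary certificate (key B) is generated on the
# Clean Access Server before the CA-signed certificate comes back.
build_scenario() {
  d=$1
  # A throwaway CA standing in for the commercial CA (constructed, not real).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Admin 1: key A and its CSR for the DNS name; key A is backed up.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cas.example.com" \
    -keyout "$d/keyA.pem" -out "$d/cas.csr" 2>/dev/null
  # Admin 2: regenerates a temporary certificate, which creates key pair B.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cas.example.com" \
    -keyout "$d/keyB.pem" -out "$d/tempB.crt" 2>/dev/null
  # The CA signs the CSR that was built from key A.
  openssl x509 -req -in "$d/cas.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/signed.crt" 2>/dev/null
}
# Stand-alone run: show which key the CA-signed certificate really belongs to.
if command -v openssl >/dev/null 2>&1; then
  dir=$(mktemp -d); build_scenario "$dir"
  for k in keyA keyB; do
    if key_matches_cert "$dir/$k.pem" "$dir/signed.crt"; then
      echo "$k.pem matches signed.crt: import this key with the certificate"
    else
      echo "$k.pem does NOT match signed.crt: re-import the backed-up key first"
    fi
  done
  rm -rf "$dir"
fi
```

Run the same key_matches_cert check against the exported Private Key backup and the file returned by the CA before importing either into the Clean Access Server.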
Disabling Administrator Prompt for Certificate on IE 8 and 9
If no certificate, or only one certificate, is installed in the Windows personal certificate store, Internet Explorer 9 prompts the administrator to select a certificate. The prompt can be disabled by setting an option in Internet Explorer.
To disable the prompt:
Step 1 Go to Tools > Internet Options.
Step 2 Click the Security tab. Select the zone whose security settings you want to view or change (the zone that the NAC Manager URL falls under).
Step 3 Click Custom level under Security level for this zone.
Step 4 Enable Don't prompt for client certificate selection when no certificates or only one certificate exists.