NAC (CCA): How to Fix Certificate Errors on the CAM/CAS After Upgrade to 4.1.6
Document ID: 107909
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Procedure
Related Information
Introduction
This document describes how to fix certificate errors on the Clean Access Manager (CAM)/Clean Access
Server (CAS) with version 4.1.6.
Prerequisites
Requirements
Cisco recommends that you have knowledge of the upgrade process for the Cisco Network Admission Control
(NAC) Appliance.
Components Used
The information in this document is based on the Cisco NAC Appliance version 4.1.6 with CAM/CAS.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Procedure
These certificate errors are found in either /perfigo/logs/perfigo-redirect.log0.log.0 or
/perfigo/logs/perfigo-log0.log.0.
Here is an example of a certificate error:
SEVERE: RMISocketFactory:Creating RMI socket failed to host
10.1.20.10:sun.security.validator.ValidatorException:
Certificate chaining error
Aug 1, 2008 1:41:22 PM com.perfigo.wlan.web.admin.ConnectorClient connect
SEVERE: Communication Exception : java.rmi.ConnectIOException: Exception
creating connection to: 10.1.20.10; nested exception is:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: Certificate chaining error
These errors are a result of security enhancements made in 4.1.6. In 4.1.6, the CAS and CAM act as client and
server to each other and must trust each other. Each one requires the root and intermediate certificates from
the other. For example, if the CAS has a Verisign certificate and the CAM has a Perfigo (temporary)
certificate, both the CAS and CAM need the Verisign chain (root and intermediates) and the Perfigo root.
Complete these steps in order to fix the certificate errors:
1. Back up any installed certificates that are not temporary certificates.
a. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL >
X509 Certificate.
b. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to
Administration > SSL > X509 Certificate.
c. Choose Export CSR/Private Key/Certificate from the Choose an action drop-down list.
d. Click Export located next to Currently Installed Certificate, and save this file.
e. Click Export located next to Currently Installed Private Key, and save this file.
2. After the backup, if the CAS and CAM do not already use temporary certificates, generate them.
a. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL >
X509 Certificate.
b. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to
Administration > SSL > X509 Certificate.
c. Choose Generate Temporary Certificate from the drop-down list.
d. Fill out the fields listed, and click Generate.
Note: This no longer requires a reboot to take effect.
3. Remove all Trusted Certificate Authorities from the CAS and CAM. Starting from an empty trust store
makes the trusted CAs easier to manage and improves security, because only the CAs you import in the next step are trusted.
a. On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate
Authorities.
b. On the CAS, go to Administration > SSL > Trusted Certificate Authorities.
c. Create a filter to exclude the Perfigo certificate.
d. Choose Distinguished Name from the Add filter drop-down list.
e. Choose contains not from the drop-down list that appears next to Distinguished Name.
f. Type Perfigo in the text field, and then click Filter.
g. Choose 100 from the drop-down list located next to the Delete Selected button.
h. Click the check box below the Delete Selected drop-down list in order to select all the
certificate authorities (CAs) in the list.
i. Click Delete Selected in order to delete all the CAs in the list.
j. Continue to click the box, and click Delete Selected until all the CAs are deleted.
4. After you remove all CAs, the root and intermediate certificates must be imported.
a. On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate
Authorities.
b. On the CAS, go to Administration > SSL > Trusted Certificate Authorities.
c. Click Browse, and choose the Root Certificate first.
Note: For a root certificate the subject and issuer are the same value, because the root is self-signed.
d. Click Import, and the CA should appear in the list below.
e. Perform the same procedure for any intermediate certificates.
5. Install the CAS and CAM certificates that you backed up in the first step.
a. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL >
X509 Certificate.
b. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to
Administration > SSL > X509 Certificate.
c. Choose Import Certificate from the drop-down list.
d. Click Browse, and choose the certificate saved from step 1.
e. Click Upload.
f. Click Browse again, and choose the private key that was saved from step 1.
g. Choose Private Key from the File type drop-down list, and then click Upload.
h. Click Verify and Install Uploaded Certificates.
Note: This error message is not fixed by these procedures:
SEVERE: SSLFilter:access deniedCN=cas1.domain.com,
OU=Information Technologies, O=Company, ST=State,
C=US:Netscape cert type does not permit use for SSL client
If the logs contain this message, you must contact the certificate provider. The certificate must be
reissued with the Netscape Cert Type field set to both SSL server and SSL client.
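The two log messages quoted in this document call for different remedies: a "Certificate chaining error" means the peer's root and intermediate CAs are missing from the local trust store (steps 3 to 5 above), while "Netscape cert type does not permit use for SSL client" means the certificate itself must be reissued. The following script is an added example, not part of the Cisco document or the NAC Appliance software. It reassembles the multi-line Java logger records from perfigo-log0.log.0 / perfigo-redirect.log0.log.0 and reports which remedy applies to each, together with the peer address or certificate CN involved. The sample log text embedded in it is constructed from the messages quoted above; the class names on the date lines and the final INFO record are constructed filler.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample excerpt (not a real capture), modelled on the records
# this document quotes. Records wrap over several lines as Java's logger
# prints them; the source class on each date line is constructed filler.
SAMPLE_LOG = """\
Aug 1, 2008 1:41:22 PM com.perfigo.wlan.web.admin.ConnectorClient connect
SEVERE: RMISocketFactory:Creating RMI socket failed to host
10.1.20.10:sun.security.validator.ValidatorException:
Certificate chaining error
Aug 1, 2008 1:41:22 PM com.perfigo.wlan.web.admin.ConnectorClient connect
SEVERE: Communication Exception : java.rmi.ConnectIOException: Exception
creating connection to: 10.1.20.10; nested exception is:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: Certificate chaining error
SEVERE: SSLFilter:access deniedCN=cas1.domain.com,
OU=Information Technologies, O=Company, ST=State,
C=US:Netscape cert type does not permit use for SSL client
Aug 1, 2008 1:42:10 PM com.perfigo.wlan.web.admin.ConnectorClient connect
INFO: connected to 10.1.20.11
"""

LEVEL_RE = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): ")
DATE_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M ")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CN_RE = re.compile(r"CN=([^,:]+)")

# Exact substrings of the two messages quoted in the document.
CHAINING = "Certificate chaining error"
NS_CERT_TYPE = "Netscape cert type does not permit use for SSL client"


@dataclass
class Finding:
    kind: str                 # "missing_trust_chain" or "netscape_cert_type"
    timestamp: Optional[str]  # from the preceding date line, if any
    detail: str               # peer address or certificate CN
    remedy: str


def split_records(text: str) -> List[Tuple[Optional[str], str]]:
    """Group Java-logger output into (timestamp, message) records.

    A record starts at a 'LEVEL: ' line; a date line just before it supplies
    the timestamp; every other line is a continuation of the current message.
    """
    records: List[List[Optional[str]]] = []
    pending_ts: Optional[str] = None
    current: Optional[List[Optional[str]]] = None
    for line in text.splitlines():
        date_match = DATE_RE.match(line)
        if date_match:
            pending_ts = date_match.group(0).strip()
            continue
        if LEVEL_RE.match(line):
            if current is not None:
                records.append(current)
            current = [pending_ts, line]
            pending_ts = None
        elif current is not None:
            current[1] += " " + line.strip()   # join wrapped exception text
    if current is not None:
        records.append(current)
    return [(ts, msg) for ts, msg in records]


def classify(text: str) -> List[Finding]:
    """Map each record to the remedy this document prescribes for it."""
    findings: List[Finding] = []
    for ts, msg in split_records(text):
        if CHAINING in msg:
            m = IPV4_RE.search(msg)
            findings.append(Finding(
                "missing_trust_chain", ts, m.group(1) if m else "?",
                "import the peer's root and intermediate CAs (steps 3-5)"))
        elif NS_CERT_TYPE in msg:
            m = CN_RE.search(msg)
            findings.append(Finding(
                "netscape_cert_type", ts, m.group(1).strip() if m else "?",
                "reissue the certificate with Netscape Cert Type = SSL server and SSL client"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Collapse findings to {kind: {peer addresses or CNs}} for a quick report."""
    summary: Dict[str, Set[str]] = {}
    for f in findings:
        summary.setdefault(f.kind, set()).add(f.detail)
    return summary


if __name__ == "__main__":
    # Usage: python check_cca_certs.py /perfigo/logs/perfigo-log0.log.0 ...
    # With no arguments the constructed sample above is analysed.
    texts = [open(p, errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_LOG]
    for text in texts:
        for f in classify(text):
            print(f"{f.timestamp or '(no timestamp)'}  {f.kind:<20} {f.detail:<18} -> {f.remedy}")
```

Run it against both log files named in the Procedure section; a non-empty missing_trust_chain set after the steps above have been completed usually means one side still lacks the other side's intermediate CA, while any netscape_cert_type entry cannot be cleared by importing CAs and needs the provider to reissue.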
Related Information
• Cisco NAC Appliance Support Page
• Technical Support & Documentation - Cisco Systems
© 2009-2010 Cisco Systems, Inc. All rights reserved.
Updated: Sep 08, 2008