
Cisco NAC Appliance (Clean Access)

NAC (CCA): How to Fix Certificate Errors on the CAM/CAS After Upgrade to 4.1.6

Document ID: 107909

Updated: Sep 08, 2008


Introduction

This document describes how to fix certificate errors on the Clean Access Manager (CAM)/Clean Access Server (CAS) with version 4.1.6.

Prerequisites

Requirements

Cisco recommends that you have knowledge of the upgrade process for the Cisco Network Admission Control (NAC) Appliance.

Components Used

The information in this document is based on the Cisco NAC Appliance version 4.1.6 with CAM/CAS.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Procedure

These certificate errors are found in either /perfigo/logs/perfigo-redirect.log0.log.0 or /perfigo/logs/perfigo-log0.log.0.

Here is an example of a certificate error:

SEVERE: RMISocketFactory:Creating RMI socket failed to host
        10.1.20.10:sun.security.validator.ValidatorException:
        Certificate chaining error
Aug 1, 2008 1:41:22 PM com.perfigo.wlan.web.admin.ConnectorClient connect
SEVERE: Communication Exception : java.rmi.ConnectIOException: Exception
        creating connection to: 10.1.20.10; nested exception is:
        javax.net.ssl.SSLHandshakeException:
        sun.security.validator.ValidatorException: Certificate chaining error

These errors are a result of security enhancements made in 4.1.6. In 4.1.6, the CAS and CAM act as client and server to each other and must trust each other. Each one requires the root and intermediate certificates from the other. For example, if the CAS has a Verisign certificate and the CAM has a Perfigo (temporary) certificate, both the CAS and CAM need the Verisign chain (root and intermediates) and the Perfigo root.

Complete these steps in order to fix the certificate errors:

  1. Back up any installed certificates that are not temporary certificates.

    1. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL > X509 Certificate.

      [Figure: 416CertFix_01.gif]

    2. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to Administration > SSL > X509 Certificate.

      [Figure: 416CertFix_02.gif]

    3. Choose Export CSR/Private Key/Certificate from the Choose an action drop-down list.

    4. Click Export located next to Currently Installed Certificate, and save this file.

    5. Click Export located next to Currently Installed Private Key, and save this file.

  2. After the backup, if the CAS and CAM do not already use temporary certificates, generate them.

    1. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL > X509 Certificate.

    2. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to Administration > SSL > X509 Certificate.

    3. Choose Generate Temporary Certificate from the drop-down list.

    4. Fill out the fields listed, and click Generate.

      Note: This no longer requires a reboot to take effect.

  3. Remove all Trusted Certificate Authorities from the CAS and CAM. This step makes the trusted CA list easier to manage and improves security.

    1. On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate Authorities.

    2. On the CAS, go to Administration > SSL > Trusted Certificate Authorities.

    3. Create a filter to exclude the Perfigo certificate.

      [Figure: 416CertFix_03.gif]

    4. Choose Distinguished Name from the Add filter drop-down list.

      [Figure: 416CertFix_04.gif]

    5. Choose contains not from the drop-down list that appears next to Distinguished Name.

      [Figure: 416CertFix_05.gif]

    6. Type Perfigo in the text field, and then click Filter.

      [Figure: 416CertFix_06.gif]

    7. Choose 100 from the drop-down list located next to the Delete Selected button.

    8. Click the check box below the Delete Selected drop-down list in order to select all the certificate authorities (CAs) in the list.

    9. Click Delete Selected in order to delete all the CAs in the list.

    10. Repeat the select-all check box and Delete Selected steps until all the CAs are deleted.

  4. After you remove all CAs, the root and intermediate certificates must be imported.

    1. On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate Authorities.

    2. On the CAS, go to Administration > SSL > Trusted Certificate Authorities.

    3. Click Browse, and choose the Root Certificate first.

      Note: A root certificate is self-signed, so its subject and issuer should be set to the same value.

    4. Click Import, and the CA should appear in the list below.

    5. Perform the same procedure for any intermediate certificates.

  5. Install the CAS and CAM certificates that you backed up in the first step.

    1. On the CAM, open the web interface, and go to Administration > CCA Manager > SSL > X509 Certificate.

    2. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to Administration > SSL > X509 Certificate.

    3. Choose Import Certificate from the drop-down list.

    4. Click Browse, and choose the certificate saved from step 1.

    5. Click Upload.

    6. Click Browse again, and choose the private key that was saved from step 1.

    7. Choose Private Key from the File type drop-down list, and then click Upload.

    8. Click Verify and Install Uploaded Certificates.

    Note: This error message is not fixed by these procedures:

    SEVERE: SSLFilter:access deniedCN=cas1.domain.com,
            OU=Information Technologies, O=Company, ST=State,
            C=US:Netscape cert type does not permit use for SSL client

    If the logs contain this message, you must contact the certificate provider. The certificate must be reissued with the Netscape Cert Type field set to both SSL server and SSL client.
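Before importing anything, the three conditions this procedure depends on (a self-signed root for step 4, a chain that verifies through the intermediates, and a Netscape Cert Type that permits both SSL server and SSL client use) can be checked offline with openssl. The script below is an added example and is not part of this Cisco document; it assumes openssl is on PATH and builds its own throwaway root, intermediate and server certificates in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the Cisco document: openssl pre-flight checks for certificates
# you are about to import into the CAM/CAS Trusted Certificate Authorities list.
# Assumes openssl is on PATH. Every certificate below is CONSTRUCTED in a temp directory
# for the demonstration; point the three check functions at your real files instead.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# --- constructed test material: self-signed root -> intermediate -> CAS server cert ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 1 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -out int.pem -days 1 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout cas.key -out cas.csr -subj "/CN=cas1.example.com" 2>/dev/null
# good.pem permits both SSL server and client use; bad.pem is server-only (the case in the final note)
printf 'nsCertType=server,client\n' > good.ext
printf 'nsCertType=server\n' > bad.ext
openssl x509 -req -in cas.csr -CA int.pem -CAkey int.key -CAcreateserial -out good.pem -days 1 -extfile good.ext 2>/dev/null
openssl x509 -req -in cas.csr -CA int.pem -CAkey int.key -CAcreateserial -out bad.pem -days 1 -extfile bad.ext 2>/dev/null

# Step 4 note: a root certificate must carry identical subject and issuer.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject); i=$(openssl x509 -in "$1" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# Step 4 as a whole: the server cert must chain to the root through the intermediate(s),
# which is the trust the peer CAM/CAS has to build after the import.
chain_ok() {   # usage: chain_ok ROOT INTERMEDIATE LEAF
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Final note: Netscape Cert Type must list both SSL Server and SSL Client.
ns_cert_type_ok() {
  t=$(openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | tail -n 1)
  case "$t" in *"SSL Client"*"SSL Server"*|*"SSL Server"*"SSL Client"*) return 0 ;; esac
  return 1
}

is_self_signed root.pem && echo "root.pem: self-signed root (import this one first)"
is_self_signed int.pem  || echo "int.pem: not self-signed (import as an intermediate)"
chain_ok root.pem int.pem good.pem && echo "good.pem: chain verifies against root.pem"
ns_cert_type_ok good.pem && echo "good.pem: nsCertType permits SSL server and SSL client"
ns_cert_type_ok bad.pem  || echo "bad.pem: server-only nsCertType; request a reissue from the CA"
```

A server certificate can pass the chain check and still fail the Netscape Cert Type check, which is the situation the note above describes.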

Related Information
