naccacertinst

CA Certificate Installation

The OfficeScan client authenticates with the ACS server before it sends security posture data. The CA certificate is necessary for this authentication to take place. First, export the CA certificate from the CA server to both the ACS server and the OfficeScan server, then create the CTA agent deployment package. The package includes the CA certificate (see The CA Certificate and Cisco Trust Agent Deployment).

Perform the following to export and install the CA certificate:

• Export the CA certificate from the Certificate Authority server

• Install it on the Cisco Secure ACS server

• Store a copy on the OfficeScan server

• The following procedure is for users running a Windows Certification Authority server to manage certificates on the network. Refer to the vendor documentation if you use another Certification Authority application or service.

To export and install the CA certificate for distribution:

1. Export the certificate from the Certification Authority (CA) server:

1. On the CA server, click Start > Run. The Run screen opens.

2. Type mmc in the Open box. A new management console screen opens.

3. Click File > Add/Remove Snap-in. the Add/Remove Snap-in screen appears.

4. Click Certificates and click Add. The Certificates snap-in screen opens.

5. Click Computer Account and click Next. The Select Computer screen opens.

6. Click Local Computer and click Finish.

7. Click Close to close the Add Standalone Snap-in screen.

8. Click OK to close the Add/remove Snap-in screen.

9. In the tree view of the console, click Certificates > Trusted Root > Certificates.

10. Select the certificate to distribute to clients and the ACS server from the list.

11. Click Action > All Tasks > Export... The Certificate Export Wizard opens.

12. Click Next.

13. Click DER encoded binary x.509 and click Next.

14. Enter a file name and browse to a directory to which to export the certificate.

15. Click Next.

16. Click Finish. A confirmation window displays.

17. Click OK.

2. Install the certificate on Cisco Secure ACS.

1. Click System Configuration > ACS Certificate Setup > ACS Certification Authority Setup.

2. Type the full path and file name of the certificate in the CA certificate file field.

3. Click Submit. Cisco Secure ACS prompts you to restart the service.

4. Click System Configuration > Service Control.

5. Click Restart. Cisco Secure ACS restarts.

6. Click System Configuration > ACS Certificate Management > Edit Certificate Trust List. The Edit Certificate Trust List screen appears.

7. Select the check box that corresponds to the certificate you imported in step b and click Submit. Cisco Secure ACS prompts you to restart the service.

8. Click System Configuration > Service Control.

9. Click Restart. Cisco Secure ACS restarts.

3. Copy the certificate (.cer file) to the OfficeScan server computer to deploy it to the client with the CTA (see Cisco Trust Agent Deployment for more information).

• Store the certificate on a local drive and not on mapped drives.