Hi Kings,

It has always been a pain in the back making Windows trust "untrusted" certificates. I remember I was able to trick Windows into trusting the certificate issued by my own Linux-based SSL CA by exporting it to a file (Base64 encoding) and then importing it into the local machine certificate store.

Open that untrusted certificate and then select the second tab, called "Details". You'll see a "Copy to File" button at the bottom of the window. Select Base64 encoded and save it locally. Then do an import by going to IE properties, Content tab, Certificates, then select Import and make sure you import it into the Third-Party Root Certification Authorities container.

The net result is you have to see this certificate in the list of certificates available to the user who is logged on to the Windows box. Run "mmc" in Windows; in the Console go to File and select "Add/Remove Snap-in", click Add and find "Certificates" in the new window. Select "My user account" in the next window. In the resulting window, expand Certificates for the current user and navigate to "Third-Party root certificates" -> Certificates. Your newly imported certificate should be there.
As for your second question, I'm only on my way to mastering NAC L3. Hope someone will tie these two together ;)

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, April 02, 2012 4:52 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Trusting certificates when using ssl or tls

Hi all

I am going to present two questions with their solutions. Please comment.

Question 1
========

A router has been enrolled to an IOS CA server and the HTTPS secure server should use this certificate, via the ip http secure-trustpoint command, for its self identity. Now from a PC, you are trying to connect to the router using HTTPS with IE 6.0. The task is that I should configure the PC so that I am not prompted with a pop-up for confirmation that the cert is valid. For this I should do three things:

1. Add the certificate's hostname in the Hosts file and access the router using the hostname that is in the identity cert.
2. Make sure the clock is set correctly and the certificate validity period is valid.
3. Install the certificate in the Trusted Root Certification Authorities.

For the first two, I have no issues. For the third one, I installed the router's identity certificate in the Windows "Trusted root certificate authorities" and that completed the solution. Well, the question is: instead of installing the identity certificate, if I install the root certificate of the IOS CA server, Windows should trust the identity certificate presented, right? But that doesn't happen. Logically, that should also work.

Question 2
========

A router should be configured for L3 IP NAC. The ACS should not use a self-signed certificate but rather request a certificate from the IOS CA server. Now NAC L3 IP uses PEAP and thus ACS will be presenting the identity certificate that it got from the IOS CA server to the client for self identity during PEAP establishment.
The question here, on the client PC for which posture validation is performed: should I install the identity certificate of the CA server, the IOS CA server root certificate, or both, in the Windows "Trusted root certificate authorities"? Please note the questions are related. Please provide your comments.

With regards
Kings
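As an added example (not from either post), the following PowerShell imports the IOS CA root into the current user's Trusted Root store and then builds the chain for the router's identity certificate the same way Windows does for the browser, printing the chain status if it fails; that tells you whether the installed root is really the one that signed the identity cert, or whether something else (validity period, missing intermediate) is the reason for the prompt. The two file paths are placeholders, and Import-Certificate is assumed to be available (PKI module, Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the thread. Paths are placeholders for the Base64 (.cer) exports
# described above.
$rootPath = 'C:\certs\ios-ca-root.cer'      # placeholder: IOS CA server root certificate
$leafPath = 'C:\certs\router-identity.cer'  # placeholder: router identity certificate

# Import the CA root into the current user's Trusted Root Certification Authorities store.
# (The Third-Party Root Certification Authorities store is Cert:\CurrentUser\AuthRoot.)
$root = Import-Certificate -FilePath $rootPath -CertStoreLocation 'Cert:\CurrentUser\Root'

# Load the identity certificate from disk without installing it anywhere.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $leafPath

# Build the chain as the OS would. Revocation checking is disabled because the IOS CA's
# CRL distribution point is usually not reachable from the client PC.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($leaf)

# A root can only validate a leaf it actually signed: the leaf's Issuer must match the
# root's Subject (and the key identifiers must line up). If these differ, the router was
# enrolled with a different trustpoint than the root you exported.
"Identity cert issuer : $($leaf.Issuer)"
"Imported root subject: $($root.Subject)"
"Chain builds         : $ok"

if (-not $ok) {
    # Typical statuses: UntrustedRoot (wrong/missing root), NotTimeValid (clock or
    # validity period), PartialChain (an intermediate CA cert is missing).
    $chain.ChainStatus | ForEach-Object {
        "  $($_.Status): $($_.StatusInformation.Trim())"
    }
}
```

Note that X509Chain only checks trust and validity; the hostname match from step 1 is done separately by the browser, so a chain that builds here can still prompt if the URL hostname differs from the certificate's subject.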
