Cisco Trust Agent's Use of Certificates
CTA uses certificates to establish a PEAP and an EAP FAST session with Cisco Secure Access Control Server (ACS). You need to install the ACS root certificate on the client system for this session to be established.
Typically, this certificate is installed as part of a custom Cisco Trust Agent installation package. If it was not installed, CTA provides the ctacert utility for installing and updating the posture validation server certificate on the client.
If you have installed the 802.1X Wired Client you may perform machine and user authentication using certificates. You can configure CTA for this authentication after the ACS root certificate has been installed.
This chapter contains the following sections:
• About The ACS Server Root Certificate
• About The ctacert Utility
• Installing or Updating Certificates Using the ctacert Utility
  – Installing or Updating a Certificate on Linux Operating Systems
  – Installing or Updating a Certificate on Mac OS X Operating System
  – Installing or Updating a Certificate on Windows Operating Systems
• Listing Certificates in the Certificate Store
  – Listing Certificates in the Certificate Store on Linux Operating Systems
  – Listing Certificates in the Certificate Store on Mac OS X Operating System
• Deleting Certificates from the Certificate Store
  – Deleting a Certificate from the Certificate Store on Linux Operating Systems
  – Deleting a Certificate from the Certificate Store on Mac OS X Operating System
• Clearing Certificates from the Certificate Store
  – Clearing All Certificates from the Certificate Store on Linux Operating Systems
  – Clearing All Certificates from the Certificate Store on Mac OS X Operating Systems
• Configuring Machine Authentication Using Certificates
  – Requesting the Machine Certificate for Machine Authentication
• Configuring User Authentication Using Certificates
  – Importing the User Certificate for User Authentication
• Configuring Machine and User Authentication Using Certificates
• Distinguished Name Matching
• Converting DER Formatted Certificates to PEM Formatted Certificates
About The ACS Server Root Certificate
For ACS to establish a secure PEAP or an EAP FAST session with Cisco Trust Agent, you must install the ACS root certificate on the network client. This certificate is either the CA certificate used to validate the server certificate, or a self-signed certificate generated by the ACS server. On Windows platforms, CTA supports PEM wrappered Base-64 or DER encoded binary X.509 certificates. On Linux platforms, CTA supports PEM wrappered Base-64 certificates only.
Note
The ACS certificate must have "server authentication" as the certificate purpose for the PEAP session to be created.
Before you begin reviewing this chapter, obtain the ACS root certificate. If ACS uses self-signed certificates, obtain the certificate from the server. (Refer to the User Guide for Cisco Secure ACS for Windows Server for information about obtaining the certificate.) If you use a CA certificate, obtain the certificate from your certificate server.
Cisco Trust Agent installs a utility on the local client to help you add, delete, and manage certificates. See the "About The ctacert Utility" section for detailed procedures describing the use of this utility.
About The ctacert Utility
Use the ctacert utility to install, delete, and manage the root certificate used by Cisco Trust Agent for PEAP (EAPoUDP) sessions with ACS or any other certificates you want to install on the client.
The ctacert utility is installed on Linux, Mac OS X, and Windows platforms. The utility's executable file name on Linux and Mac OS X is ctacert. The utility's executable file name on Windows is ctaCert.exe. This section refers to the utility generically as "ctacert."
On Windows, the ctaCert.exe utility can accept PEM wrappered Base-64 or DER encoded binary X.509 certificates. On Linux platforms, the ctacert utility only accepts PEM wrappered Base-64 certificates. However, on Linux platforms, the certificates can be converted from DER to PEM format. See the "Converting DER Formatted Certificates to PEM Formatted Certificates" section for the command that performs the conversion.
Installing or Updating Certificates Using the ctacert Utility
The ctacert utility can be used on Linux, Mac OS X, and Windows operating systems to install or update certificates.
Installing or Updating a Certificate on Linux Operating Systems
Step 1
Copy the certificate to the client.
Step 2
Open a terminal window on the network client.
Step 3
At the prompt type either of the following commands and press <Enter>:
• ctacert -a /path/cert_name.cer
• ctacert --add /path/cert_name.cer
In these examples, /path/cert_name.cer represents the full path and file name of the certificate.
After the certificate has been installed, you receive the message, "Certificate successfully added to store with Hashed Name Number", where Number is the numeric Hashed Name of the certificate.
Installing or Updating a Certificate on Mac OS X Operating System
Step 1
Copy the certificate to the client.
Step 2
Open a terminal window.
Step 3
Change the directory to the /opt/CiscoTrustAgent/bin directory.
Step 4
At the prompt enter either of these commands and press <Enter>.
• sudo ./ctacert -a /path/cert_name.cer
• sudo ./ctacert --add /path/cert_name.cer
In these examples, /path/cert_name.cer represents the full path and file name of the certificate.
After the certificate has been installed, you receive the message, "Certificate successfully added to store with Hashed Name Number", where Number is the numeric Hashed Name of the certificate.
Installing or Updating a Certificate on Windows Operating Systems
On Windows operating systems, all certificates are stored in the Microsoft Certificate Store. The ctaCert.exe utility only allows you to add certificates to the Microsoft Certificate Store. All other management of certificates is done through Microsoft's Certificate Management interface.
This is the /add command syntax for ctaCert.exe:
ctaCert.exe /ui {2 | 3 | 4 | 5} /add "cert_path" /store "cert_store"
Command Parameters
Table 8-1 describes the command parameters for the ctaCert utility.
Table 8-1 ctaCert Utility Command Parameters
Parameter | Description
--------- | -----------
/ui       | Specifies silent or verbose install. Accepts the following values: 2 or 3 for silent installation; 4 or 5 for full user interaction installation. Any other value entered is treated as full user interaction.
/add      | Specifies the full path to the certificate being added. You can also specify *.cer to add all certificates in the specified directory, for example: c:\My_Certs\*.cer.
/store    | Specifies the system certificate store. Typically this is "Root".
To install a certificate using the ctaCert.exe utility, follow this procedure:
Step 1
Copy the certificate to the network client.
Step 2
Open a command prompt on the network client.
Step 3
Change directory to the location of the ctaCert.exe utility. By default, the location is C:\Program Files\Cisco Systems\CiscoTrustAgent\.
Step 4
At the prompt, type the following and press <Enter>.
ctaCert.exe /ui x /add C:\path\cert_name.cer /store Root
Where /ui x specifies the level of user interaction and where C:\path\cert_name.cer is the full path and file name of the certificate.
The certificate is added to the trusted certificate store on the network client.
Listing Certificates in the Certificate Store
The ctacert utility can be used on Linux and Mac OS X to list the certificates in the client certificate store. Use Microsoft's Certificate Management interface to perform this task on Windows operating systems.
Listing Certificates in the Certificate Store on Linux Operating Systems
Step 1
Open a terminal window on the network client.
Step 2
From any prompt enter either of these commands and press <Enter>.
• ctacert -l
• ctacert --list
This command displays the hashed file name, certificate version, signature algorithm, subject/issuer name, validity period, and MD5 fingerprint information. Output pertaining to different certificates is separated by a string of dashes.
Example 8-1 ctacert --list command output on Linux
hashed file name: 814661db.0
Signature Algorithm: md5WithRSAEncryption
Issuer: O=Cisco Systems, Inc., CN=Stress
Not Before: Aug 7 11:38:06 2002 GMT
Not After : Aug 20 05:09:50 2048 GMT
Subject: O=Cisco Systems, Inc., CN=Stress
MD5 Fingerprint=13:5A:A9:B5:98:DE:78:F5:1A:7E:27:FA:E0:8B:1D:D7
------------------------------------------------------------
Listing Certificates in the Certificate Store on Mac OS X Operating System
Step 1
Open a terminal window on the network client.
Step 2
Change the directory to /opt/CiscoTrustAgent/bin directory.
Step 3
At the prompt enter either of these commands and press <Enter>.
• sudo ./ctacert -l
• sudo ./ctacert --list
Step 4
When prompted, type the root user's password.
This command displays the hashed file name, certificate version, signature algorithm, subject/issuer name, validity period, and MD5 fingerprint information. Output pertaining to different certificates is separated by a string of dashes.
Example 8-2 ctacert --list command output on Mac OS X
Signature Algorithm: sha1WithRSAEncryption
Not Before: Jul 19 15:12:24 2006 GMT
Not After : Jul 19 15:12:24 2007 GMT
Subject: CN=Cisco Systems
X509v3 Basic Constraints:
Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
X509v3 Subject Key Identifier:
B5:79:DE:6A:C7:42:47:25:42:BC:68:43:93:04:69:2E:9B:08:0E:64
X509v3 Extended Key Usage:
TLS Web Server Authentication
Deleting Certificates from the Certificate Store
The ctacert utility can be used on Linux and Mac OS X to delete certificates from the client certificate store. Use Microsoft's Certificate Management interface to perform this task on Windows operating systems.
Deleting a Certificate from the Certificate Store on Linux Operating Systems
Step 1
Open a terminal window on the network client.
Step 2
From any prompt, enter either of these commands and press <Enter>.
• ctacert -d HASHED-CERT-FILENAME
• ctacert --delete HASHED-CERT-FILENAME
HASHED-CERT-FILENAME is the hashed file name of the certificate and can be obtained from the ctacert --list output. In Example 8-1, the hashed certificate file name is 814661db.0.
For example:
ctacert -d 814661db.0
Note
The hashed file name for a certificate may change when other certificates are removed.
Step 3
When prompted, type y to confirm your desire to delete the certificate.
Deleting a Certificate from the Certificate Store on Mac OS X Operating System
Step 1
Open a terminal window on the network client.
Step 2
Change the directory to /opt/CiscoTrustAgent/bin directory.
Step 3
At the prompt enter either of these commands and press <Enter>.
• sudo ./ctacert -d HASHED-CERT-FILENAME
• sudo ./ctacert --delete HASHED-CERT-FILENAME
HASHED-CERT-FILENAME is the hashed file name of the certificate and can be obtained from the ctacert --list output. In Example 8-1, the hashed certificate file name is 814661db.0.
For example:
# sudo ./ctacert -d 814661db.0
Step 4
When prompted, type the root user's password.
Step 5
When prompted, type y to confirm your desire to delete the certificate.
Note
The hashed file name for a certificate may change when other certificates are removed.
Clearing Certificates from the Certificate Store
The ctacert utility can be used on Linux and Mac OS X to clear all the certificates from the client certificate store. Use Microsoft's Certificate Management interface to perform this task on Windows operating systems.
Clearing All Certificates from the Certificate Store on Linux Operating Systems
Step 1
Open a terminal window on the network client.
Step 2
From any prompt enter either of these commands:
• ctacert -c
• ctacert --clear
Clearing All Certificates from the Certificate Store on Mac OS X Operating Systems
Step 1
Open a terminal window on the network client.
Step 2
Change the directory to /opt/CiscoTrustAgent/bin directory.
Step 3
At the prompt enter either of these commands and press <Enter>.
• sudo ./ctacert -c
• sudo ./ctacert --clear
Step 4
When prompted, type the root user's password.
Step 5
When prompted, type y to confirm your desire to clear the certificate store.
Configuring Machine Authentication Using Certificates
CTA can be configured to perform machine authentication using certificates provided that the 802.1x Wired Client has been installed. All IEEE 802.1x authentication methods are currently only supported on Windows platforms. See "System Requirements for Installation" section on page 4-2 for the complete list of supported platforms.
To configure CTA to perform machine authentication using certificates, you must perform these procedures:
Step 1
Installing or Updating a Certificate on Windows Operating Systems
Step 2
Requesting the Machine Certificate for Machine Authentication
Step 3
Deploying End-User 802.1x Wired Clients, page 9-35 using the "Creating a Machine Authentication Only Deployment Package" section on page 9-40.
Requesting the Machine Certificate for Machine Authentication
Note
You will need to request a machine certificate for the client if one was not issued to the client when it joined the domain.
Follow this procedure to request a certificate for machine authentication:
Step 1
As the Administrator, log on to the host on which you want to request the machine certificate.
Step 2
Open a command prompt window.
Step 3
At the prompt, type mmc and press <Enter>.
Step 4
From the File menu, select Add/Remove Snap-in.
Step 5
In the Standalone tab, click Add.
Step 6
Click the Certificates icon in the Add Standalone Snap-in window and click Add.
Step 7
Select Computer Account in the Certificates Snap-in window and click Next.
Step 8
Select Local Computer.
Step 9
Click Finish.
Step 10
Click Close.
Step 11
Click OK to close the Add/Remove Snap-in window.
Step 12
Expand the "Certificates (Local Computer)" certificate icon under Console Root.
Step 13
Right-click the Personal folder, and navigate to All Tasks > Request New Certificate.
Step 14
Click Next at the Welcome window.
Step 15
Select Computer and click Next.
Step 16
Enter a name for the certificate in the Friendly Name field, a description in the Description field and click Next.
Step 17
Click Finish.
Step 18
Click OK.
Configuring User Authentication Using Certificates
CTA can be configured to perform user authentication using certificates provided that the 802.1x Wired Client has been installed along with CTA. User authentication using certificates is only available on Windows platforms. See "System Requirements for Installation" section on page 4-2 for the complete list of supported platforms.
To configure CTA to perform user authentication using certificates, you must perform these procedures:
Step 1
Installing or Updating a Certificate on Windows Operating Systems
Step 2
Importing the User Certificate for User Authentication
Step 3
Deploying End-User 802.1x Wired Clients, page 9-35, using the "Creating a Machine Authentication Only Deployment Package" procedure on page 9-40.
Importing the User Certificate for User Authentication
Step 1
Create or obtain the user certificate.
Note
As there are different vendors and methods used to create a user certificate, those procedures are not covered here. See your specific vendor's documentation for information on creating a machine certificate.
Step 2
As the Administrator, log on to the host on which you want to import the user certificate.
Step 3
Open a command prompt window.
Step 4
At the prompt, type mmc and press <Enter>.
Step 5
From the Console menu, select Add/Remove Snap-in.
Step 6
In the Standalone tab, click Add.
Step 7
Click the Certificates icon in the Add Standalone Snap-in window and click Add.
Step 8
Select My User Account in the Certificates Snap-in window and click Finish.
Step 9
Close the Add Standalone Snap-in window.
Step 10
Click OK to close the Add/Remove Snap-in window.
Step 11
In the MMC Console (Console1), expand the Certificates - current user folder in the directory tree in the left pane.
Step 12
Right-click the Personal folder and select All Tasks > Import from the shortcut menu.
Step 13
Use the Wizard to browse to your certificate and import it. Accept all the default settings offered to you.
Step 14
In the Certificates - Current User directory tree, open the Personal folder and select the Certificates sub-folder. In the certificate pane on the right, you will see the user certificate. The name of the certificate will be the fully qualified domain name of the PC.
Configuring Machine and User Authentication Using Certificates
CTA can be configured to perform both machine and user authentication using certificates provided that the 802.1x Wired Client has been installed along with CTA. Authentication using both user and machine certificates is only available on Windows platforms. See "System Requirements for Installation" section on page 4-2 for the complete list of supported platforms.
Before you create a machine and user authentication policy, you must perform these procedures:
Step 1
Installing or Updating a Certificate on Windows Operating Systems
Step 2
Requesting the Machine Certificate for Machine Authentication
Step 3
Importing the User Certificate for User Authentication
Step 4
Deploying End-User 802.1x Wired Clients, page 9-35 using the Create a Machine and User Authentication Deployment Package, page 9-38.
Distinguished Name Matching
When using CA certificates to validate your Cisco Secure ACS server certificate, you can implement additional security using distinguished name (DN) matching to validate the server certificate. This prevents other servers or processes that may be using the same root certificate from gaining a trust relationship with the network client.
DN matching occurs at the end of the TLS handshake, after the certificate chain is built. Invalid DN matching rules are ignored, but logged. Matched rules are logged. Failed rules are not logged.
DN matching rules are configured in the [ServerDNVerification] section of the ctad.ini configuration file. If the [ServerDNVerification] section does not exist, or if there are no rules configured, then the DN matching feature is disabled and the system accepts connections with any validated certificate chain. Otherwise, the server certificate must match one of the DN matching rules for the connection to continue.
If the configuration file does not exist, the default values for these settings are used. To change the value for any of these items, you need to create the configuration file and save it to the appropriate location.
Any changes made to the [ServerDNVerification] section of the ctad.ini configuration file are detected and are implemented by Cisco Trust Agent the next time DN matching occurs.
To learn more about configuring distinguished name (DN) matching in the ctad.ini file, see the "Certificate Distinguished Name Matching" section on page 5-25.
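The following is an added illustration of the acceptance policy described above (no rules means the feature is disabled and any validated chain is accepted; invalid rules are ignored but logged; matched rules are logged; failed rules are not logged). It is not Cisco Trust Agent code, and the rule syntax it uses, a DN string whose attributes must all appear with the same values in the server certificate subject, is an assumption made for the example; the real ctad.ini rule syntax is documented in the section referenced above. The subject DN "O=Cisco Systems, Inc., CN=Stress" is taken from Example 8-1; the second subject is constructed.

```python
"""Model of DN matching applied after the TLS handshake validates the chain.

Assumed rule syntax (not CTA's): "ATTR=value, ATTR=value". A server DN
matches a rule when every attribute of the rule is present in the server
DN with the same value. Rules that cannot be parsed are ignored and logged.
"""
import re

# Split only on commas that start a new "KEY=" component, so a comma inside
# a value such as "O=Cisco Systems, Inc." is kept as part of the value.
_COMPONENT_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_dn(dn: str) -> dict:
    """Parse 'O=Cisco Systems, Inc., CN=Stress' into {'O': ..., 'CN': ...}."""
    attrs = {}
    for part in _COMPONENT_SPLIT.split(dn.strip()):
        key, sep, value = part.partition("=")
        key, value = key.strip().upper(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        attrs[key] = value
    return attrs


def dn_matches_rule(server_dn: dict, rule: dict) -> bool:
    """Every attribute named in the rule must be present with the same value."""
    return all(server_dn.get(key) == value for key, value in rule.items())


def server_dn_accepted(server_subject: str, rules: list, log: list) -> bool:
    """Decide whether an already chain-validated server certificate continues.

    No configured rules: DN matching is disabled, any validated chain passes.
    Otherwise the subject must match at least one rule; invalid rules are
    skipped but logged, a matched rule is logged, a failed match is not.
    """
    if not rules:
        return True
    subject = parse_dn(server_subject)
    for raw_rule in rules:
        try:
            rule = parse_dn(raw_rule)
        except ValueError as exc:
            log.append(f"ignored invalid rule {raw_rule!r}: {exc}")
            continue
        if dn_matches_rule(subject, rule):
            log.append(f"matched rule {raw_rule!r}")
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: two server certificates chained to the same root.
    acs_subject = "O=Cisco Systems, Inc., CN=Stress"       # from Example 8-1
    other_subject = "O=Cisco Systems, Inc., CN=OtherHost"  # constructed
    rules = ["not a rule", "CN=Stress, O=Cisco Systems, Inc."]
    events = []
    print("ACS server accepted:  ", server_dn_accepted(acs_subject, rules, events))
    print("Other server accepted:", server_dn_accepted(other_subject, rules, events))
    print("\n".join(events))
```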
Converting DER Formatted Certificates to PEM Formatted Certificates
On Linux and Mac OS X platforms, CTA supports PEM wrappered Base-64 certificates but not DER encoded binary X.509 certificates. However, DER certificates can be converted to PEM certificates using the following procedure. (For the sake of this procedure, assume that the name of the DER formatted certificate is ca.der.)
Note
This procedure requires that OpenSSL is installed on the workstation.
Step 1
Log in to the Linux workstation as the root user.
Step 2
Open a terminal window.
Step 3
At the prompt, type the following:
openssl x509 -inform DER -outform PEM -in ca.der -out ca.pem