8-77
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 8 Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
Tip
To use this new CA certificate to authenticate users, you must edit the certificate trust list to signify that this CA is trusted. For more information, see Editing the Certificate Trust List, page 8-77.
Editing the Certificate Trust List
Cisco Secure ACS uses the certificate trust list (CTL) to verify client certificates. For a CA to be trusted by Cisco Secure ACS, two things are required: its certificate must be installed in the local machine certificate storage, and the Cisco Secure ACS administrator must explicitly configure the CA as trusted by editing the CTL. Installing a CA certificate alone does not make it trusted.
Note
The single exception to the requirement that a CA must be explicitly signified as
trustworthy occurs when the clients and Cisco Secure ACS are getting their
certificates from the same CA. You do not need to add this CA to the CTL because
Cisco Secure ACS automatically trusts the CA that issued its certificate.
How you edit your CTL determines your trust model. Many administrators use a restricted trust model, in which very few, privately controlled CAs are trusted. This model provides the highest level of security but limits adaptability and scalability. The alternative, an open trust model, trusts more CAs, including public CAs; it trades reduced security for greater adaptability and scalability. Keep in mind that any CA on the CTL can issue a certificate that Cisco Secure ACS accepts for user authentication, so every entry on the CTL extends who can mint valid credentials for your network.
We recommend that you fully understand the implications of your trust model before editing the CTL in Cisco Secure ACS.
Use this procedure to configure CAs on your CTL as trusted or not trusted. Before a CA can be configured as trusted on the CTL, you must have added the CA to the local machine certificate storage; for more information, see Adding a Certificate Authority Certificate, page 8-76. If a user’s certificate is from a CA that you have not specifically configured Cisco Secure ACS to trust, authentication fails.