Editing The Certificate Trust List - Cisco 2509 - Router - EN User Manual

Chapter 8
Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
User Guide for Cisco Secure ACS for Windows Server, 78-14696-01, Version 3.1, page 8-77

Editing the Certificate Trust List

Note
To use this new CA certificate to authenticate users, you must edit the certificate trust list to signify that this CA is trusted. For more information, see Editing the Certificate Trust List, page 8-77.

Cisco Secure ACS uses the CTL to verify client certificates. For a CA to be trusted by Cisco Secure ACS, its certificate must be installed, and the Cisco Secure ACS administrator must explicitly configure the CA as trusted by editing the CTL.

The single exception to the requirement that a CA must be explicitly signified as trustworthy occurs when the clients and Cisco Secure ACS are getting their certificates from the same CA. You do not need to add this CA to the CTL because Cisco Secure ACS automatically trusts the CA that issued its certificate.

How you edit your CTL determines the type of trust model you have. Many use a restricted trust model wherein very few, privately controlled CAs are trusted. This model provides the highest level of security but restricts adaptability and scalability. The alternative, an open trust model, allows for more CAs or public CAs. This open trust model trades some security for greater adaptability and scalability.

Tip
We recommend that you fully understand the implications of your trust model before editing the CTL in Cisco Secure ACS.

Use this procedure to configure CAs on your CTL as trusted or not trusted. Before a CA can be configured as trusted on the CTL, you must have added the CA to the local machine certificate storage; for more information, see Adding a Certificate Authority Certificate, page 8-76. If a user's certificate is from a CA that you have not specifically configured Cisco Secure ACS to trust, authentication fails.
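The trust rule described above, modelled with OpenSSL as an added example. It is not part of the Cisco manual and is not how Cisco Secure ACS stores its CTL. All CA names, user names and file names (including trust-list.pem) are constructed: a CA certificate file existing stands in for "installed", and membership in trust-list.pem stands in for "trusted".

```shell
#!/bin/sh
# Constructed model of the CTL rule using OpenSSL; all names are made up.
#   own     = CA that issued the server's own certificate (trusted implicitly)
#   corp    = installed CA the administrator marked as trusted
#   partner = installed CA that was never marked as trusted
ctl_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    for ca in own corp partner; do
      # Self-signed CA certificate, then a client certificate issued by it.
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca-ca" \
        -keyout "$ca-ca.key" -out "$ca-ca.pem" 2>/dev/null
      openssl req -newkey rsa:2048 -nodes -subj "/CN=$ca-user" \
        -keyout "$ca-user.key" -out "$ca-user.csr" 2>/dev/null
      openssl x509 -req -in "$ca-user.csr" -CA "$ca-ca.pem" \
        -CAkey "$ca-ca.key" -CAcreateserial -days 1 \
        -out "$ca-user.pem" 2>/dev/null
    done
    # All three CA certificates are installed (the files exist), but only
    # the server's own issuer and the explicitly trusted CA are on the list.
    cat own-ca.pem corp-ca.pem > trust-list.pem
    for u in own corp partner; do
      if openssl verify -CAfile trust-list.pem "$u-user.pem" >/dev/null 2>&1
      then echo "$u-user: accepted"
      else echo "$u-user: rejected"
      fi
    done
  )
  rm -rf "$d"
}

ctl_demo
```

The partner CA's certificate is present on disk throughout, yet its user is rejected because the CA was never placed on the trust list; adding partner-ca.pem to trust-list.pem is the step that widens the trust model.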
