Cisco Systems 3.3 Server User Manual


 
10-39
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
Cisco Secure ACS Certificate Setup
How you edit your CTL determines the type of trust model you have. Many use a
restricted trust model wherein very few, privately controlled CAs are trusted. This
model provides the highest level of security but restricts adaptability and
scalability. The alternative, an open trust model, allows for more CAs or public
CAs. This open trust model trades increased security for greater adaptability and
scalability.
We recommend that you fully understand the implications of your trust model
before editing the CTL in Cisco Secure ACS.
Use this procedure to configure CAs on your CTL as trusted or not trusted. Before
a CA can be configured as trusted on the CTL, you must have added the CA to the
local certificate storage; for more information, see Adding a Certificate Authority
Certificate, page 10-37. If a user’s certificate is from a CA that you have not
specifically configured Cisco Secure ACS to trust, authentication fails.
To edit the CTL, follow these steps:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Cisco Secure ACS Certificate Setup.
Step 3 Click Edit Certificate Trust List.
The Edit the Certificate Trust List (CTL) table appears.
Warning
Adding a public CA, which you do not control, to your CTL, may reduce your
system security.
Step 4 To configure a CA on your CTL as trusted, select the corresponding check box.
Tip You can select, or deselect, as many CAs as you want. Deselecting a CA’s
check box configures the CA as not trusted.
Step 5 Click Submit.
Cisco Secure ACS configures the specified CA (or CAs) as trusted or not trusted
in accordance with selecting or deselecting check boxes.