Update Internal Communications Server Certificate Window
The NAC appliance Internal Communications server uses a private key and server certificate to provide secure communication between the appliance and the NetSight server, other NAC appliances, and NAC assessment servers. It also provides secure communication for the NAC administrative web pages and with the assessment agent. The Internal Communications Server Certificate window lets you replace the server private key and server certificate. You can access this window from the Manage Appliance Certificates window.
During installation, NetSight generates a unique private server key and server certificate for the Internal Communications server. While these provide secure communication, there may be cases where you want to update the Internal Communications server certificate to a custom certificate provided from an external certificate authority, or add certificates in order to meet the requirements of external components with which NAC must communicate. Additionally, you may want to use a "browser-friendly" certificate so that users don't see browser certificate warnings when they access administrative web pages. For complete instructions on replacing and verifying the certificate, see How to Update NAC Appliance Server Certificates.
After you have updated the certificate, you must enforce the appliance to deploy the new private key and server certificate. When enforced, the server's secure port 8444 will be offline for 15 seconds to reload the certificate. Additionally, if the Agent-Based Assessment Server Certificate is configured to use the Internal Certificate (in the Manage Appliance Certificates window), port 8443 will be offline for 15 seconds.
NOTE: Whenever the Internal Communications server certificate is changed, other NetSight components may be affected by the change and stop trusting the server. You can specify how other servers will handle updated certificates by configuring the server trust mode settings. Before updating the Internal Communications server certificate, be sure that the server trust modes are configured to trust the new certificate. For more information, see the Suite-Wide Tools Server Information Help topic Update Server Certificate Trust Mode Window.
- Select the type of certificate replacement
  You can select from two types of certificate replacement:
  - Generate a new unique private key and certificate. This option allows you to automatically generate a new private key and certificate using the same method that is used when NAC is installed.
  - Provision a new private key and certificate from files. This option lets you update the server certificate to a custom certificate provided from an external certificate authority. For complete instructions on replacing and verifying the certificate using this option, see How to Update NAC Appliance Server Certificates.
- Private Key
  Provide a file containing the RSA or DSA private key that corresponds to the certificate. It must be encoded as a PKCS #8 file. Enter the path name of the file or use the Browse button to navigate to the file. If the file is encrypted with a password, check the password box and supply the password in the field. If you do not have the private key, refer to the instructions for generating one.
- Certificate Files
  Use the Add Files button to add one or more certificate files as provided by the certificate authority. This includes the server certificate, as well as any intermediate or chained certificates. You can multi-select files in the file chooser window, and the files can be added in any order.
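A pre-flight check for the Private Key field, as an added example that is not part of the original help page or of the product: it classifies a key file as unencrypted PKCS #8, encrypted PKCS #8, a non-PKCS #8 key, or a key that is neither RSA nor DSA before the file is provisioned. The function name `classify_key`, the verdict strings, and the acceptance of both PEM and DER input are assumptions of this example.

```python
import base64
import re

# DER-encoded algorithm OIDs that a PKCS #8 PrivateKeyInfo can carry.
OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",  # 1.2.840.113549.1.1.1
    bytes.fromhex("2a8648ce380401"): "DSA",      # 1.2.840.10040.4.1
    bytes.fromhex("2a8648ce3d0201"): "EC",       # 1.2.840.10045.2.1
}
PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_key(data):
    """Return (verdict, detail) for the raw bytes of a private key file."""
    m = PEM.search(data)
    label = m.group(1).decode() if m else "PRIVATE KEY"  # no PEM armor: try DER
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted", "check the password box and supply the password"
    if label != "PRIVATE KEY":
        return "not-pkcs8", f"PEM label {label!r} is not a PKCS #8 private key"
    try:
        der = base64.b64decode(b"".join(m.group(2).split())) if m else data
        tag, start, _ = _tlv(der, 0)        # outer SEQUENCE
        vtag, _, vend = _tlv(der, start)    # version INTEGER
        atag, astart, _ = _tlv(der, vend)   # AlgorithmIdentifier in PKCS #8
        if tag != 0x30 or vtag != 0x02:
            return "not-pkcs8", "not an unencrypted PKCS #8 PrivateKeyInfo"
        if atag != 0x30:
            return "not-pkcs8", "traditional key layout, convert to PKCS #8"
        otag, ostart, oend = _tlv(der, astart)  # algorithm OID
    except (IndexError, ValueError):
        return "not-pkcs8", "truncated or undecodable data"
    alg = OIDS.get(der[ostart:oend], "unknown") if otag == 0x06 else "unknown"
    if alg not in ("RSA", "DSA"):
        return "unsupported-algorithm", f"{alg} key, RSA or DSA is required"
    return "pkcs8", alg

if __name__ == "__main__":
    # Constructed header-only PrivateKeyInfo (RSA OID, dummy 2-byte payload, no real key).
    sample = bytes.fromhex("3016020100300d06092a864886f70d010101050004020000")
    print(classify_key(sample))
```

A key reported as `not-pkcs8` can be rewritten in PKCS #8 form with `openssl pkcs8 -topk8 -in <key file> -out <new file>`.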