
Cisco Meraki Documentation

How to Validate Certificates for TLS

Overview

Transport Layer Security (TLS) encrypts communication between Cisco Meraki devices and a Domain Controller or identity server running Active Directory or LDAP services. TLS is a prerequisite for the following configurations: 

  • Active Directory-based group policy mappings 

  • Client VPN authentication with Active Directory (applies to L2TP and AnyConnect) 

  • Splash Page authentication with Active Directory 

  • Local authentication – MR 802.1x 

  • MS-CHAPv2 with RADIUS 

To use TLS, add a certificate with the appropriate parameters on the Domain Controller. This article outlines the necessary certificate parameters for TLS. 

Prerequisites 

Ensure you have the following before you validate a certificate for TLS: 

  • A Domain Controller or identity server 

  • A certificate that meets the parameters outlined in this guide

Step-by-step instructions

Adding a certificate 

To configure TLS, either modify an existing certificate to meet the parameters outlined in this article or configure a self-signed certificate. 

While you can use self-signed certificates for testing, do not use them in production environments. A Certificate Authority (CA) signed certificate is the industry best practice.

For RADIUS servers or other identity providers, refer to your server provider's documentation for configuration steps. 
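The self-signed option above, as an added example that is not part of the Meraki article: a PowerShell script that creates a lab-only self-signed certificate already carrying every parameter this article later tells you to verify (V3, Server Authentication purpose, FQDN in the Subject and Subject Alternative Name, RSA 2048-bit key, Digital Signature and Key Encipherment). It assumes Windows Server 2016 or later (the PKI module's New-SelfSignedCertificate cmdlet with the parameters used here), an elevated PowerShell session on the domain controller, and dc1.meraki.local standing in for your server's FQDN; the friendly name is an arbitrary label chosen for this example.

```powershell
# Added example, not part of the Meraki article: create a lab-only self-signed certificate
# that already carries every parameter the article checks. Assumptions: Windows Server 2016
# or later (PKI module's New-SelfSignedCertificate), run elevated on the domain controller;
# dc1.meraki.local is the article's example FQDN, so substitute the FQDN your Meraki devices
# will use to reach the server.

$Fqdn = 'dc1.meraki.local'

$params = @{
    Subject           = "CN=$Fqdn"                               # Details tab: Subject carries the FQDN
    DnsName           = $Fqdn                                    # Subject Alternative Name: DNS Name=<FQDN>
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048                                     # Public key: RSA (2048 Bits)
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'    # Key Usage as listed in the Details tab
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')  # Enhanced Key Usage: Server Authentication only
    NotBefore         = (Get-Date).AddDays(-1)                   # tolerate small clock skew on the client side
    NotAfter          = (Get-Date).AddYears(1)
    CertStoreLocation = 'Cert:\LocalMachine\My'                  # machine store: the private key stays with the cert
    FriendlyName      = 'Meraki LDAPS lab certificate'           # arbitrary label for this example
}
$cert = New-SelfSignedCertificate @params

# Print the fields the article tells you to inspect on the General and Details tabs
$cert | Format-List Thumbprint, Subject, HasPrivateKey, Version, NotBefore, NotAfter
$cert.Extensions | ForEach-Object { '{0}: {1}' -f $_.Oid.FriendlyName, $_.Format($false) }
```

The splatted hashtable maps one-to-one onto the checklist later in this article, so if a parameter is dropped the corresponding check fails. Because the issuer is the server itself, no client, the Meraki device included, can chain this certificate to a trusted CA; it is only for confirming that the parameters and the LDAPS or RADIUS listener behave as expected before a CA-signed certificate is requested.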

Validate a Certificate for TLS

The following pointers describe certificate attributes as the Windows Server certificate viewer presents them, but the same fields exist in any X.509 certificate and can be checked with other tools. 

General Tab Attributes

Under the General tab, verify the following attributes: 

  1. The server has the corresponding private key. Open the General tab of the certificate and confirm that the message "You have a private key that corresponds to this certificate" appears. Without the private key the server cannot complete a TLS handshake with this certificate. 

  2. The statement "This certificate is intended for the following purpose(s): Proves your identity to a remote computer" appears. 

  3. The certificate is currently valid: today's date falls between the "Valid from" and "Valid to" dates.

Screenshot: General tab of the certificate, showing "This certificate is intended for the following purpose(s): Proves your identity to a remote computer", "You have a private key that corresponds to this certificate", and the Valid from and Valid to dates.

Details Tab Attributes 

Under the Details tab, confirm the following values: 

  1. The Version value is "V3", indicating an X.509 Version 3 certificate. Version 3 is required because the Enhanced Key Usage, Subject Alternative Name and Key Usage extensions checked below only exist in v3 certificates. 

Screenshot: Details tab with the Version field selected, showing the value "V3".

  2. The Enhanced Key Usage value contains the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1"). 

Screenshot: Details tab Enhanced Key Usage field, showing Server Authentication (1.3.6.1.5.5.7.3.1). 

  3. The Subject value contains the Fully Qualified Domain Name (FQDN) of the RADIUS server or Active Directory server, for example CN=myserver.mydomain.com. 

  4. The Public key value is "RSA (2048 Bits)". 

Screenshot: Details tab Subject field showing the example value "CN=dc1.meraki.local", and Public key field showing "RSA (2048 Bits)".

  5. The Subject Alternative Name value contains an entry of the form "DNS Name=myserver.mydomain.com", where the DNS name is the FQDN of your server.  

The Subject Alternative Name is especially important when using an Active Directory-based Public Key Infrastructure (PKI). Most TLS implementations match the hostname they connected to against the DNS names in the Subject Alternative Name and ignore the Subject CN when that extension is present (RFC 6125), so the FQDN must appear there exactly as the Meraki device resolves it. 

Screenshot: Details tab Subject Alternative Name field showing the example value "DNS Name=dc1.meraki.local".

  6. The Key usage value contains "Digital Signature" and "Key Encipherment". Digital Signature covers (EC)DHE cipher suites, where the server signs the handshake, and Key Encipherment covers RSA key exchange, so both are needed regardless of which suite the client negotiates. 

Note: In Server 2012, this option may appear as "Data Encipherment".

Screenshot: Details tab Key Usage field showing "Digital Signature, Key Encipherment".
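The General and Details tab checks above, automated as an added example that is not part of the Meraki article: a PowerShell function that inspects a certificate in the Local Machine personal store and reports which of the listed parameters it fails. It assumes Windows PowerShell 5.1 or PowerShell 7 on the Windows Server that holds the certificate, and that the expected FQDN (dc1.meraki.local here, the article's example) is the name the Meraki device uses to reach the server; the function name and output shape are this example's own.

```powershell
# Added example, not part of the Meraki article: check a certificate in the Local Machine
# personal store against every parameter listed in the General and Details tab checklists.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on the server holding the certificate;
# $ExpectedFqdn is the name the Meraki device uses to reach the server. dc1.meraki.local is
# the article's example FQDN, not a real host.

function Test-MerakiTlsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$ExpectedFqdn
    )

    $findings = @()
    $now = Get-Date

    # General tab: private key present and certificate inside its validity window
    if (-not $Certificate.HasPrivateKey) {
        $findings += 'No private key corresponds to this certificate'
    }
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $findings += "Not valid today (Valid from $($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # Details tab: Version must be V3; the extensions below only exist in v3 certificates
    if ($Certificate.Version -ne 3) {
        $findings += "Version is V$($Certificate.Version), expected V3"
    }

    # Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1)
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = if ($eku) { $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' } }
    if (-not $serverAuth) {
        $findings += 'Enhanced Key Usage does not include Server Authentication (1.3.6.1.5.5.7.3.1)'
    }

    # Subject must carry the server FQDN as its CN
    $cn = if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    if ($cn -ne $ExpectedFqdn) {
        $findings += "Subject CN is '$cn', expected '$ExpectedFqdn'"
    }

    # Public key must be RSA; the article's example is 2048 bits, so anything shorter fails.
    # GetRSAPublicKey returns $null for non-RSA keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) {
        $findings += "Public key is $($Certificate.PublicKey.Oid.FriendlyName), expected RSA"
    } elseif ($rsa.KeySize -lt 2048) {
        $findings += "RSA key is $($rsa.KeySize) bits, expected 2048"
    }

    # Subject Alternative Name must list DNS Name=<FQDN>; Format($true) renders it as the MMC does
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        $findings += 'No Subject Alternative Name extension'
    } else {
        $dnsNames = [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value }
        if ($dnsNames -notcontains $ExpectedFqdn) {
            $findings += "Subject Alternative Name ($($dnsNames -join ', ')) does not include DNS Name=$ExpectedFqdn"
        }
    }

    # Key Usage must include both Digital Signature and Key Encipherment
    $ku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $required) -ne $required)) {
        $have = if ($ku) { $ku.KeyUsages } else { 'absent' }
        $findings += "Key Usage is '$have', expected Digital Signature and Key Encipherment"
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage: test every machine-store certificate that names the expected server and list any failures
$fqdn = 'dc1.meraki.local'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" } |
    ForEach-Object { Test-MerakiTlsCertificate -Certificate $_ -ExpectedFqdn $fqdn } |
    Format-List Thumbprint, Passed, Findings
```

The function reads the typed extension objects (X509EnhancedKeyUsageExtension, X509KeyUsageExtension) that the certificate store exposes rather than parsing the Details tab text, so it gives the same answer whether the display language or the Server 2012 "Data Encipherment" wording differs. A certificate that passes here still needs a chain the Meraki device trusts, which is the reason this article recommends a CA-signed certificate for production.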

Additional Resources

For more information on digital certificates, please see Microsoft's KB regarding Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.

For a general understanding of EAP-TLS or PEAP, please refer to documentation about the Extensible Authentication Protocol.
