
Certificate Requirements for TLS

Transport Layer Security (TLS) is used to encrypt communication between Cisco Meraki devices and a Domain Controller or identity server (running Active Directory or LDAP services). TLS is a prerequisite for the following configurations:

TLS is also a prerequisite for MS-CHAPv2 with RADIUS.

To use TLS, a certificate with the appropriate parameters must be installed on the Domain Controller. This article outlines the necessary certificate parameters for TLS.

Adding a Certificate

An existing certificate can be modified to meet the parameters outlined below, or a self-signed certificate can be created and used for TLS.

It is important to remember that self-signed certificates are not recommended for production environments. A Certificate Authority (CA) signed certificate is more secure and is considered best practice.

Please refer to our documentation for instructions to add a self-signed certificate in Windows Server.

For RADIUS servers or other identity providers, please refer to your server provider's documentation for configuration steps.

Configuring a Certificate for TLS

The following notes describe certificate parameters used in Windows Server, but can be generalized for any certificate's parameters.

Under the General tab, check for the following attributes:

  • The server must have the corresponding private key. To verify that the private key exists, view the General tab of the certificate and confirm that it shows the message "You have a private key that corresponds to this certificate".
  • Verify that the following statement appears: "This certificate is intended for the following purpose(s): Proves your identity to a remote computer".
  • Check that the certificate is currently valid, based on the "Valid from" dates shown.

Under the Details tab:

  • The Version value must contain "v3", indicating that it is an X.509 Version 3 certificate.

  • The Enhanced Key Usage value must contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").

  • The Subject value must contain the Fully Qualified Domain Name of the RADIUS server, e.g. myserver.mydomain.com.
  • The Public key value should be set to "RSA (2048 Bits)".

  • The "Subject Alternative Name" value must contain the syntax "DNS Name=myserver.mydomain.com", where the DNS name is the Fully Qualified Domain Name of your server. This is especially important when using an Active Directory-based PKI.

  • The Key usage must contain the "Digital Signature" and "Key Encipherment" values.
    Note: In Server 2012, this option may be available as "Data Encipherment."

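The checks under the General and Details tabs above can be automated, and the self-signed route described under "Adding a Certificate" can be exercised the same way. The following Go program is an added example and is not part of this article or of any Cisco Meraki tooling: it builds a self-signed certificate with Go's standard crypto/x509 package, then checks the parsed certificate against each listed parameter (X.509 v3, Server Authentication EKU 1.3.6.1.5.5.7.3.1, Subject FQDN, RSA 2048, SAN DNS name, Digital Signature plus Key Encipherment, validity period). The host name myserver.mydomain.com is the article's own example FQDN; the names checkTLSCert and makeSelfSigned are this example's, and hasPrivateKey is an input because a parsed certificate carries no private key (on Windows it corresponds to the "You have a private key" line on the General tab).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// serverFQDN is a constructed placeholder, matching the article's example name.
const serverFQDN = "myserver.mydomain.com"

// checkTLSCert tests a parsed certificate against the parameters the article lists
// and returns one message per failed check (an empty slice means compliant).
// hasPrivateKey comes from the caller: a parsed certificate has no key attached.
func checkTLSCert(cert *x509.Certificate, hasPrivateKey bool, fqdn string, now time.Time) []string {
	var problems []string
	if !hasPrivateKey {
		problems = append(problems, "no private key corresponds to this certificate")
	}
	if cert.Version != 3 { // Details tab: Version must be X.509 v3
		problems = append(problems, fmt.Sprintf("version is v%d, must be v3", cert.Version))
	}
	serverAuth := false // Enhanced Key Usage must include Server Authentication
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth // OID 1.3.6.1.5.5.7.3.1
	}
	if !serverAuth {
		problems = append(problems, "Enhanced Key Usage lacks Server Authentication (1.3.6.1.5.5.7.3.1)")
	}
	if !strings.EqualFold(cert.Subject.CommonName, fqdn) { // Subject must carry the server FQDN
		problems = append(problems, fmt.Sprintf("Subject CN %q is not the FQDN %q", cert.Subject.CommonName, fqdn))
	}
	if rsaKey, ok := cert.PublicKey.(*rsa.PublicKey); !ok { // Public key must be RSA (2048 Bits)
		problems = append(problems, "public key is not RSA")
	} else if rsaKey.N.BitLen() != 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, expected 2048", rsaKey.N.BitLen()))
	}
	san := false // Subject Alternative Name must carry DNS Name=<FQDN>
	for _, name := range cert.DNSNames {
		san = san || strings.EqualFold(name, fqdn)
	}
	if !san {
		problems = append(problems, "Subject Alternative Name lacks DNS Name="+fqdn)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 { // Key Usage needs both bits
		problems = append(problems, "Key Usage lacks Digital Signature")
	}
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		problems = append(problems, "Key Usage lacks Key Encipherment")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) { // General tab: still valid
		problems = append(problems, fmt.Sprintf("not valid at %s (valid from %s to %s)", now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339)))
	}
	return problems
}

// makeSelfSigned creates a self-signed certificate and its private key for fqdn.
// compliant=true sets every attribute the article requires; compliant=false omits
// the SAN, the EKU and the Key Encipherment bit so the checker has defects to report.
func makeSelfSigned(fqdn string, bits int, compliant bool) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: fqdn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if compliant {
		tmpl.KeyUsage |= x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{fqdn}
	}
	// Signing the template with its own key yields a self-signed X.509 v3 certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	for _, compliant := range []bool{true, false} {
		cert, _, err := makeSelfSigned(serverFQDN, 2048, compliant)
		if err != nil {
			panic(err)
		}
		fmt.Printf("compliant=%v: %v\n", compliant, checkTLSCert(cert, true, serverFQDN, time.Now()))
	}
}
```

On a real server the DER bytes passed to x509.ParseCertificate would come from the certificate store or an exported .cer file rather than from makeSelfSigned, and the checks are the same; note that the checker only verifies the parameters the article lists, so it does not replace chain validation by the client, which is why a CA-signed certificate remains the recommended choice.
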
Additional Resources

For more information on digital certificates, please see Microsoft's KB regarding Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.

For a general understanding of EAP-TLS or PEAP, please refer to documentation about the Extensible Authentication Protocol.

Last modified
17:00, 22 Dec 2016

Article ID

ID: 1706
