
Certificate Requirements for TLS

Transport Layer Security (TLS) is used to encrypt communication between Cisco Meraki devices and a Domain Controller or identity server (running Active Directory or LDAP services). TLS is a prerequisite for the following configurations:

TLS is also a prerequisite for MS-CHAPv2 with RADIUS.

To use TLS, a certificate with the appropriate parameters must be installed on the Domain Controller. This article outlines the necessary certificate parameters for TLS.

Adding a Certificate

Though an existing certificate can be modified to meet the parameters outlined below, a self-signed certificate can easily be configured and used for TLS.

It is important to remember that self-signed certificates are not recommended for production environments. A Certificate Authority (CA) signed certificate is more secure and is considered best practice.


Please refer to our documentation for instructions to add a self-signed certificate in Windows Server.

For RADIUS servers or other identity providers, please refer to your server provider's documentation for configuration steps.

Configuring a Certificate for TLS

The following notes describe the certificate parameters as shown in Windows Server, but the same requirements apply to a certificate on any platform.

Under the General tab, check for the following attributes:

  • The server must have the corresponding private key. To verify that the private key exists, view the General tab of the certificate and verify that you see the following message: "You have a private key that corresponds to this certificate".
  • Verify that the following statement appears: "This certificate is intended for the following purpose(s): Proves your identity to a remote computer". 
  • Check that the certificate is still valid, based on the "Valid from" and "Valid to" values.


Under the Details tab:

  • The Version value must contain "v3", indicating that it is an X.509 Version 3 certificate.


  • The Enhanced Key Usage value must contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").


  • The Subject value must contain the Fully Qualified Domain Name of the RADIUS server, e.g. myserver.mydomain.com. 
  • The Public key value should be set to "RSA (2048 Bits)".


  • The "Subject Alternative Name" value must contain the syntax "DNS Name=myserver.mydomain.com", where the DNS name is the Fully Qualified Domain Name of your server. This is especially important when using an Active Directory-based PKI.


  • The Key usage must contain the "Digital Signature" and "Key Encipherment" values.
    Note: In Server 2012, this option may be available as "Data Encipherment."

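The checks above can be run in one pass from the server itself. The following PowerShell script is an added example (not part of the Meraki article) that audits every certificate in the Local Machine "Personal" store against the parameters listed in this article; it assumes the server's FQDN is myserver.mydomain.com (a placeholder) and that it runs in an elevated PowerShell session on the Windows Server.

```powershell
# Added example (not from the Meraki article): audit certificates in the
# Local Machine "Personal" store against the TLS parameters listed above.
# Assumption: the server's FQDN is myserver.mydomain.com (placeholder); run in
# an elevated PowerShell session on the Windows Server itself.
param(
    [string]$Fqdn = 'myserver.mydomain.com'   # placeholder, replace with the server's real FQDN
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU required by the article
$requiredKu    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'DigitalSignature, KeyEncipherment'

function Test-TlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name extension
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)  # $null if the key is not RSA
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $now = Get-Date

    # One entry per requirement from the article; $true means the check passed.
    [ordered]@{
        'Private key present (General tab)'                   = $Cert.HasPrivateKey
        'Currently valid (Valid from / Valid to)'             = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        'X.509 v3'                                            = ($Cert.Version -eq 3)
        'EKU includes Server Authentication'                  = ($ekuOids -contains $serverAuthOid)
        'Subject CN is the FQDN'                              = ($Cert.GetNameInfo('SimpleName', $false) -eq $Fqdn)
        'Public key is RSA (2048 Bits)'                       = ($null -ne $rsa -and $rsa.KeySize -eq 2048)
        'SAN contains DNS Name=<FQDN>'                        = ($null -ne $san -and ($san.Format($false) -match ('DNS Name=' + [regex]::Escape($Fqdn))))
        'Key Usage has Digital Signature + Key Encipherment'  = ($null -ne $ku -and (($ku.KeyUsages -band $requiredKu) -eq $requiredKu))
        'Chains to a trusted CA (best practice, not required)' = $Cert.Verify()
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Write-Host "== $($_.Subject)  thumbprint $($_.Thumbprint)"
    foreach ($check in (Test-TlsCertificate -Cert $_).GetEnumerator()) {
        $state = if ($check.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ("  [{0}] {1}" -f $state, $check.Key)
    }
}
```

The SAN check relies on the Windows formatting of the extension ("DNS Name=..."), which is the same text the Details tab displays; the final line reports whether the certificate chains to a trusted CA, which the article recommends but does not require.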

Additional Resources

For more information on digital certificates, please see Microsoft's KB regarding Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.

For a general understanding of EAP-TLS or PEAP, please refer to documentation about the Extensible Authentication Protocol.

Article ID: 1706