Cisco VPN Client

Cisco VPN Client 4.0.x with a Certificate Stored on the Gemplus Smart Card System

Document ID: 24144

Updated: Jan 14, 2008



Starting with version 3.5, the VPN Client supports authentication with digital certificates through a smart card or an electronic token. Several vendors provide smart cards and tokens. The VPN Client works only with smart cards and tokens that support CRYPT_NOHASHOID. For a complete description of this feature, please refer to Configuring the VPN Client.

The example in this document shows you how to use the Gemplus Smart Card System with the Cisco VPN Client.



Before attempting this configuration, ensure that you have these components installed on your PC:

  • GemSAFE Libraries

  • Smart card

  • Smart card reader

  • Cisco VPN Client

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco VPN Client version 4.0.3

  • Gemplus GenPC433 (smart card reader)

  • GemSAFE 16K Smart Card

  • GemSAFE Libraries 3.2.2

  • Microsoft Win2K Certificate Server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Installing the Client Certificate

Follow these steps to install the client certificate.

  1. Open up a browser window and browse to the certificate server. Select Request a Certificate, and then click Next.


  2. Select Advanced request, and then click Next.


  3. Select Submit a certificate request to this CA using a form, and then click Next.


  4. Type your information into the form.

    • Under Identifying Information, the Department field should contain the group name configured on the VPN server.

    • Under Key Options, select the correct CSP.

    When you are finished, click Submit.

    This example uses "Gemplus GemSAFE Card CSP."



  5. When you receive the warning message about a potential scripting violation, click Yes to continue installation.


  6. When prompted, type your PIN and click OK to access the GemSAFE smart card.


  7. When you receive the warning message about a potential scripting violation, click Yes to continue installation.


  8. Click Install this Certificate to install a root certificate on the PC.

    Note: Your screen may flicker when the certificate is saved on the smart card.


  9. Click Yes to add the root certificate to the Root Store.


  10. When the installation is complete, you should receive a confirmation screen.


Configuring the VPN Client

Follow these steps to configure the VPN Client.

  1. Launch the Cisco VPN Client.

  2. Go to Connection Entries > New to make a new entry.


  3. Type the connection details.

    • Type a name for the connection entry, a description, and a host address.

    • On the Authentication tab, select Certificate Authentication and choose the certificate obtained from enrollment.

    When you are finished, click Save to add the connection to your connection entries.



  4. On the Connection Entries tab, select the entry you created, and then go to Connection Entries > Connect to entry_name .


  5. When prompted, type your PIN and click OK to access the GemSAFE smart card.


  6. When prompted, type your username and password to authenticate to the VPN Client.


Gemplus GemSAFE Card Tool

The GemSAFE Library version 3.2.2 comes with a tool you can use called the GemSAFE Card Detail Tool. For more information about Gemplus, please visit the Gemplus website

  1. When you run the GemSAFE Card Detail Tool for the first time with a smart card installed on the reader, you must go to Card > Select Card to view a card.


  2. When prompted, type your PIN and click Verify to view card details.


  3. Go to Card > Information to view any certificate installed on the smart card.





    Note: You should be able to use the smart card on any other computer that has a corresponding reader and driver installed. To use the certificates on the smart card on another computer, use the GemSAFE Card Details Tool and select Card > Register Certificates.

    Note: You must have the corresponding certificate authority (CA) root certificate installed on the PC to successfully use the certificate on the smart card.


There is currently no verification procedure available for this configuration.


There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Jan 14, 2008
Document ID: 24144