User Guide for CiscoView Device Manager for the Cisco WebVPN Services Module 1.1
Managing Certificates and Key Pairs

Table Of Contents

Managing Certificates and Key Pairs

Understanding Public Key Infrastructure

Configuring Keys and Certificates

Certificate Wizards

Managing Certificates

Viewing Certificate Trustpoints

Certificate Trustpoint Grouper

Certificate Trustpoint Details

Generating Certificate Signing Requests

Authenticating the CA

Authenticating the CA and Importing SSL Certificates

Importing SSL Certificates

Regenerating Keys and CSR

Exporting Certificates and Private Key

Using the Certificate Export Wizard

Specifying Certificate Format and Destination

Specifying Certificates and Private Key Files (Local Hard Disk)

Specifying Certificates and Private Key Files (Remote System)

Certificate Export Wizard Summary

Certificate Export Status

Editing a Trustpoint Configuration

Selecting Available Key Pairs

Certificate Hierarchy

Deleting Certificates

Challenge Password

Managing Key Pairs

Understanding Key Pairs

Viewing Key Pairs

Adding Key Pairs

Deleting Key Pairs

Key Pair Wizards

Key Pair Import Wizard

Specify Key Pair Name and Source

Public and Private Keys (Local Hard Disk)

Public and Private Keys (Copy and Paste)

Public and Private Keys (Remote System)

Key Pair Export Wizard

Key Pair Destination

Destination Files and Encryption Parameters (Local Hard Disk)

Encryption Parameters (Copy and Paste)

Destination Files and Encryption Parameters (Remote System)

Key Pair Wizard Summary

Key Pair Wizard Status


Managing Certificates and Key Pairs


This chapter discusses the following topics:

Understanding Public Key Infrastructure

Configuring Keys and Certificates

Managing Certificates

Managing Key Pairs

Understanding Public Key Infrastructure

Public-key infrastructure (PKI) is a system that manages encryption keys and identity information for the human and mechanical components of a network that participate in secured communications. The WebVPN Services Module uses the Secure Socket Layer (SSL) protocol to enable secure transactions of data through privacy, authentication, and data integrity; the protocol relies upon certificates, public keys, and private keys.

The certificates, which are issued by certification authorities and are similar to digital ID cards, verify the identity of the server to the clients and the clients to the server. The certificates include the name of the entity to which the certificate was issued, the entity's public key, and the time stamp that indicates the certificate's expiration date.

Public and private keys are the ciphers that are used to encrypt and decrypt information. The public key is shared without any restrictions, but the private key is never shared. Each public-private key pair works together; data that is encrypted with the public key can only be decrypted with the corresponding private key.

Each WebVPN module supports up to 64 gateways. Each gateway acts as an HTTPS server. You must configure a pair of keys for each gateway in order to apply for a certificate for authentication.

We recommend that the certificates be stored in NVRAM so the module does not need to query the CA at startup to obtain the certificates or to automatically enroll.

When users try to access an HTTPS site through the gateway portal page, the WebVPN Services Module acts as an SSL client and needs to authenticate the certificate that it received from that site. The start time, end time, and the signature on the certificate are validated.

A valid certificate may have been revoked if the key pair has been compromised. If revocation check is necessary, the WebVPN Services Module downloads the certificate revocation list (CRL) from the CA and looks up the serial number of the certificate received.


Note Only the certificate is authenticated, not the sender of the certificate. As part of the SSL handshake, the certificate sender is challenged for ownership of the private key that corresponds to the public key published in the certificate. If the challenge fails, the SSL handshake is aborted by the WebVPN Services Module.


Configuring Keys and Certificates

You can configure keys and certificates using one of the following methods:

If you are using Simple Certificate Enrollment Protocol (SCEP), configure the keys and certificates by doing the following:

1. Generate a key pair.

2. Declare the Trustpoint.

3. Get the CA certificate.

4. Send an enrollment request to a CA on behalf of the SSL server.

See "Using Wizards", for details.

If you are not using SCEP, configure the keys and certificates using the manual certificate enrollment (TFTP and cut-and-paste) feature by doing the following:

1. Generate or import a key pair.

2. Declare the Trustpoint.

3. Get the CA certificate and enroll the Trustpoint using TFTP or cut-and-paste to create a CSR (PKCS10) file.

4. Request the SSL server certificate offline using the PKCS10 package.

5. Import the SSL server certificate using TFTP or cut and paste.

See "Using Wizards", for details.

If you are using an external PKI system, do the following:

1. Generate PKCS12 or privacy enhanced mail (PEM) files.

2. Import this file to the module.

See "Using Wizards", for details.

An external PKI system is a server or a PKI administration system that generates key pairs and enrolls for certificates from a CA or a key and certificate archival system. The Public-Key Cryptography Standards (PKCS) specify the transfer syntax for personal identity information, including the private keys and certificates. This information is packaged into an encrypted file. To open the encrypted file, you must know a pass phrase. The encryption key is derived from the pass phrase.


Note You do not need to configure a Trustpoint before importing the PKCS12 or PEM files. If you import keys and certificates from PKCS12 or PEM files, the Trustpoint is created automatically, if it does not already exist.


Certificate Wizards

The certificate setup wizards help you to configure certificates and keys. Using the wizards, you can generate a Certificate Signing Request (CSR), enroll with a CA, import certificates and a private key to a WebVPN Services Module, and export certificates and a private key from a WebVPN Services Module.

See "Using Wizards", for details.

Managing Certificates

A Trustpoint is an association of a CA Certificate, an RSA Key pair, and the corresponding SSL client and server certificate.

The following topics are described in this section:

Viewing Certificate Trustpoints

Certificate Trustpoint Details

Editing a Trustpoint Configuration

Certificate Hierarchy

Deleting Certificates

Viewing Certificate Trustpoints

The Certificate Trustpoint page shows all certificate Trustpoints configured on the WebVPN Services module.

Figure 4-1 Certificate Trustpoints


Step 1 Click Setup from the Task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the Selector. The following information is displayed for Trustpoints.

Field
Description
Trustpoints

Trustpoint Name

The name of the Trustpoint associated with the key pair.

CA Name

CA associated with the Trustpoint.

Subject Name

Subject name in the SSL certificate associated with the Trustpoint.

Expiry Date

The expiry date of the SSL certificate or the CA certificate whichever expires earlier.

Status

Status of the associated CA certificate.

An icon indicates that the certificate is valid.

An icon indicates that the certificate is invalid.

An icon indicates that the certificate is valid only for 10 days or fewer.

An icon indicates that the certificate is valid only for 20 days or fewer.

An icon indicates that the certificate is valid only for 30 days or fewer.

Status will be displayed only for Trustpoints with Certificates.


Step 2 Select a Trustpoint name from the table to view the following Trustpoint status details.

Field
Description

Trustpoint

The Trustpoint name. Click on the link to view details on the Trustpoint.

CA Certificate

Status

Status of the CA certificate.

An icon indicates that the certificate is valid.

An icon indicates that the certificate is invalid.

An icon indicates that the certificate is valid only for 10 days or fewer.

An icon indicates that the certificate is valid only for 20 days or fewer.

An icon indicates that the certificate is valid only for 30 days or fewer.

CA Name

Subject of the CA Certificate.

SSL Certificate

Status

Status of the SSL certificate.

Subject Name

Subject of the SSL certificate.

Keypair Name

Key pair to which the Trustpoint is associated.

Certificate Chain

Status

Status of the certificate chain.

Chain Length

Number of certificates in a chain.



You can launch wizards to configure a Trustpoint. To launch the wizard, click Setup Wizard, then select one of the following options:

Configure a Certificate Trustpoint...

Import Certificates and Private Key...

Select a Trustpoint, then click Delete to delete a Trustpoint.

Certificate Trustpoint Grouper

You can group Trustpoints based on different common parameters.


Step 1 Select one of the options:

Group by Enrollment Status—to group Trustpoints based on the enrollment status. The Trustpoints are displayed under the following groups.

SSL Certificates—all Trustpoints that have an SSL certificate.

Enrollment Pending—all Trustpoints that have a CA certificate and key pair configured but do not have an SSL certificate.

CA Certificates—all Trustpoints that have a CA certificate configured but the key pair is not configured. All the CA Trustpoints will be grouped under this group.

No Enrollment Configuration—all Trustpoints that do not have any enrollment configured associated with it.

Group by Expiry—to group Trustpoints based on the expiry date. The Trustpoints are displayed under groups starting with the Trustpoints expiring this month, then next month and so on.

Group by CA—to group Trustpoints by CA.

No Grouping—to list all Trustpoints without any group.

Based on your selection, Trustpoints are grouped under the Trustpoints node in the Selector.
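The Expiry Date and Status columns above, and the Group by Enrollment Status, Group by Expiry and Group by CA options of the Trustpoint Grouper, follow simple rules that are easy to get wrong when reading the page by hand (for example, the Trustpoint expiry is the earlier of the SSL and CA certificate expiry dates, and a Trustpoint with a CA certificate and a key pair but no SSL certificate is "Enrollment Pending"). The following Python is an added illustration of those rules; it is not code from the guide or from Cisco. The trustpoint records, the fixed "today" date and the status strings are constructed for the example.

```python
from datetime import date

# Constructed trustpoint records (illustrative, not read from a module).
# Each mirrors the columns on the Certificate Trustpoints page: a CA name,
# an optional key pair, and the expiry dates of the SSL and CA certificates
# (None where that certificate does not exist).
TODAY = date(2024, 3, 15)  # fixed "today" so the results are reproducible

TRUSTPOINTS = [
    {"name": "gw1-tp", "ca": "Example-CA", "keypair": "gw1-key",
     "ssl_expiry": date(2024, 3, 20), "ca_expiry": date(2030, 1, 1)},
    {"name": "gw2-tp", "ca": "Example-CA", "keypair": "gw2-key",
     "ssl_expiry": date(2024, 4, 10), "ca_expiry": date(2024, 4, 1)},
    {"name": "pending-tp", "ca": "Example-CA", "keypair": "gw3-key",
     "ssl_expiry": None, "ca_expiry": date(2030, 1, 1)},
    {"name": "root-tp", "ca": "Example-CA", "keypair": None,
     "ssl_expiry": None, "ca_expiry": date(2030, 1, 1)},
    {"name": "empty-tp", "ca": None, "keypair": None,
     "ssl_expiry": None, "ca_expiry": None},
    {"name": "old-tp", "ca": "Old-CA", "keypair": "old-key",
     "ssl_expiry": date(2024, 1, 1), "ca_expiry": date(2030, 1, 1)},
]

WARNING_BANDS = (10, 20, 30)  # days-remaining thresholds from the Status column


def expiry_date(tp):
    """Expiry Date column: whichever of the SSL or CA certificate expires earlier."""
    dates = [d for d in (tp["ssl_expiry"], tp["ca_expiry"]) if d is not None]
    return min(dates) if dates else None


def status(tp, today=TODAY):
    """Status column: 'valid', 'invalid', or the tightest warning band that applies.
    Returns None when the Trustpoint has no certificate, since no status is shown."""
    exp = expiry_date(tp)
    if exp is None:
        return None
    remaining = (exp - today).days
    if remaining < 0:
        return "invalid"
    for band in WARNING_BANDS:
        if remaining <= band:
            return f"valid for {band} days or fewer"
    return "valid"


def enrollment_group(tp):
    """Group by Enrollment Status, following the Trustpoint Grouper rules."""
    if tp["ssl_expiry"] is not None:
        return "SSL Certificates"
    if tp["ca"] is not None and tp["keypair"] is not None:
        return "Enrollment Pending"
    if tp["ca"] is not None:
        return "CA Certificates"
    return "No Enrollment Configuration"


def group_trustpoints(trustpoints, mode, today=TODAY):
    """Return {group name: [trustpoint names]} for one of the grouper modes:
    'enrollment', 'expiry' (by year-month, earliest first), 'ca', or 'none'."""
    groups = {}
    for tp in trustpoints:
        if mode == "enrollment":
            key = enrollment_group(tp)
        elif mode == "expiry":
            exp = expiry_date(tp)
            key = exp.strftime("%Y-%m") if exp else "No certificate"
        elif mode == "ca":
            key = tp["ca"] or "No CA"
        elif mode == "none":
            key = "All Trustpoints"
        else:
            raise ValueError(f"unknown grouping mode: {mode}")
        groups.setdefault(key, []).append(tp["name"])
    if mode == "expiry":
        groups = dict(sorted(groups.items()))  # this month first, then later months
    return groups


def trustpoint_table(trustpoints, today=TODAY):
    """One row per Trustpoint with the page's Expiry Date and Status columns."""
    return [(tp["name"], expiry_date(tp), status(tp, today)) for tp in trustpoints]


if __name__ == "__main__":
    for name, exp, st in trustpoint_table(TRUSTPOINTS):
        print(f"{name:12} {str(exp):12} {st}")
    for mode in ("enrollment", "expiry", "ca"):
        print(mode, group_trustpoints(TRUSTPOINTS, mode))
```

Note that gw2-tp is reported against its CA certificate (1 April), not its SSL certificate, because the CA certificate expires first; a Trustpoint whose CA certificate is about to lapse needs attention even when the server certificate looks healthy.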


Certificate Trustpoint Details

You can view the details of a selected Trustpoint in the Certificate Trustpoint details window.

Figure 4-2 Trustpoint Details


Step 1 Click Setup from the Task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the object selector. The Trustpoint page appears.

Step 2 Select a Trustpoint object from the logical group. You can group the Trustpoints using Trustpoint Grouper. For more information, see Certificate Trustpoint Grouper.

Step 3 Click the Configuration tab. The following fields are displayed.

Field
Description

Trustpoint Name

The name of the Trustpoint.

Key Pair Name

The key pair associated with the Trustpoint.

Certificate

Subject Name

Subject name of the certificate.

IP Address

The IP address of the module.

Certificate Purpose

The purpose of the certificate.

Include WebVPNSM Serial Number in Subject Name

Select this option to include the CVDM-WebVPNSM serial number in the subject name.

Enrollment

Enrollment Method

The enrollment method for the certificate.

Example: copy-and-paste.

CA Server URL

The URL of the CA server.

Retry Count

Specifies the number of retry attempts to enroll the certificate.

Retry Period (min)

Duration between retries, in minutes.

Auto Renewal and Enrollment

Indicates whether auto-renewal and enrollment are enabled for the certificate.

Renewal Percent

Percentage of certificates renewed.

Regenerate keys on auto enrollment

Indicates whether the certificate regenerates keys on auto-enrollment.

CRL

X 500 CDP Information

X 500 CDP information for the certificate Trustpoint.

CRL Verification

How strictly the CRL must be validated.

Values are:

Default—The Trustpoint is used to validate a certificate. If the CRL is not in the database or has expired, the WebVPN module downloads a CRL and saves it to the database for later use. If the CRL download fails, the WebVPN module rejects the certificate being validated.

Optional—If the WebVPN module finds a CRL in the database and the CRL has not expired, then the WebVPN module performs a CRL lookup. If the WebVPN module does not find a CRL, it accepts the certificate. The WebVPN module makes no attempt to download a CRL.

Best-effort—If the WebVPN module finds a CRL in the database and the CRL has not expired, then the WebVPN module performs a CRL lookup. If the WebVPN module does not find a CRL, it attempts to download a CRL. However, if the CRL download fails, the WebVPN module accepts the certificate.


To view SSL certificate details, click the Certificate tab.

To view CA Certificate details, click the CA Certificate tab.

To view certificate chain details, click the Certificate Chain tab. The certificate chain is displayed in tree format. Each node displays the subject of the certificate. You can view the details of each certificate on the chain. The following fields are displayed.

Field
Description

Status

Indicates the status of the selected certificate chain.

An icon indicates that the certificate chain is complete.

An icon indicates that the certificate chain is incomplete.

Example: Certificate chain is complete - CA certificate is the Root.
Certificate Details

Certificate

Shows the details of the certificate including the details on how long the certificate is valid.

Other details include:

Version and serial number

Issuer

Subject

Subject Public Key Information

Associated Trustpoint

The name of the Trustpoint associated with the certificate.

Trustpoint name

Click on the Trustpoint name to view the Trustpoint details.
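The Certificate Chain tab reports a chain as complete when each certificate was issued by the next one up and the chain ends at a root CA (a self-signed certificate), as in the "CA certificate is the Root" example above. The following Python is an added illustration of that check and of the root-first tree view; it is not code from the guide or from Cisco. The subject and issuer names are constructed, and a real implementation would take them from the parsed X.509 certificates and also verify the signatures, which this example does not do.

```python
# Constructed certificate chains (subject/issuer names only). In the module
# these fields come from the parsed X.509 certificates; here they are
# hand-written so the logic runs offline.
COMPLETE_CHAIN = [  # ordered leaf first, root last
    {"subject": "CN=gw1.example.test,O=Example", "issuer": "CN=Example Issuing CA,O=Example"},
    {"subject": "CN=Example Issuing CA,O=Example", "issuer": "CN=Example Root CA,O=Example"},
    {"subject": "CN=Example Root CA,O=Example", "issuer": "CN=Example Root CA,O=Example"},
]
INCOMPLETE_CHAIN = COMPLETE_CHAIN[:2]                   # root certificate missing
BROKEN_CHAIN = [COMPLETE_CHAIN[0], COMPLETE_CHAIN[2]]   # intermediate missing


def chain_status(chain):
    """Evaluate a chain the way the Certificate Chain tab reports it.
    Returns a dict with 'status' ('complete' or 'incomplete'), 'length'
    (the number of certificates, i.e. the Chain Length field) and a 'reason'."""
    length = len(chain)
    if length == 0:
        return {"status": "incomplete", "length": 0, "reason": "no certificates"}
    # Every certificate must have been issued by the next one up the chain.
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["subject"]:
            return {"status": "incomplete", "length": length,
                    "reason": f'{lower["subject"]} was issued by {lower["issuer"]}, '
                              f'which is not the next certificate ({upper["subject"]})'}
    # The chain is complete only when it ends at a self-signed root CA.
    top = chain[-1]
    if top["subject"] != top["issuer"]:
        return {"status": "incomplete", "length": length,
                "reason": f'missing issuer {top["issuer"]} above {top["subject"]}'}
    return {"status": "complete", "length": length,
            "reason": "CA certificate is the Root"}


def render_tree(chain):
    """Render the chain root-first, one subject per line, indented by depth,
    as the Certificate Chain tab's tree view shows it."""
    return "\n".join("  " * depth + cert["subject"]
                     for depth, cert in enumerate(reversed(chain)))


if __name__ == "__main__":
    for name, chain in (("complete", COMPLETE_CHAIN),
                        ("incomplete", INCOMPLETE_CHAIN),
                        ("broken", BROKEN_CHAIN)):
        print(name, chain_status(chain))
        print(render_tree(chain))
```

The two incomplete cases differ in a way worth noticing when troubleshooting an import: a chain that simply stops below the root (the CA certificate was never authenticated) and a chain with a gap in the middle (the intermediate CA certificate was not imported) both show as incomplete, and the reason string tells them apart.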


Click Operations and select any one of the following Trustpoint operations:

Trustpoint Operation
Description

Generate Certificate Signing Request (CSR)

Select this option to create a certificate request. You must configure the enrollment method and key pair to perform this operation.

For manual enrollment methods (copy and paste/TFTP) a certificate request will be created. For SCEP enrollment, the certificate request will be sent to the CA server.

For SCEP enrollment, you must configure a Challenge Password. If a password is not configured, a challenge password dialog box will appear.

Authenticate CA

Select this option to authenticate a CA certificate. You must configure the enrollment method for the Trustpoint to perform this operation.

For more information on authenticating a Trustpoint, see Authenticating the CA.

Authenticate CA and Import SSL Certificate

Select this option to authenticate a CA certificate and import an SSL certificate issued by the CA for manual enrollment (copy and paste/TFTP).

Import SSL Certificate

Select this option to import an SSL certificate issued by the CA for manual enrollment (copy and paste/TFTP).

For more information on importing an SSL certificate, see Importing SSL Certificates.

Export Certificates and Private Key

Select this option to export the certificate and private key associated with the Trustpoint. You can export the certificate only if the private key is exportable.

For more information on exporting a certificate, see Exporting Certificates and Private Key.

Regenerate Keys and CSR

Select this option to create a new certificate request. You can optionally regenerate the keys when creating the certificate request.

For manual enrollment methods, a certificate request will be created. For SCEP enrollment, the certificate request will be sent to the CA server.

This option is enabled only for Trustpoints with an SSL certificate.

For more information on regenerating keys and a CSR, see Regenerating Keys and CSR.


To edit the Trustpoint configuration, click Edit. For more information on editing Trustpoints, see Editing a Trustpoint Configuration.

To delete the Trustpoint click Delete.


Generating Certificate Signing Requests


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the object selector. The Trustpoint page appears.

Step 2 Select a Trustpoint object from the logical group. You can group the certificate Trustpoints using Grouper. The Trustpoint Details dialog box appears with the configuration information.

Step 3 Click Operations, then select Generate CSR.

For the copy and paste enrollment method, the certificate request is displayed in a pop-up dialog. Copy the certificate request and submit it to the CA for enrollment.

For the TFTP method, the certificate request is copied to the TFTP server specified in the enrollment URL.

For the SCEP method, the certificate request is sent to the SCEP server specified in the enrollment URL.


Authenticating the CA

The Trustpoint Operation Authenticate CA dialog box provides the authentication details and the status.


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the object selector. The Trustpoint page appears.

Step 2 Select a Trustpoint object from the logical group. You can group the Trustpoints using Trustpoint Grouper. The Trustpoint details dialog box appears with the configuration information.

Step 3 Click Operations, then select Authenticate CA.

For the copy and paste enrollment method, a pop-up dialog is displayed. Copy and paste the CA certificate into this dialog.

For the TFTP method, the CA certificate is downloaded from the TFTP server configured in the enrollment URL.

For the SCEP method, the CA certificate is downloaded from the SCEP server configured in the enrollment URL.


Authenticating the CA and Importing SSL Certificates


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the object selector. The Trustpoint page appears.

Step 2 Select a Trustpoint object from the logical group. You can group the certificate Trustpoints using Grouper. The Trustpoint details dialog box appears with the Configuration information.

Step 3 Click Operations, then select Authenticate CA and Import SSL Certificate.

For the copy and paste enrollment method, a pop-up dialog is displayed. Copy and paste the CA certificate and the SSL certificate into this dialog.

For the TFTP method, the CA certificate and the SSL certificate are downloaded from the TFTP server configured in the enrollment URL.

For the SCEP method, the CA certificate and the SSL certificate are downloaded from the SCEP server configured in the enrollment URL.


Importing SSL Certificates


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the object selector. The Trustpoint page appears.

Step 2 Select a Trustpoint object from the logical group. You can group the Certificate Trustpoints using Grouper. The Trustpoint details dialog box appears with the configuration information.

Step 3 Click Operations, then select Import SSL Certificate.

For the copy and paste enrollment method, a pop-up dialog is displayed. Copy and paste the SSL certificate into this dialog.

For the TFTP method, the SSL certificate is downloaded from the TFTP server configured in the enrollment URL.

For the SCEP method, the SSL certificate is downloaded from the SCEP server configured in the enrollment URL.


Regenerating Keys and CSR


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the object selector. The Trustpoint page appears.

Step 2 Select a Trustpoint object from the logical group. You can group the certificate Trustpoints using Grouper. The Trustpoint details dialog box appears with the Configuration information.

Step 3 Click Operations, then select Regenerate Keys and CSR. The Regenerate Keys and CSR popup dialog box appears with the following fields.

GUI Element
Description

Regenerate check box

Select the check box to regenerate the keys.

Key Pair Name

Name of the key pair.

Usage

Describes the use of the key.

Example: General Purpose.

Key Size (bits)

Size of the key in bits.

Exportable

Indicates whether you can export the key.


Step 4 Click OK to make changes.

For the copy and paste enrollment method, the certificate request is displayed in a pop-up dialog. Copy the certificate request and submit it to the CA for enrollment.

For the TFTP method, the certificate request is copied to the TFTP server specified in the enrollment URL.

For the SCEP method, the certificate request is sent to the SCEP server specified in the enrollment URL.


Exporting Certificates and Private Key


Step 1 Click Setup in the task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the object selector. The Trustpoint page appears.

Step 2 Select a Trustpoint object from the logical group. You can group the certificate Trustpoints using Grouper. The Trustpoint Details dialog box appears with the configuration information.

Step 3 Click Operations, then select Export Certificates and Private Key. The Certificate Export Wizard welcome page appears.


Using the Certificate Export Wizard

This wizard lets you export certificates and private keys to an external Public Key Infrastructure (PKI) in PKCS#12 or PEM format. The wizard guides you through the steps based on the format and destination of the certificates and key.

Exporting certificates and private key involves the following steps:

1. Specifying certificate format and destination.

2. Specifying certificates and private key file.


Note If you are using the copy and paste method while specifying certificate format and destination, step two can be skipped.


Click Next on the Certificate Export Wizard welcome page. The Step 1 of 2: Specify Certificate Format and Destination dialog box appears.

Specifying Certificate Format and Destination

You can specify the certificate format and the destination to which you want to export the certificates using this page of the wizard.


Step 1 Select the format in which you want to export the certificate. You can export in X.509 format or PKCS#12 format.

If you select the X.509 format, the Format pane displays the following information:

GUI Element
Action/Description

Local Hard Disk radio button.

Select this option to export certificates and keys to this client workstation.

Copy and Paste radio button.

Select this option to export certificates and keys by copy and paste method.

Remote System

Select this option to export certificates and keys to a Remote system using TFTP, FTP, RCP or SCP.

Encryption

Specify the encryption option:

3DES (default value)

DES

Passphrase

Enter the passphrase.

Confirm Passphrase

Re-enter the passphrase to confirm.


You can select any one of the following destinations to export a certificate in X.509 format.

Local Hard Disk—To export the certificate and private key to this client machine.

Copy and Paste—To export the certificates and private key using copy and paste method.

Remote System—To export the certificates and private keys to a remote system using TFTP, FTP, SCP, or RCP.

If you select the PKCS#12 format, the Format pane displays the following information.

GUI Element
Action/Description

Protocol

Select a protocol to export the files from the drop-down list (TFTP, FTP, RCP, SCP).

IP address

IP address of the remote system.

Username

Enter the username if you have selected the FTP, RCP or SCP protocols.

Password

Enter the password if you have selected the SCP or FTP protocols.

PKCS#12 File

Specify the destination PKCS#12 file on a remote system.

PKCS#12 Passphrase

Enter the PKCS#12 passphrase.

Confirm Passphrase

Re-enter the PKCS#12 passphrase to confirm.


Step 2 Click Next.


Specifying Certificates and Private Key Files (Local Hard Disk)

You can specify the certificates and the private key files which you want to export to the local hard disk using this page of the wizard. The Destination files pane displays the following information.

Field
Description

CA Certificate File

Click on the Browse button, browse to the appropriate location and specify the CA certificate file.

Private Key File

Click on the Browse button, browse to the appropriate location and specify the private key file.

SSL Certificate File

Click on the Browse button, browse to the appropriate location and specify the SSL certificate.


Click Next.

Specifying Certificates and Private Key Files (Remote System)

You can specify the certificates and the private key files which you want to export using this page of the wizard. The Destination files pane displays the following information.

Field
Description

Protocol

Select a protocol to export the files from the drop-down list (TFTP, FTP, SCP, RCP).

IP address

IP address of the remote system.

Username

Enter the username if you have selected the FTP, RCP or SCP protocols.

Password

Enter the password if you have selected the SCP or FTP protocols.

CA Certificate File

Specify the destination file for CA certificate.

Private Key File

Specify the destination file for the private key file.

SSL Certificate File

Specify the destination file for SSL Certificate file.


Click Next.

Certificate Export Wizard Summary

The summary page of the wizard shows you the information that you entered.

Click Finish to send the commands to the device. The Deliver Configuration to Switch/Module(s) dialog box appears if you have configured CVDM-WebVPNSM to display the accumulated CLI commands after you have completed a wizard (for information on configuring this option, see Editing Preferences).


Note For more information on the Deliver Configuration to Switch/Module(s) dialog box, see Delivering CLI Commands to the Device.


Certificate Export Status

The Certificate Export Status dialog box provides the status of certificate export tasks and indicates whether the export was successful. If a task fails, you can use the information provided for that task in order to troubleshoot the problem.

To proceed, click OK.

Editing a Trustpoint Configuration


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Certificate Trustpoints from the object selector.

Step 2 Select a Trustpoint from the table, then click Edit. The Trustpoint Edit dialog box appears with the following fields.

GUI Element
Action/Description
General

Trustpoint Name

Name of the Trustpoint. You cannot edit the value in this field.

Key Pair Name

Name of the key pair associated with the Trustpoint.

Click and select one of the following:

Create and use a new Key Pair

Select an existing Key Pair

Regenerate Key Pair

Clear the Key Pair

Certificate

Subject Name

Subject Name of the certificate.

Unstructured Name

(Optional) Unstructured name of the certificate. By default, FQDN of the CVDM-WebVPNSM will be used.

IP Address

(Optional) IP Address of the CVDM-WebVPNSM gateway that will use this certificate.

Certificate Purpose

You can leave this field blank or select the purpose of the certificate from the list:

ssl-client

ssl-server

Enrollment

Enrollment Method

You can leave this field blank or select one of the following certificate enrollment methods:

SCEP

TFTP

Copy and Paste

CA Server URL

Enter the enrollment URL of the certification authority server.

Retry Count Field

Enter the number of retry attempts to enroll the certificate.

Retry Period Field

Enter the interval between the retries.

HTTP Proxy Field

Enter the IP address of the HTTP proxy.

Port Field

Enter the port number for the HTTP proxy.

Auto Renewal and Enrollment check box

Select the check box to enable auto-renewal and enrollment.

Renewal Percentage (%) field

Enter the percentage of renewal. Default is 100%.

Challenge Password field

Enter the Challenge Password.

Click and select one of the following options:

Configure a Challenge Password

Clear Challenge Password

Regenerate Keys on Re-Enrollment check box

Select this check box to regenerate key on re-enrollment.

CRL Configuration

X.500 CDP Information

Enter the X.500 CDP information.

You can enter the hostname and port if the CDP is in X.500 DN format. The query takes the information in the following form: ldap://hostname:[port]

For example, if a certificate being validated has the following:

The X.500 DN is configured with CN=CRL,O=Cisco,C=US

The associated Trustpoint is configured with crl query ldap://10.1.1.1

then the two parts are combined to form the complete URL as follows:

ldap://10.1.1.1/CN=CRL,O=Cisco,C=US.

Note The Trustpoint should be associated with the CA certificate issuer of the certificate being validated. If there is no such Trustpoint in the database, the complete URL cannot be formed, and CRL download cannot be performed.

CRL Validation

Select the type of CRL validation to be used for the certificate:

Default—The Trustpoint is used to validate a certificate. If the CRL is not in the database or has expired, the WebVPN module downloads a CRL and saves it to the database for later use. If the CRL download fails, the WebVPN module rejects the certificate being validated.

Optional—If the WebVPN module finds a CRL in the database and the CRL has not expired, then the WebVPN module performs a CRL lookup. If the WebVPN module does not find a CRL, it accepts the certificate. The WebVPN module makes no attempt to download a CRL.

Best-effort—If the WebVPN module finds a CRL in the database and the CRL has not expired, then the WebVPN module performs a CRL lookup. If the WebVPN module does not find a CRL, it attempts to download a CRL. However, if the CRL download fails, the WebVPN module accepts the certificate.


Step 3 Modify the values, then click OK.
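The X.500 CDP Information and CRL Validation fields of the Trustpoint Edit dialog above (the same CRL Verification modes are described under Certificate Trustpoint Details) define two pieces of behaviour: how the crl query URL and the certificate's X.500 DN are joined into the complete LDAP URL (ldap://10.1.1.1/CN=CRL,O=Cisco,C=US in the page's example), and what happens under Default, Optional and Best-effort when the CRL is missing, expired, or cannot be downloaded. The following Python is an added illustration of those rules, not code from the guide or from Cisco. The CrlDatabase class, the trustpoint and certificate records, and the CRL contents are constructed stand-ins for the module's CRL store and download path.

```python
from datetime import date

TODAY = date(2024, 3, 15)  # fixed date so the CRL freshness checks are reproducible
MODES = ("default", "optional", "best-effort")

# Constructed data (not from the module): the Trustpoint's CRL query URL, two
# certificates carrying the X.500 CDP DN from the page's example, and a CRL
# that lists serial 1001 as revoked and is valid until 2024-04-01.
TRUSTPOINT = {"name": "gw1-tp", "crl_query": "ldap://10.1.1.1"}
CERT_REVOKED = {"serial": "1001", "cdp_dn": "CN=CRL,O=Cisco,C=US"}
CERT_GOOD = {"serial": "2002", "cdp_dn": "CN=CRL,O=Cisco,C=US"}
FRESH_CRL = (date(2024, 4, 1), {"1001"})  # (next update, revoked serials)


def cdp_url(crl_query, x500_dn):
    """Join the Trustpoint's 'crl query ldap://host[:port]' with the
    certificate's X.500 CDP DN to form the complete LDAP URL."""
    if not crl_query.startswith("ldap://"):
        raise ValueError("crl query must be an ldap:// URL")
    return crl_query.rstrip("/") + "/" + x500_dn


class CrlDatabase:
    """Stand-in for the module's CRL store plus a pluggable downloader.
    'cached' maps URL -> (next_update, revoked serials); 'download' is a
    callable returning the same tuple, or None when the download fails."""

    def __init__(self, cached=None, download=None):
        self.entries = dict(cached or {})
        self._download = download or (lambda url: None)
        self.download_attempts = []

    def lookup(self, url, today):
        entry = self.entries.get(url)
        if entry is not None and entry[0] >= today:   # present and not expired
            return entry
        return None

    def download(self, url):
        self.download_attempts.append(url)
        entry = self._download(url)
        if entry is not None:
            self.entries[url] = entry                  # saved for later use
        return entry


def validate_with_crl(cert, trustpoint, db, mode, today=TODAY):
    """Apply the CRL Verification mode and return 'accept' or 'reject'."""
    if mode not in MODES:
        raise ValueError(f"unknown CRL verification mode: {mode}")
    url = cdp_url(trustpoint["crl_query"], cert["cdp_dn"])
    crl = db.lookup(url, today)
    if crl is None:
        if mode == "optional":
            return "accept"          # no fresh CRL: accept, never download
        crl = db.download(url)
        if crl is None:              # download failed
            return "accept" if mode == "best-effort" else "reject"
    return "reject" if cert["serial"] in crl[1] else "accept"


def run_case(cert, cached=None, download=None):
    """Run one scenario under every mode, with a fresh database per mode."""
    return {mode: validate_with_crl(cert, TRUSTPOINT, CrlDatabase(cached, download), mode)
            for mode in MODES}


def demo():
    url = cdp_url(TRUSTPOINT["crl_query"], CERT_GOOD["cdp_dn"])
    return {
        "url": url,
        # no CRL cached and the download fails
        "no_crl_download_fails": run_case(CERT_GOOD),
        # no CRL cached, download succeeds, certificate is on the CRL
        "download_succeeds_revoked": run_case(CERT_REVOKED, download=lambda u: FRESH_CRL),
        # fresh CRL already cached, certificate not on it
        "cached_not_revoked": run_case(CERT_GOOD, cached={url: FRESH_CRL}),
        # cached CRL has expired (and even lists the serial), download fails
        "expired_crl_download_fails": run_case(
            CERT_GOOD, cached={url: (date(2024, 1, 1), {"2002"})}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The scenarios make the operational trade-off concrete: only Default fails closed when a CRL cannot be obtained, Optional never contacts the CDP at all, and an expired CRL is treated as absent in every mode, so a stale CRL store combined with an unreachable LDAP server silently turns Best-effort into "no revocation checking".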


Selecting Available Key Pairs


Step 1 From the Edit Trustpoint Configuration dialog box, click the Key Pair Name ellipsis selector button. The following information appears.

Field
Action/Description

Key Pair Name

The name of the key pair.

Key Size

The size of the key pair.


Step 2 Select key pairs from the table, then click OK.


Certificate Hierarchy

Certificate hierarchy helps you to browse through the certificates imported on the CVDM-WebVPNSM and visualize the certificate hierarchy. You can also see the validity status and the certificate chain status in the certificate tree.

Figure 4-3 Certificate Hierarchy

The Associated Trustpoints table contains hyperlinks to the associated Trustpoints. You can view and configure the Trustpoints by clicking the hyperlink.

To view the certificate hierarchy:


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Certificate Hierarchy from the object selector. The certificate tree appears in the content pane.

Step 2 Select a certificate from the certificate hierarchy tree. The details of the selected certificate are displayed in the Certificate Details box and the associated Trustpoint names appear in the Associated Trustpoint box.


Deleting Certificates


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Trustpoints from the object selector.

Step 2 Select a Trustpoint from the table.

Step 3 Click Delete.


Challenge Password

A challenge password is required for SCEP enrollment. If you have not configured a challenge password, you will be prompted to do so.

This password is necessary in the event that you ever need to revoke your certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.

The Challenge Password dialog box contains two fields: Challenge Password and Confirm Password. Enter the password and confirm it. Click OK to continue.

Managing Key Pairs

The following topics are described in this section:

Understanding Key Pairs

Viewing Key Pairs

Adding Key Pairs

Deleting Key Pairs

Key Pair Wizards

Understanding Key Pairs

RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is widely used by certificate authorities and SSL servers to generate key pairs. Each CA and each SSL server has its own RSA key pair. The SSL server sends its public key to the CA when enrolling for a certificate. The SSL server uses the certificate to prove its identity to clients when setting up the SSL session.


Note The WebVPN Services Module supports only general-purpose keys.


When you generate general-purpose keys, only one pair of RSA keys is generated. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate. We recommend that you specify a name for the key pairs.

When you generate RSA keys, you are prompted to enter a modulus length in bits. The WebVPN Services Module supports modulus lengths of 512, 768, 1024, 1536, and 2048 bits. Although you can specify 512 or 768, we recommend a minimum modulus length of 1024. A longer modulus takes longer to generate and takes longer to use, but it offers stronger security.

Viewing Key Pairs

The Key Pairs page shows all key pairs configured on a Trustpoint.


Step 1 Click Setup in the Task bar, then click Certificates in the left-most pane.

Step 2 Select Key Pairs from the object selector.

The following information is displayed for Key Pairs.

Field
Description

Name

Name associated with the Key pair.

Key Size

Size of the keys in bits.

Choose the size of the key modulus from the list. Supported key sizes are 512, 768, 1024, 1536, and 2048 bits.

Usage

The purpose of the key. Only general purpose keys are supported by the WebVPNSM.

Generation/Import Time

The time when the key pair was generated or imported to the WebVPNSM.

Exportable

Check box indicating if the key pair can be exported.

You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.


Select a key pair to view details. The following details are displayed at the lower part of the content window.

Key Pair Details

Field
Description
General

Key Pair Name

Name associated with the Key pair

Key Size (bits)

Size of the keys in bits.

Usage

The purpose of the key. Only general purpose keys are generated by the WebVPNSM.

Generation/Import Time

The time when the key pair was generated or imported to the WebVPNSM.

Exportable

Check box indicating whether or not the key pair can be exported.

You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.

Associated Trustpoints

Trustpoint Name

The names of the Trustpoints to which the key pair is associated.

Subject Name

Subject name of the certificate using the key.

Public Key

The hexadecimal value of the public key.


Click Add to add a new key pair.

Select a key pair from the table, then click Delete to delete a key pair.

Click Import to launch the Key Pair Import Wizard.

Click Export to launch the Key Pair Export Wizard.


Adding Key Pairs


Step 1 Click Setup in the Task bar, then click Certificates in the left-most pane.

Step 2 Select Key Pairs from the object selector.

Step 3 Click Add. The Add New Key Pair dialog box appears with the following information.

Field
Description

Key Pair Name

Name associated with the Key pair.

Usage

The purpose of the key.

Key Size (bits)

Size of the keys in bits.

Choose the size of the key modulus from the list. Supported key sizes are 512, 768, 1024, 1536, and 2048 bits.

Exportable

Checkbox indicating if the key pair can be exported.

You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.


Step 4 Modify the appropriate values, and click OK.


Deleting Key Pairs

You can delete key pairs. Deleting a key pair will delete all certificates issued using the selected keys.


Step 1 Click Setup in the Task bar, click Certificates in the left-most pane, and select Key Pairs from the object selector.

Step 2 Select the Key Pair you want to delete and click Delete. The Key Pair Deletion confirmation box appears.

Step 3 Click Yes to delete the key pair.


Key Pair Wizards

You can import and export key pairs in privacy-enhanced mail (PEM) file format. The Key Pair wizards allow you to import and export key pairs.

This section contains the following topics:

Key Pair Import Wizard

Key Pair Export Wizard

Key Pair Import Wizard

The Key Pair Import Wizard allows you to import RSA key pairs in PEM format to the WebVPNSM.


Step 1 Specify key pair name and source.

Step 2 Specify public and private keys.

Step 3 Click Finish.


Specify Key Pair Name and Source

This page of the Key Pair Import Wizard allows you to enter the key pair name and the source from which the key pair is to be imported.

The following fields are displayed.

GUI Element
Action/Description

Key Pair Name

The name of the key pair.

Allow Key Pair Export check box

Select the check box if you want to allow key pair export.

You can specify that a key is exportable during key generation. Once the key is generated as either exportable or not exportable, it cannot be modified for the life of the key.

Local Hard Disk

Select this if you are importing the key pair from a local hard disk.

Copy and Paste

Select this if you are using copy and paste to import the key pairs.

Remote System

Select this if you are importing from a remote system.


Public and Private Keys (Local Hard Disk)

If you select Local Hard Disk, the following fields appear.

Field
Description

Public Key File

The public key file you need to import. Enter the absolute path or browse and select the file from the local hard disk.

Private Key File

The private key file you need to import. Enter the absolute path or browse and select the file from the local hard disk.

Passphrase

The passphrase that protects the private key. It must be the same passphrase that was used to encrypt the key when it was exported.


Public and Private Keys (Copy and Paste)

If you select Copy and Paste, the following fields appear.

Field
Description

Public Key

Copy-and-paste the public key here.

Passphrase

The passphrase that is used to protect the private key.

The passphrase can be any phrase including spaces and punctuation, except for the question mark (?). Passphrase protection associates a passphrase with the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.

Private Key

Copy-and-paste the private key.


Public and Private Keys (Remote System)

If you select Remote System, the following fields appear.

Field
Description

Protocol

The protocol to use for the transfer.

IP Address

The IP address of the Remote System.

User Name

The user name.

Password

The password for the remote system.

Public Key File Name

The absolute path of the public key file.

Private Key File Name

The absolute path of the private key file.

Passphrase

The passphrase that is used to protect the private key.

The passphrase can be any phrase including spaces and punctuation, except for the question mark (?). Passphrase protection associates a passphrase with the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.
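The modulus sizes described in Understanding Key Pairs and the PEM files and passphrase the Key Pair Import Wizard expects can be checked before you run the wizard. The following is an added example, not part of this guide or of the CiscoView software: it uses only the Python standard library, and the key pair it builds for the demonstration is a constructed dummy (a fake modulus and a placeholder body), not real key material.

```python
import base64
SUPPORTED_MODULI = {512, 768, 1024, 1536, 2048}   # key sizes the WebVPNSM accepts
RECOMMENDED_MIN_BITS = 1024                        # minimum the guide recommends
SUPPORTED_DEK = {"DES-CBC", "DES-EDE3-CBC"}        # PEM DEK-Info names for DES and 3DES

def parse_pem(text):  # one PEM block -> (RFC 1421 header dict, decoded DER bytes)
    lines = [ln.strip() for ln in text.strip().splitlines()[1:-1] if ln.strip()]  # drop BEGIN/END
    headers = [ln.split(":", 1) for ln in lines if ":" in ln]   # base64 never contains ':'
    body = "".join(ln for ln in lines if ":" not in ln)
    return {k.strip(): v.strip() for k, v in headers}, base64.b64decode(body)

def _tlv(buf, i):  # DER element at buf[i] -> (tag, content start, content end)
    n, k = buf[i + 1], buf[i + 1] & 0x7F   # short form if n < 0x80, else k length bytes follow
    if n < 0x80:
        return buf[i], i + 2, i + 2 + n
    return buf[i], i + 2 + k, i + 2 + k + int.from_bytes(buf[i + 2:i + 2 + k], "big")

def rsa_modulus_bits(der):  # bit length of n in RSAPublicKey ::= SEQUENCE { INTEGER n, INTEGER e }
    seq, i, _ = _tlv(der, 0)
    tag, j, end = _tlv(der, i)
    if seq != 0x30 or tag != 0x02:
        raise ValueError("not a PKCS#1 RSAPublicKey")
    return int.from_bytes(der[j:end], "big").bit_length()

def check_key_pair(public_pem, private_pem, passphrase):  # findings to fix before importing
    findings = []
    if "?" in passphrase:                              # the module rejects '?' in passphrases
        findings.append("passphrase contains '?'")
    bits = rsa_modulus_bits(parse_pem(public_pem)[1])
    if bits not in SUPPORTED_MODULI or bits < RECOMMENDED_MIN_BITS:
        findings.append(f"{bits}-bit modulus is unsupported or below the recommended 1024 bits")
    headers, _ = parse_pem(private_pem)
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        findings.append("private key file is not passphrase-encrypted")
    elif headers.get("DEK-Info", "").split(",")[0] not in SUPPORTED_DEK:
        findings.append("private key cipher is not DES-CBC or DES-EDE3-CBC")
    return findings

def constructed_public_pem(bits):  # CONSTRUCTED sample around a fake modulus, not a real key
    def der_len(k):   # short form below 128, else 0x81/0x82 plus the length bytes
        return bytes([k]) if k < 0x80 else bytes([0x81, k]) if k < 0x100 else b"\x82" + k.to_bytes(2, "big")
    def der_int(v):   # extra leading byte keeps the INTEGER positive when the top bit is set
        return b"\x02" + der_len(v.bit_length() // 8 + 1) + v.to_bytes(v.bit_length() // 8 + 1, "big")
    body = der_int((1 << (bits - 1)) | 1) + der_int(65537)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    return f"-----BEGIN RSA PUBLIC KEY-----\n{b64}\n-----END RSA PUBLIC KEY-----\n"

def constructed_private_pem(cipher=None):  # CONSTRUCTED envelope with a dummy base64 body
    hdr = f"Proc-Type: 4,ENCRYPTED\nDEK-Info: {cipher},0123456789ABCDEF\n\n" if cipher else ""
    return f"-----BEGIN RSA PRIVATE KEY-----\n{hdr}QUJDRA==\n-----END RSA PRIVATE KEY-----\n"
```

Run check_key_pair on the two PEM files and the passphrase you intend to type into the wizard; an empty list means nothing was found.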


Key Pair Export Wizard

The Key Pair Export Wizard allows you to export an RSA key pair in PEM format.

You can export key pairs to a local hard disk or a remote system. Alternatively you can copy-and-paste the key pair values.


Step 1 Click Setup at the top of the window, click Certificates in the left-most pane, and select Trustpoints > Key Pairs from the object selector.

Step 2 Select a Key Pair from the table.

Step 3 Click Export. The Export Key Pair dialog box appears.

Step 4 Select a Destination type.

Step 5 Specify destination file names and encryption parameters. Fields in the dialog box vary according to the destination type you select.

Step 6 Click Finish to complete exporting.


Key Pair Destination

The Key Pair Destination page of the wizard allows you to select the key pair destination.

You can select any one of the destination types:

Local Hard Disk—to export the keys to a client workstation.

Copy-and-Paste—to copy-and-paste the public and private keys.

Remote System—to export the keys to a remote system using TFTP, FTP, SCP, or RCP.

If you have selected Local Hard Disk, the next step is to specify Destination Files and Encryption Parameters (Local Hard Disk).

If you have selected Copy-and-Paste, the next step is to specify Encryption Parameters (Copy and Paste).

If you have selected Remote System, the next step is to specify Destination Files and Encryption Parameters (Remote System).

Destination Files and Encryption Parameters (Local Hard Disk)

The Destination Files and Encryption Parameters page of the wizard allows you to enter the destination file names of the public and private key on the client station, and the encryption parameters.

If you select Local Hard Disk, the following fields appear.

Field
Description

Public Key File

The public key file you need to export. Enter the absolute path or browse and select the file from the local hard disk.

Private Key File

The private key file you need to export. Enter the absolute path or browse and select the file from the local hard disk.

Encryption

The encryption to use for the key pair.

The following encryption algorithms are supported:

DES—Specifies the 56-bit DES-CBC encryption algorithm.

3DES—Specifies the 168-bit DES (3DES) encryption algorithm.

Passphrase

The passphrase that is used to protect the private key.

The passphrase can be any phrase including spaces and punctuation, except for the question mark (?). Passphrase protection associates a passphrase with the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.

Confirm Passphrase

Re-enter the passphrase to confirm it. The same passphrase is required to decrypt the key pair when it is imported.


Enter the details, then click Next.


Encryption Parameters (Copy and Paste)

You can enter the encryption type and pass phrase to protect the private key.

The following fields appear.

Field
Description

Encryption

Encryption used by the key pair.

The following encryption algorithms are supported:

DES—Specifies the 56-bit DES-CBC encryption algorithm.

3DES—Specifies the 168-bit DES (3DES) encryption algorithm.

Passphrase

The passphrase that is used to protect the private key.

The passphrase can be any phrase including spaces and punctuation, except for the question mark (?). Passphrase protection associates a passphrase with the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.

Confirm Passphrase

Re-enter the passphrase to confirm it. The same passphrase is required to decrypt the key pair when it is imported.


Destination Files and Encryption Parameters (Remote System)

The Destination Files and Encryption Parameters page of the wizard allows you to enter the destination file names of the public and private key on the remote system, and the encryption parameters.

If you select Remote System, the following fields appear.

Field
Description

Protocol

The protocol to use for the transfer (TFTP, FTP, SCP, or RCP).

IP Address

The IP address of the remote system.

User Name

The user name.

Password

Password to be used for the remote system.

Public Key File

The absolute path of the public key file.

Private Key File

The absolute path of the private key file.

Encryption

Encryption used by the key pair.

The following encryption algorithms are supported:

des—Specifies the 56-bit DES-CBC encryption algorithm.

3des—Specifies the 168-bit DES (3DES) encryption algorithm.

Passphrase

The passphrase that is used to protect the private key.

The passphrase can be any phrase including spaces and punctuation, except for the question mark (?). Passphrase protection associates a passphrase with the key. The passphrase is used to encrypt the key when it is exported. When the key is imported, you must enter the same passphrase to decrypt it.

Confirm Passphrase

Re-enter the passphrase to confirm it. The same passphrase is required to decrypt the key pair when it is imported.


Key Pair Wizard Summary

When you use a wizard to perform a configuration, the wizard's Summary screen displays the values that you have configured. You can examine those values and click the wizard's Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to save your changes and leave the wizard.

Key Pair Wizard Status

The Key Pair Wizard Status dialog box provides the status details of the Key Pair configuration tasks. The details displayed vary according to the task you selected. The dialog box displays the status next to each task.

The configuration performed on the module is displayed in the content area. If any task fails, you can review the task details and take necessary action.