VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.7
Certificate Management

Table Of Contents

Certificate Management

The Role of Time

Maximum Number of Certificates

Configuring Digital Certificates: SCEP and Manual Methods

Tasks Summary

Managing Certificates with SCEP

Obtaining and Installing CA Certificates Automatically Using SCEP

Changing SCEP Parameters

Enrolling and Installing Identity Certificates Automatically Using SCEP

Enrolling and Installing Certificates Manually

Obtaining and Installing CA Certificates Manually

Creating an Enrollment Request for an Identity Certificate Manually

Requesting an Identity Certificate from a CA Manually

Installing the Identity Certificate on the VPN Concentrator Manually

Obtaining SSL Certificates

Enabling CRL Checking and Caching

Enabling Digital Certificates on the VPN Concentrator

Enabling Digital Certificates for Remote Access Connections

Enabling Digital Certificates for IPSec LAN-to-LAN Connections

Deleting Digital Certificates

Administration | Certificate Management

Screen Elements

Certificate Authorities Table

Identity Certificates Table

SSL Certificates Table

SSH Host Key Table

Enrollment Status Table

Enroll

Screen Elements

Enroll | Certificate Type

Screen Elements

Enroll | Certificate Type | PKCS10

Screen Elements

Enrollment or Renewal | Request Generated

Screen Elements

Enroll | Identity Certificate | SCEP

Screen Elements

Enroll | SSL Certificate | SCEP

Screen Elements

Install

Screen Elements

Install | Certificate Obtained via Enrollment

Screen Elements

Install | Certificate Type

Screen Elements

Install | CA Certificate | SCEP  

Screen Elements

Install | Certificate Type | Cut and Paste Text

Screen Elements

Install | Certificate Type | Upload File from Workstation   

Screen Elements

Configure SCEP

Screen Elements

View CRL Cache

Screen Elements

View

Certificate Fields

Configure CA Certificate

Configuring CRL Checking

Enabling CRL Caching

Configure CA Certificate | Certificate Acceptance Tab   

Screen Elements

Configure CA Certificate | CRL Retrieval Tab

Screen Elements

Configure CA Certificate | CRL Protocol Tab   

Screen Elements

Configure CA Certificate | CRL Caching Tab

Screen Elements

Delete

Screen Elements

Renewal

Screen Elements

Activate or Re-Submit | Status   

Screen Elements

Generate SSL Certificate

Screen Elements

Export SSL Certificate

Screen Elements

Generate SSH Host Key

Screen Elements

View Enrollment Request

Enrollment Request Fields

Cancel Enrollment Request

Screen Elements

Delete Enrollment Request

Screen Elements


Certificate Management


Digital certificates are a form of digital identification used for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address. Certificate Authorities (CAs) issue digital certificates in the context of a Public Key Infrastructure (PKI), which uses public-key/private-key encryption to ensure security. CAs are trusted authorities that "sign" certificates to verify their authenticity, thus guaranteeing the identity of the device or user.

A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called a root certificate; one issued by another CA certificate is called a subordinate certificate. CAs also issue identity certificates, which are the certificates for specific systems or hosts.

For authentication using digital certificates, there must be at least one identity certificate (and its root certificate) on a given VPN Concentrator; there may be more. The maximum number of CA and identity certificates allowed depends on the VPN Concentrator model. Model 3005 allows a maximum of 6 root or subordinate CA certificates (including supporting RA certificates) and 2 identity certificates. The other VPN Concentrator models allow a maximum of 20 root or subordinate CA certificates (including supporting RA certificates) and 20 identity certificates.

The VPN Concentrator supports X.509 digital certificates (International Telecommunications Union Recommendation X.509), including SSL (Secure Sockets Layer) certificates that are self-signed or issued in a PKI context.

The VPN Concentrator stores digital certificates and private keys in Flash memory. You do not need to click Save Needed to store them, and they are not visible under Administration | File Management. All stored private keys are encrypted.

After you install an identity certificate on the VPN Concentrator, it is available in the Digital Certificate list for configuring IPSec LAN-to-LAN connections and IPSec SAs. See Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN and Configuration | Policy Management | Traffic Management | Security Associations.

You can also configure the VPN Concentrator to store certificate revocation list (CRL) information in volatile memory (RAM). CRL caching can potentially speed up the process of verifying the revocation status of certificates. With CRL caching enabled, when the VPN Concentrator needs to check the revocation status of a certificate, it first checks whether the required CRL exists in the cache and has not expired. Then the VPN Concentrator checks the serial number of the certificate against the list of revoked serial numbers in the CRL. If a match exists, the authentication fails. For detailed information about CRL caching, see the section "Enabling CRL Checking and Caching".

The VPN Concentrator can have one SSL certificate installed per interface: private, public, and external. The interface SSL certificates, if non-existent, are automatically generated when the VPN 3000 Concentrator reboots after you upgrade the VPN 3000 Concentrator software. If you generate a self-signed SSL certificate, it replaces any installed PKI-context SSL certificate; and vice-versa.

For information on using SSL certificates, see the information on obtaining SSL certificates in this chapter. See also Chapter 1, "Using the VPN Concentrator Manager" of the VPN 3000 Series Concentrator Reference Volume I: Configuration, and also Chapter 15, "Tunneling and Security."

The Role of Time

Digital certificates are time-sensitive in the following ways:

Digital certificates indicate the time frame during which they are valid. Therefore, it is essential that the time on the VPN 3000 Concentrator is correct and synchronized with network time.

You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.

Maximum Number of Certificates

For authentication with digital certificates, a VPN Concentrator must have at least one CA certificate and one identity certificate, but it can have more. The model 3005 can have six root or subordinate CA certificates and two identity certificates. The other VPN Concentrator models can have 20 root or subordinate CA certificates and 20 identity certificates.

Configuring Digital Certificates: SCEP and Manual Methods

To use digital certificates for authentication, you first enroll with a Certificate Authority (CA), and obtain and install a CA certificate on the VPN Concentrator. Then you enroll and install an identity certificate from the same CA.

You can enroll and install digital certificates on the VPN Concentrator in either of two ways:

Using Cisco's Simple Certificate Enrollment Protocol (SCEP).

SCEP is a secure messaging protocol that requires minimal user intervention. SCEP is the quicker method, and it lets you enroll and install certificates using only the VPN Concentrator Manager. To use SCEP, you must enroll with a CA that supports SCEP, and you must enroll via the Internet.

Manually, exchanging information with the CA directly.

The manual method involves more steps. You can do some of the steps using the Manager. Other steps require that you exchange information with the CA directly. You deliver your enrollment request and receive the certificate from the CA via the Internet, email, or storage media such as a CD or a floppy disk.


Note If you install a CA certificate using the manual method, you must also use the manual method to request identity or SSL certificates from that CA. Conversely, to request identity and SSL certificates using SCEP, you must first use SCEP to obtain the CA certificate.


Tasks Summary

Whether you use SCEP or the manual method, you perform the following tasks to obtain and install certificates:

1. Obtain and install one or more CA certificate(s).

2. Create an enrollment request for one or more identity certificates.

3. Request an identity certificate from the same CA that issued the CA certificate(s).

4. Install the identity certificate on the VPN Concentrator.

5. Enable CRL checking and caching.

6. Enable certificates.

About the Documentation

The PDF version of this guide provides step-by-step examples of configuring digital certificates using SCEP and manually, and with both LAN-to-LAN and remote access connections, beginning with the next section, "Managing Certificates with SCEP."

The online Help and the PDF version both provide detailed information on the parameters for each of the Manager screens that you use to configure digital certificates.

Managing Certificates with SCEP

The following sections provide step-by-step instructions for using SCEP to enroll and install digital certificates.

Obtaining and Installing CA Certificates Automatically Using SCEP

To use SCEP to enroll for identity or SSL certificates, you must also use SCEP to obtain the associated CA certificate. The Manager does not let you enroll for a certificate from a CA unless that CA certificate was installed using SCEP. A CA certificate that was obtained via SCEP, and is therefore capable of issuing other certificates via SCEP, is called SCEP-enabled.


Tip To obtain CA certificates using SCEP, you need to know the URL of your CA. Find out your CA's SCEP URL before beginning the following steps.



Step 1 Using the VPN Concentrator Manager, display the Administration | Certificate Management screen. (See Figure 11-1.)

Figure 11-1 Administration | Certificate Management Screen

Step 2 Click Click here to install a CA certificate.


Note The Click here to install a CA certificate option is available from this window only when no CA certificates are installed on the VPN Concentrator. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA Certificate.


The Manager displays the Administration | Certificate Management | Install | CA Certificate screen. (See Figure 11-2.)

Figure 11-2 Administration | Certificate Management | Install | CA Certificate

Step 3 Click SCEP (Simple Certificate Enrollment Protocol). The Manager displays the Administration | Certificate Management | Install | CA Certificate | SCEP screen. (See Figure 11-3.)

Figure 11-3 The Administration | Certificate Management | Install | CA Certificate | SCEP Screen

Step 4 Fill in the fields and click Retrieve.

URL: Enter the URL of the CA's SCEP interface.

CA Descriptor: Some CAs use descriptors to further identify the certificate. If your CA gave you a descriptor, enter it here. Otherwise enter a descriptor of your own. You must enter something in this field.

Retrieve / Cancel:

To retrieve a CA certificate from the CA and install it on the VPN Concentrator, click Retrieve.

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 11-1.)

The Manager installs the CA certificate on the VPN Concentrator and displays the Administration | Certificate Management screen. Your new CA certificate appears in the Certificate Authorities table.


Changing SCEP Parameters

To change SCEP parameters for a certificate, follow these steps:


Step 1 In the Administration | Certificate Management screen, click the SCEP link associated with the certificate (under Actions in the Certificate Authorities table). The Administration | Certificate Management | Configure CA Certificate | SCEP screen displays.

Step 2 Edit one or more parameters.

Enrollment URL: Enter the URL where the VPN Concentrator should send SCEP enrollment requests made to this CA. The default value of this field is the URL used to download this CA certificate.

Polling Interval: If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request enters polling mode. In polling mode, the VPN Concentrator re-sends the certificate request to the CA for a specified period until the CA responds or the process times out.

Enter the number of minutes the VPN Concentrator should wait between re-sends. The minimum number of minutes is 1; the maximum number of minutes is 60. The default value is 1.

Polling Limit: Enter the number of times the VPN Concentrator should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum number is 100. If you do not want any polling limit (in other words, if you want infinite re-sends), enter none.

Step 3 Click Apply.
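The following Python example, added here and not part of the Cisco documentation or software, models the polling behavior that the Polling Interval and Polling Limit fields control: the first submission is sent once, each PENDING answer from the CA costs one Polling Interval of waiting before the next re-send, and the request times out once the Polling Limit is exhausted (a limit of none means unlimited re-sends). The CA is a constructed stand-in that answers PENDING a fixed number of times and then issues or rejects the certificate; the names ScepPollConfig, StandInCA and poll_enrollment are assumptions, and waiting is simulated rather than slept.

```python
"""SCEP enrollment polling as the Polling Interval / Polling Limit fields describe it.

Added example, not Cisco code. The CA is a constructed stand-in so the effect of
the two parameters can be observed without a real CA or real waiting.
"""
from dataclasses import dataclass
from typing import Optional

PENDING, SUCCESS, FAILURE = "PENDING", "SUCCESS", "FAILURE"


@dataclass
class ScepPollConfig:
    """Assumed container for the two SCEP polling parameters."""
    interval_minutes: int        # Polling Interval: 1..60 minutes
    limit: Optional[int]         # Polling Limit: 0..100 re-sends, or None for "none"

    def __post_init__(self):
        if not 1 <= self.interval_minutes <= 60:
            raise ValueError("Polling Interval must be between 1 and 60 minutes")
        if self.limit is not None and not 0 <= self.limit <= 100:
            raise ValueError("Polling Limit must be between 0 and 100, or None")


class StandInCA:
    """Constructed CA: answers PENDING for `pending_rounds` submissions, then `final`."""

    def __init__(self, pending_rounds, final=SUCCESS):
        self.pending_rounds = pending_rounds
        self.final = final
        self.requests_seen = 0

    def submit(self, request_id):
        self.requests_seen += 1
        if self.requests_seen <= self.pending_rounds:
            return PENDING
        return self.final


def poll_enrollment(ca, cfg, request_id="pkcs0001"):
    """Submit once, then re-send while the CA answers PENDING.

    Returns (outcome, resends, simulated_minutes_waited). The outcome is the CA's
    final answer, or "TIMEOUT" when the Polling Limit is reached first.
    """
    status = ca.submit(request_id)
    resends = 0
    waited = 0
    while status == PENDING:
        if cfg.limit is not None and resends >= cfg.limit:
            return ("TIMEOUT", resends, waited)
        waited += cfg.interval_minutes     # simulated wait; no real sleep here
        resends += 1
        status = ca.submit(request_id)
    return (status, resends, waited)


def max_wait_minutes(cfg):
    """Longest time a request stays in polling mode, or None when unlimited."""
    if cfg.limit is None:
        return None
    return cfg.interval_minutes * cfg.limit


if __name__ == "__main__":
    cfg = ScepPollConfig(interval_minutes=5, limit=10)
    print(poll_enrollment(StandInCA(pending_rounds=3), cfg))   # ('SUCCESS', 3, 15)
    print(poll_enrollment(StandInCA(pending_rounds=3), ScepPollConfig(5, 2)))  # ('TIMEOUT', 2, 10)
```

A request that times out remains in the Enrollment Status table and can be re-submitted from the Manager; the product of the two parameters (at most 60 minutes times 100 re-sends) bounds how long a pending request keeps retrying before that happens.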



Note If you have trouble enrolling or installing digital certificates via SCEP, enable both the CLIENT and CERT event classes to assist in troubleshooting.


Enrolling and Installing Identity Certificates Automatically Using SCEP

Follow these steps for each identity certificate you want to obtain:


Step 1 Display the Administration | Certificate Management screen. (See Figure 11-1.)

Step 2 Click Click here to enroll with a Certificate Authority. The Manager displays the Administration | Certificate Management | Enroll screen. (See Figure 11-4.)

Figure 11-4 Administration | Certificate Management | Enroll Screen

Step 3 Click Identity Certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen. (See Figure 11-5.)

Figure 11-5 Administration | Certificate Management | Enroll | Identity Certificate Screen

Notice that a link appears corresponding to each SCEP-enabled CA certificate on the VPN Concentrator. The title of the link depends on the name of the CA certificate: Enroll via SCEP at Certificate Name. For example, if you have a CA certificate on your VPN Concentrator named "TestCA6-8," the following link appears: Enroll via SCEP at TestCA6-8.

If you do not see any Enroll via SCEP options, there are no SCEP-enabled CA certificates on the VPN Concentrator. Follow the steps in the "Obtaining and Installing CA Certificates Automatically Using SCEP" section to obtain a CA certificate via SCEP before you proceed.

Step 4 Click Enroll via SCEP at Certificate Name. The Administration | Certificate Management | Enroll | Identity Certificate | SCEP screen displays. (See Figure 11-6.)

Figure 11-6 Administration | Certificate Management | Enroll | Identity Certificate | SCEP Screen

Step 5 Fill in the fields and click Enroll. (For information on the fields on this screen, see Enroll | Certificate Type | PKCS10.) The VPN Concentrator sends the certificate request to the CA.

If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request could enter polling mode. In polling mode, the VPN Concentrator re-sends the certificate request to the CA a specified number of times at regular intervals until the CA responds or the process times out. (For information on configuring the polling limit and interval, see the Administration | Certificate Management | Configure CA Certificate | SCEP screen.) The certificate request appears in the Enrollment Status table on the Administration | Certificate Management screen until the CA responds. Once the CA responds and issues the certificate, the VPN Concentrator installs it automatically.

If the CA responds immediately, the Manager installs the identity certificate on the VPN Concentrator and displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 11-7.)

Figure 11-7 Administration | Certificate Management | Enrollment | Request Generated Screen

Click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen. Your new identity certificate appears in the Identity Certificates table.

Enrolling and Installing Certificates Manually

The following sections provide step-by-step instructions for enrolling and installing digital certificates manually.

Obtaining and Installing CA Certificates Manually

Certificate authorities are trusted entities that "sign" certificates to verify their authenticity. A CA certificate is one used to sign other certificates. You obtain CA certificates according to the procedures of individual CAs.


Step 1 You can obtain a CA certificate via email, storage media such as a CD or a floppy disk, or over the Internet. Retrieve a CA certificate according to the policies and procedures of your CA, and download it to your management work station.

Step 2 To install the CA certificate, begin at the VPN Concentrator Manager Administration | Certificate Management screen. When you begin, there are no entries in the Certificate Authorities, Identity Certificates, SSL Certificates, or Enrollment Status fields.

Figure 11-8 Administration | Certificate Management Screen

Step 3 Click Click here to install a CA certificate. The Administration | Certificate Management | Install screen displays.


Note The Click here to install a CA certificate option is available from this screen only when no CA certificates are installed on the VPN Concentrator. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA certificate.


Figure 11-9 Administration | Certificate Management | Install Screen

Step 4 Click Install CA Certificate. The Administration | Certificate Management | Install | CA Certificate screen displays.

Figure 11-10 Administration | Certificate Management | Install | CA Certificate Screen

Step 5 Click Upload File from Workstation or Cut and Paste Text, depending on how you have retrieved the CA certificate. The Manager displays a screen appropriate to your choice.

Step 6 Include certificate information according to your chosen method.

Step 7 Click Install. The Manager installs the CA certificate on the VPN Concentrator. You return to the Administration | Certificate Management screen, which now displays the newly installed CA certificate.

Figure 11-11 Administration | Certificate Management Screen with CA Certificates Installed


Creating an Enrollment Request for an Identity Certificate Manually

An enrollment request for an identity certificate consists of a base 64 encoded PKCS#10 file that the VPN Concentrator generates based on information you provide in the steps that follow.


Note You must get the identity certificate for a LAN-to-LAN connection from the same CA that issued its CA certificate.



Step 1 In the Administration | Certificate Management screen (Figure 11-1), click Click here to enroll with a Certificate Authority. The Administration | Certificate Management | Enroll screen displays.

Figure 11-12 Administration | Certificate Management | Enroll Screen

Step 2 Click Identity certificate. The Administration | Certificate Management | Enroll | Identity Certificate screen displays.

Figure 11-13 Administration | Certificate Management | Enroll | Identity Certificate Screen

Step 3 Click Enroll via PKCS10 Request (Manual). The Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 Screen displays.

Figure 11-14 Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 Screen

Step 4 Enter values in each of the fields on this screen. Enroll | Certificate Type | PKCS10 defines these fields.

Step 5 When you have finished, click Enroll.

The Administration | Certificate Management | Enroll | Request Generated screen displays (Figure 11-15).

Figure 11-15 Administration | Certificate Management | Enroll | Request Generated Screen

The Manager displays this screen when the system has successfully generated a certificate request.


Note You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.


As the screen text indicates, within a few seconds, a browser window opens with the certificate request.

Figure 11-16 Example of a Certificate Request

You have generated a base 64 encoded PKCS#10 file (Public Key Certificate Syntax-10), which most CAs recognize or require. The system automatically saves this file in Flash memory with the filename shown in the browser (pkcsNNNN.txt).

In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN Concentrator in encrypted form.

Step 6 Save the enrollment request in one of the following ways:

Save the request to a file (to transmit the file to the CA via email or storage media such as a CD or a floppy disk).

Select and copy the request to the clipboard, and then paste the request into an email to the CA.

Copy and paste the request into the CA's management interface via the Internet.

Some CAs let you paste the request in a web interface, some ask you to send a file; use the method your CA requires.

Step 7 Close this browser window when you have finished.


Requesting an Identity Certificate from a CA Manually

Next you submit the identity request to a CA. This must be the same CA that issued the CA certificate for this LAN-to-LAN connection. Submit the request and retrieve an identity certificate according to the procedures of your CA.

Installing the Identity Certificate on the VPN Concentrator Manually

The following steps provide instructions on installing an Identity certificate on the VPN Concentrator.


Step 1 From the Administration | Certificate Management screen, click Click here to install a certificate to navigate to the Administration | Certificate Management | Install screen.

Figure 11-17 Administration | Certificate Management | Install Screen

Step 2 Click Install certificate obtained via enrollment. The Administration | Certificate Management | Install certificate obtained via enrollment screen displays.

Figure 11-18 Administration | Certificate Management | Install certificate obtained via enrollment Screen

Step 3 In the Actions column of the Enrollment Status table, click Install. The Administration | Certificate Management | Install Identity Certificate screen displays.

Figure 11-19 Administration | Certificate Management | Install Identity Certificate Screen

Step 4 Choose either installation method: Cut & Paste Text or Upload File from Workstation.

Step 5 The Manager displays a screen appropriate to your choice. Include the certificate information according to your chosen method. Click Install. The Manager installs the identity certificate on the VPN Concentrator and displays the Administration | Certificate Management screen. Your new identity Certificate appears in the Identity Certificates table.

Step 6 Confirm that the Issuer fields for Certificate Authorities and Identity Certificates match for this LAN-to-LAN connection. You must get the Identity certificate and the CA certificate from the same CA.


Obtaining SSL Certificates

If you use a secure connection between your browser and the VPN Concentrator, the VPN Concentrator requires an SSL certificate. You also need an SSL certificate on the interface that you use to manage the VPN Concentrator and for WebVPN, and for each interface that terminates WebVPN tunnels.

The interface SSL certificates, if non-existent, are automatically generated when the VPN 3000 reboots after you upgrade the VPN 3000 Concentrator software. Because a self-signed certificate is self-generated, this certificate is not verifiable. No CA has guaranteed its identity. But this certificate lets you make initial contact with the VPN Concentrator using the browser. If you want to replace it with another self-signed SSL certificate, follow these steps:


Step 1 Display the Administration | Certificate Management screen. (See Figure 11-1.)

Step 2 Click Generate above the SSL Certificate table. The new certificate displays in the SSL Certificate table, replacing the existing one.


If you want to obtain a verifiable SSL certificate (that is, one issued by a CA), follow the same procedure you use to obtain identity certificates. (See the "Enrolling and Installing Identity Certificates Automatically Using SCEP" section or the "Creating an Enrollment Request for an Identity Certificate Manually" section.) But this time, on the Administration | Certificate Management | Enroll screen, click SSL certificate (instead of Identity certificate).

Some web servers export their SSL certificates with the private key attached. If you have a PEM-encoded certificate with a corresponding private key that you want to install, follow the same procedure you used to obtain identity certificates. (See the "Enrolling and Installing Identity Certificates Automatically Using SCEP" section.) But this time, on the Administration | Certificate Management | Installation screen, click Install SSL certificate with private key (instead of Install certificate obtained via enrollment).

Enabling CRL Checking and Caching

When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a particular certificate before this time period expires. Certificates can be revoked for many reasons, such as security concerns or a change of name or association. CAs periodically issue a signed list of certificates that have been revoked and are no longer valid. This list is called a certificate revocation list (CRL). To ensure that received peer certificates are valid, configure the VPN Concentrator to check them against the CRL. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the latest CRL to ensure that the certificate being verified has not been revoked.

The VPN Concentrator supports LDAP and HTTP CRLs.

Since the system has to obtain and examine the CRL from a network distribution point, enabling CRL checking might slow system response times. Also, if the network is slow or congested, CRL checking might fail.

To avoid having to retrieve the same CRL from a CA again and again, the VPN Concentrator can store retrieved CRLs locally. Storing CRLs locally is called CRL caching. All VPN 3000 Concentrator platforms have a caching limit of 64 CRLs. The size of the CRL cache varies across platforms:

VPN Concentrator          CRL Cache Size
VPN 3005                  128 KB
VPN 3015, 3020, 3030      256 KB
VPN 3060, 3080            1 MB


Follow these steps to enable CRL checking and caching on the VPN Concentrator:


Step 1 On the Administration | Certificate Management screen, in the Certificate Authorities table, click Configure next to the CA certificate for which you want to enable CRL checking. The Manager displays the Administration | Certificate Management | Configure CA Certificate screen. For information on these tabs and fields, see the "Configure CA Certificate" section or online Help.

Step 2 Click the CRL Retrieval tab.

Figure 11-20 Administration | Certificate Management | Configure CA Certificate Screen, CRL Retrieval Tab

Step 3 CRL checking is disabled by default. Choose the method to use to retrieve the CRL.

Step 4 Click the CRL Protocol tab.

Figure 11-21 Administration | Certificate Management | Configure CA Certificate, CRL Protocol Tab

Step 5 Choose the distribution point protocol to use to retrieve the CRL: HTTP and/or LDAP. (If both protocols are enabled and a single certificate contains both protocols, the VPN Concentrator uses the first protocol listed in the certificate.)

a. If you enabled the HTTP distribution point protocol, assign these two HTTP rules to the filter for the interface that connects to the server: Outgoing HTTP In (forward/in); Outgoing HTTP Out (forward/out).

b. If you enabled the LDAP distribution point protocol:

Assign these two LDAP rules to the filter for the interface that connects to the server: CRL over LDAP (out); CRL over LDAP (in).

[Embedded distribution points only] Enter the hostname or IP address of the server in the Server field.

[Embedded distribution points only] Enter the server's port number in the Port field.

If your server requires these fields, enter the Login DN and Password. Verify the password.

c. Enter the static URL(s) to use to retrieve the CRL from the server.

Step 6 To enable CRL caching, click the CRL Caching tab.

Figure 11-22 Administration | Certificate Management | Configure CA Certificate, CRL Caching Tab

Step 7 Check the Enabled check box.

Step 8 In the Refresh Time field, specify a time period for updating the CRL.

Step 9 Check Enforce Next Update if you want to require valid CRLs to have a Next Update value that has not yet lapsed in time.

Step 10 Click Apply. The Manager displays the Administration | Certificate Management screen.
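The following Python example, added here and not part of the Cisco documentation or software, puts together the checks this chapter describes for a received peer certificate: the validity period from "The Role of Time" (which is why the concentrator clock must be correct), the issuer match from the manual installation steps, and the CRL lookup from "Enabling CRL Checking and Caching" with the cache behavior of the CRL Caching tab (a 64-entry limit, a Refresh Time after which a cached CRL is fetched again, and Enforce Next Update, which rejects a CRL whose Next Update has lapsed). Certificates and CRLs are constructed dictionaries standing in for parsed X.509 objects, the distribution point is a stand-in function, and the names CrlCache, CrlError and check_peer_certificate are assumptions; signature verification of the CRL and certificate is outside the scope of the example.

```python
"""Peer certificate acceptance with CRL checking and caching, as an added example.

Not Cisco code. Certificate and CRL records are constructed stand-ins for parsed
X.509 data; cryptographic signature checks are deliberately out of scope here.
"""
from datetime import datetime, timedelta, timezone


def utc(y, m, d, hh=0):
    return datetime(y, m, d, hh, tzinfo=timezone.utc)


# Constructed data: one installed CA, three peer certificates, one CRL.
CA_NAME = "CN=TestCA6-8,O=Example"
CERT_OK = {"serial": 0x1001, "issuer": CA_NAME,
           "not_before": utc(2025, 1, 1), "not_after": utc(2026, 1, 1)}
CERT_REVOKED = dict(CERT_OK, serial=0x1002)
CERT_OTHER_CA = dict(CERT_OK, serial=0x1003, issuer="CN=OtherCA,O=Example")

CRL_V1 = {"issuer": CA_NAME, "this_update": utc(2025, 6, 1),
          "next_update": utc(2025, 6, 8), "revoked": {0x1002, 0x0FFF}}


def fetch_from_distribution_point(issuer):
    """Stand-in for HTTP/LDAP CRL retrieval; fails like an unreachable server
    for any issuer other than the constructed CA."""
    if issuer == CA_NAME:
        return CRL_V1
    raise ConnectionError("no distribution point reachable for " + issuer)


class CrlError(Exception):
    """Raised when no usable CRL can be obtained; authentication must fail."""


class CrlCache:
    """In-memory CRL cache: Refresh Time, Enforce Next Update, bounded entry count."""

    def __init__(self, fetch, refresh_time, enforce_next_update=True, max_entries=64):
        self.fetch = fetch
        self.refresh_time = refresh_time
        self.enforce_next_update = enforce_next_update
        self.max_entries = max_entries
        self.entries = {}        # issuer -> (crl, time it was cached)
        self.fetches = 0         # network round trips actually made

    def _stale(self, crl, now):
        return self.enforce_next_update and now >= crl["next_update"]

    def get(self, issuer, now):
        cached = self.entries.get(issuer)
        if cached is not None:
            crl, cached_at = cached
            if now - cached_at < self.refresh_time and not self._stale(crl, now):
                return crl                          # cache hit, no retrieval
        try:
            crl = self.fetch(issuer)
        except ConnectionError as e:
            raise CrlError("CRL retrieval failed: %s" % e)
        self.fetches += 1
        if crl["issuer"] != issuer:
            raise CrlError("CRL issuer does not match the certificate issuer")
        if self._stale(crl, now):
            raise CrlError("CRL Next Update has lapsed")
        if issuer not in self.entries and len(self.entries) >= self.max_entries:
            oldest = min(self.entries, key=lambda k: self.entries[k][1])
            del self.entries[oldest]                # evict the oldest cached CRL
        self.entries[issuer] = (crl, now)
        return crl


def check_peer_certificate(cert, trusted_ca, cache, now):
    """Return 'ok' or a 'fail: ...' reason: issuer, validity period, then CRL."""
    if cert["issuer"] != trusted_ca:
        return "fail: issuer is not the installed CA"
    if not (cert["not_before"] <= now < cert["not_after"]):
        return "fail: outside validity period (verify the concentrator clock)"
    try:
        crl = cache.get(cert["issuer"], now)
    except CrlError as e:
        return "fail: %s" % e
    if cert["serial"] in crl["revoked"]:
        return "fail: certificate serial number is on the CRL"
    return "ok"


if __name__ == "__main__":
    cache = CrlCache(fetch_from_distribution_point, refresh_time=timedelta(days=7))
    print(check_peer_certificate(CERT_OK, CA_NAME, cache, utc(2025, 6, 2)))       # ok
    print(check_peer_certificate(CERT_REVOKED, CA_NAME, cache, utc(2025, 6, 2)))  # revoked
    print(check_peer_certificate(CERT_OK, CA_NAME, cache, utc(2025, 6, 9)))       # Next Update lapsed
```

Two design points follow the chapter's own guidance: with Enforce Next Update on, a CRL whose Next Update has passed is refused even if it is still within the Refresh Time, so a distribution point that stops publishing causes authentication to fail rather than silently continuing on an old list; and a failed retrieval is treated as a failed authentication, which is the slow-network case the chapter warns about.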


Enabling Digital Certificates on the VPN Concentrator


Note Before you enable digital certificates on the VPN Concentrator, you must obtain at least one root and one identity certificate. If you do not have a root and an identity certificate installed on your VPN Concentrator, follow the steps in the previous sections before beginning this section.


For the VPN Concentrator to use the digital certificates you obtained, you must enable authentication using digital certificates. Table 11-1 outlines this procedure.

Table 11-1 Enabling Digital Certificates on the VPN Concentrator

For Remote Access Sessions:

1. Edit and activate an IKE proposal.

2. Configure an SA to use that IKE proposal and a particular identity certificate.

3. Configure the group to use that SA.

For IPSec LAN-to-LAN Connections:

1. Edit and activate an IKE proposal.

2. Configure the LAN-to-LAN connection to use that IKE proposal.

3. Configure the LAN-to-LAN connection to use a particular identity certificate.


Enabling Digital Certificates for Remote Access Connections

To enable digital certificates for remote access connections, you must first edit and activate the appropriate IKE proposal:


Step 1 Display the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. (See Figure 11-23.)

Step 2 Select an IKE proposal (or create a new one) for which you want to enable digital certificates.

Figure 11-23 Configuration | System | Tunneling Protocols | IPSec | IKE Proposals Screen

Step 3 Click Modify (or Add). The Manager displays the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Modify (or Add) screen. (See Figure 11-24.)

Figure 11-24 Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Modify Screen

Step 4 Click the Authentication Mode drop-down menu. Choose any of the Digital Certificates options.

Step 5 Click Apply (or Add). The Manager returns to the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. (See Figure 11-23.)

Step 6 Verify that the IKE proposal you just edited is in the Active Proposals column. If it is not, select the proposal and click << Activate.


Next, follow these steps to configure the SA:


Step 1 Display the Configuration | Policy Management | Traffic Management | Security Associations screen. (See Figure 11-25.)

Figure 11-25 Configuration | Policy Management | Traffic Management | Security Associations Screen

Step 2 Do one of the following:

To edit an existing SA, select an SA on the IPSec SA list and click Modify.

To create a new SA, click Add.

The Manager displays the Configuration | Policy Management | Traffic Management | Security Associations | Modify (or Add) screen. (See Figure 11-26.)

Figure 11-26 Configuration | Policy Management | Traffic Management | Security Associations | Modify (or Add) Screen

Step 3 Under IKE Parameters, choose the digital certificate you want to use from the Digital Certificate drop-down menu.

Step 4 Select a Certificate Transmission option. If you want the VPN Concentrator to send the peer the identity certificate and all issuing certificates (including the root certificate and any subordinate CA certificates), click Entire certificate chain. If you want to send the peer only the identity certificate, click Identity certificate only. Send the entire chain when the identity certificate was issued by a subordinate CA and the peer may have only the root CA certificate installed; a peer that cannot build a path from the identity certificate to a CA certificate it trusts fails the IKE authentication.

Step 5 Choose the name of the IKE proposal you just configured from the IKE Proposal drop-down menu.

Step 6 Click Apply (or Add). The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen.


Finally, follow these steps to configure the group to use the SA:


Step 1 Display the Configuration | User Management | Groups screen. (See Figure 11-27.)

Figure 11-27 Configuration | User Management | Groups Screen

Step 2 Do one of the following:

To edit an existing group, select a group on the Current Groups list and click Modify Group.

To create a new group, click Add Group.

The Manager displays the Configuration | User Management | Groups | Modify (or Add) screen.

Step 3 Click the IPSec tab. (See Figure 11-28.)

Figure 11-28 Configuration | User Management | Groups | Modify (or Add) Screen, IPSec Tab

Step 4 Choose the name of the SA you just configured from the IPSec SA drop-down menu.

Step 5 Click Apply (or Add). The Manager displays the Configuration | User Management | Groups screen.

Step 6 Click the Save Needed icon to save your changes.


Enabling Digital Certificates for IPSec LAN-to-LAN Connections

To enable digital certificates for IPSec LAN-to-LAN connections, first edit and activate the appropriate IKE proposal. (Follow steps 1-6 in the "Enabling Digital Certificates for Remote Access Connections" section.) Then continue, following these steps:


Step 1 Display the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen. (See Figure 11-29.)

Figure 11-29 Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN Screen

Step 2 Select the LAN-to-LAN connection (or create a new one) for which you want to enable digital certificates.

Step 3 Click Modify (or Add). The Manager displays the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify (or Add) screen. (See Figure 11-30.)

Figure 11-30 Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify Screen

Step 4 Click the Digital Certificate drop-down menu and choose a digital certificate to use for this LAN-to-LAN connection.

Step 5 Select a Certificate Transmission option. If you want the VPN Concentrator to send the peer the identity certificate and all issuing certificates (including the root certificate and any subordinate CA certificates), click Entire certificate chain. If you want to send the peer only the identity certificate, click Identity certificate only.

Step 6 Click the IKE Proposal drop-down menu and choose an active IKE proposal that is configured for digital certificate authentication.

Step 7 Click Modify (or Add). The Manager returns to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen. (See Figure 11-29.)

Step 8 Click the Save Needed icon to save your changes.


Deleting Digital Certificates

Delete digital certificates in the following order:

1. Identity or SSL certificates

2. Subordinate certificates

3. Root certificates


Note You cannot delete a certificate if it is in use by an SA, if it is the issuer of another installed certificate, or if it is referenced in an active certificate request.


Follow these steps to delete certificates:


Step 1 Display the Administration | Certificate Management screen. (See Figure 11-1.)

Step 2 Find the certificate you want to delete and click Delete. The Administration | Certificate Management | Delete screen appears.

Figure 11-31 Administration | Certificate Management | Delete Screen

Step 3 Click Yes. The Manager returns to the Administration | Certificate Management window.
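The deletion order and the three refusal conditions in the Note above form a dependency rule: a certificate can go only when nothing installed or pending still points at it. The following is an added example, not Cisco code, that models those rules in Python so you can compute a safe deletion order for a chain before clicking Delete. The certificate names, the SA name and the enrollment request are constructed for the example, and the set of request statuses treated as "active" is an assumption.

```python
# Added example (not Cisco code): the deletion rules from "Deleting Digital
# Certificates" expressed as a dependency check. Names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: these statuses are what the Manager means by an "active" request.
ACTIVE_REQUEST_STATUSES = {"Submitting", "In Progress", "Polling"}

@dataclass
class Certificate:
    name: str
    kind: str                       # "root", "subordinate", "identity" or "ssl"
    issuer: Optional[str] = None    # issuing CA certificate; None if self-signed
    used_by: Set[str] = field(default_factory=set)  # SAs / LAN-to-LAN connections

@dataclass
class EnrollmentRequest:
    subject: str
    issuing_ca: str
    status: str

class CertificateStore:
    def __init__(self, certs: List[Certificate], requests: List[EnrollmentRequest] = ()):
        self.certs: Dict[str, Certificate] = {c.name: c for c in certs}
        self.requests = list(requests)

    def blockers(self, name: str) -> List[str]:
        """Reasons the Manager would refuse to delete `name` (empty = deletable)."""
        reasons = []
        cert = self.certs[name]
        if cert.used_by:
            reasons.append("in use by SA: " + ", ".join(sorted(cert.used_by)))
        issued = sorted(c.name for c in self.certs.values()
                        if c.issuer == name and c.name != name)
        if issued:
            reasons.append("issuer of installed certificate: " + ", ".join(issued))
        active = sorted(r.subject for r in self.requests
                        if r.issuing_ca == name and r.status in ACTIVE_REQUEST_STATUSES)
        if active:
            reasons.append("referenced by active enrollment request: " + ", ".join(active))
        return reasons

    def delete(self, name: str) -> None:
        reasons = self.blockers(name)
        if reasons:
            raise PermissionError(f"cannot delete {name}: " + "; ".join(reasons))
        del self.certs[name]

    def deletion_order(self) -> List[str]:
        """Leaf-first order: identity/SSL certificates, then subordinate CAs, then roots."""
        order, remaining = [], set(self.certs)
        while remaining:
            tier = sorted(n for n in remaining
                          if not any(self.certs[o].issuer == n for o in remaining if o != n))
            if not tier:
                raise ValueError("issuer cycle among installed certificates")
            order.extend(tier)
            remaining -= set(tier)
        return order

def build_sample_store() -> CertificateStore:
    """Constructed chain: Root CA -> Sub CA -> Gateway A, plus a self-signed SSL cert."""
    return CertificateStore(
        [Certificate("Root CA", "root"),
         Certificate("Sub CA", "subordinate", issuer="Root CA"),
         Certificate("Gateway A", "identity", issuer="Sub CA", used_by={"ESP-3DES-MD5"}),
         Certificate("ssl-public", "ssl")],
        [EnrollmentRequest("Gateway B", issuing_ca="Sub CA", status="Polling")],
    )

if __name__ == "__main__":
    store = build_sample_store()
    print("delete in this order:", store.deletion_order())
    for cert_name in store.certs:
        print(cert_name, "->", store.blockers(cert_name) or "deletable")
```

Resolving a blocker means changing the referencing object first (point the SA at another certificate, cancel the polling request, delete the issued certificate), never the other way round; the store refuses rather than cascading, which matches the Manager's behaviour.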


Administration | Certificate Management

This section of the Manager shows outstanding enrollment requests and all the certificates installed on the VPN Concentrator, and it lets you manage them.

The links at the top of this screen guide you step-by-step through the process of enrolling and installing certificates.

To install a CA certificate (via SCEP or manually), click on Click Here to Install a CA Certificate.


Note The Click Here to Install a CA Certificate option is available from this window only when no CA certificates are installed on the VPN Concentrator. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA Certificate.


To create an SSL or identity certificate enrollment request, click on Click Here to Enroll with a Certificate Authority.

To install the certificate obtained via enrollment, click on Click Here to Install a Certificate.

The VPN Concentrator notifies you (by issuing a severity 3 CERT class event) if any of the installed certificates are within one month of expiration.

The Manager displays this screen each time you install a digital certificate.

Figure 11-32 Administration | Certificate Management Screen

Screen Elements

Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.

Certificate Authorities Table

This table shows root and subordinate CA certificates installed on the VPN Concentrator.

View All CRL Caches — Click this link to see details of all CRLs cached on the VPN Concentrator.

Clear All CRL Caches — Click this link to delete all the CRLs cached on the VPN Concentrator. The next authentication attempt that needs a CRL retrieves a fresh copy, so use this option to force a cache refresh.

Current — The actual number of CA certificates installed on the VPN Concentrator.

Maximum — The maximum possible number of CA certificates allowed on this VPN Concentrator. This limit varies by VPN Concentrator model.

Subject/Issuer — The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | View.

Expiration — The expiration date of the certificate. The date format is MM/DD/YYYY.

SCEP Issuer — In order for a certificate to be available for SCEP enrollment, it must be installed via SCEP. This field indicates if the certificate is SCEP-enabled.

Yes = This certificate can issue identity and SSL certificates via SCEP.

No = This certificate cannot issue certificates via SCEP.


Note If you want to use a certificate for SCEP enrollment, but that certificate is not SCEP-enabled, reinstall it using SCEP.


Actions

This column allows you to manage particular certificates. The actions available vary with type and status of the certificate.

View — View details of this certificate.

Configure — Enable CRL (Certificate Revocation List) checking for this CA certificate, configure CRL caching, or enable acceptance of subordinate CA certificates.

Delete — Delete this certificate from the VPN Concentrator.

SCEP — View or configure SCEP parameters for this certificate.

Show RAs — SCEP-enabled CA certificates sometimes have supporting (RA) certificates. View details of these certificates. (Only available for CA certificates.)

Hide RAs — Hide the details of the RA certificates.

Identity Certificates Table

This table shows installed identity certificates.

Current — The actual number of identity certificates installed on the VPN Concentrator.

Maximum — The maximum possible number of identity certificates allowed on this VPN Concentrator. This limit varies by VPN Concentrator model.

Subject/Issuer, Expiration, Actions — Refer to the explanation of these fields for CA certificates, above.

SSL Certificates Table

This table shows the SSL server certificates installed on the VPN Concentrator. The system can have one SSL server certificate for each interface (private, public, and external). Each can be either a self-signed certificate or one issued in a PKI context. If load balancing is enabled, an SSL load balancing certificate is present as well.

To generate a self-signed SSL server certificate, click Generate. The new certificate replaces any existing SSL certificate on that interface.

These fields appear in the SSL Certificates table:

Interface — The interface on which this SSL certificate is installed.

Subject/Issuer, Expiration — Refer to the explanation of these fields for CA certificates, above.

Actions

This column allows you to manage particular certificates. The actions available vary with type and status of the certificate.

View — View details of this certificate.

Renew — Generate a new enrollment request based on the content of this certificate.

Delete — Delete this certificate from the VPN Concentrator.

Export — Copy this certificate to another interface on this VPN Concentrator or to another VPN Concentrator. This option is useful if you are setting up load balancing or VRRP.

Generate — Generate a new SSL certificate, with a new key.

Enroll — Enroll this certificate with a CA.

Import — Copy a certificate to this interface from another interface on this VPN Concentrator or from another VPN Concentrator. This option is useful if you are setting up load balancing or VRRP.

SSH Host Key Table

These fields appear in the SSH Host Key table:

Key Size — The size (in bits) of the SSH host key.

Key Type — The public-key algorithm of the SSH host key. (Only RSA is currently supported.)

Date Generated — The date on which the SSH host key was generated.

Actions:Generate — Generate a new SSH host key.

Enrollment Status Table

This table tracks the status of active enrollment requests.

The number of enrollment requests you can make at any given time is limited to the VPN Concentrator's identity certificate capacity. Most VPN Concentrator models allow a maximum of 20 identity certificates. Thus, for example, if you already have five identity certificates installed, you will only be able to create up to 15 enrollment requests. The VPN 3005 Concentrator is an exception, supporting only two identity certificates. On the VPN 3005 Concentrator only, you can request a third certificate, even if there are already two certificates installed, but the VPN Concentrator does not install this certificate immediately. First you must delete one of the existing certificates. Then, activate the new certificate to replace the one you just deleted.

The VPN Concentrator automatically deletes entries that have the status "Timed-out," "Failed," "Cancelled," or "Error" and are older than one week.

[Remove All]

Click a Remove All option to delete all enrollment requests of a particular status.

Errored — Delete all enrollment requests with the status "Error."

Timed-out — Delete all enrollment requests with the status "Timed-out."

Rejected — Delete all enrollment requests with the status "Rejected."

Cancelled — Delete all enrollment requests with the status "Cancelled."

In Progress — Delete all enrollment requests with the status "In Progress."

Other Table Elements

Current — The number of enrollment requests currently outstanding.

Available — The number of enrollment requests still available.

Subject/Issuer — Refer to the explanation of this field for CA certificates, above.

Date — The original date of enrollment.

Use — The type of certificate: identity or SSL.

Reason — The type of enrollment: initial, re-enrollment, or re-key.

Method — The method of enrollment: SCEP or manual.

Status — Disposition of the enrollment request:

In Progress = The request has been created, but the requested certificate has not yet been installed. This value is used only for PKCS10 (manual) enrollment requests.

Polling = The CA did not immediately fulfill the enrollment request; the VPN Concentrator has entered polling mode. This value is used only for enrollment requests created using SCEP.

Timed-out = The SCEP polling cycle has ended after reaching the configured maximum number of retries. This value is used only for enrollment requests created using SCEP.

Rejected = The CA refused to issue the certificate. This value is used only for enrollment requests created using SCEP.

Cancelled = The certificate request was cancelled while the VPN Concentrator was in polling mode.

Complete = The CA has fulfilled the renewal request. To bring this new certificate into service, click Activate.

Error = An error occurred during the enrollment process. Enrollment was stopped.

Submitting = The certificate request is being sent to the CA.

Actions

This column allows you to manage enrollment requests. The actions available vary with the type and status of the enrollment request.

View — View details of this enrollment request.

Install — Install the certificate that the CA issued for this enrollment request. This action is available only for PKCS10 (manual) enrollment requests.

Cancel — Cancel a request that is pending. This action is available only for SCEP enrollment requests with "Polling" status.

Re-submit — Re-initiate SCEP communications with the CA or RA using the previously entered request information. This action is available only for SCEP enrollment requests.

Activate — Bring this certificate into service.

Delete — Delete an enrollment request from the VPN Concentrator.

Enroll

Choose whether you are creating an enrollment request for an identity certificate or an SSL certificate.

Figure 11-33 Administration | Certificate Management | Enrollment Screen

Screen Elements

Identity Certificate — Click to create a certificate request for an identity certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen.

SSL Certificate — Click to create a certificate request for an SSL certificate. The Manager displays the Administration | Certificate Management | Enroll | SSL Certificate screen.

Enroll | Certificate Type

Choose the method for enrolling the (identity or SSL) certificate.

Figure 11-34 Administration | Certificate Management | Enroll | Identity Certificate Screen

Screen Elements

Enroll via PKCS10 Request (Manual) — Click to enroll the certificate manually.

Enroll via SCEP at [Name of SCEP CA] — Click to enroll the certificate automatically using SCEP.

You can enroll certificates using SCEP only if you installed the CA certificate using SCEP. One Enroll via SCEP link appears on this screen for each CA certificate on the VPN Concentrator that was installed using SCEP. To see which CA certificates on your VPN Concentrator were installed using SCEP, see the Certificate Authorities table on the Administration | Certificate Management screen. "Yes" in the SCEP Issuer column indicates that the CA certificate was installed using SCEP; "No" indicates it was installed manually. If no CA certificate on the VPN Concentrator was installed using SCEP, then no Enroll via SCEP link appears on this screen. You do not have the option of using SCEP to enroll the certificate.

Install a new SA Using SCEP before Enrolling — Click if you want to enroll a certificate using SCEP, but no Enroll via SCEP link appears here. Install a CA certificate using SCEP, then return to this screen to enroll the certificate. An Enroll via SCEP link now appears.

Go back and choose a different type of certificate — Click to return to the Administration | Certificate Management | Enroll screen. (See Figure 11-33.)

Enroll | Certificate Type | PKCS10

To generate an enrollment request for an SSL or identity certificate, you need to provide information about the VPN Concentrator.

Figure 11-35 Administration | Certificate Management | Enroll | Identity Certificate via PKCS10 Screen

Screen Elements

Common Name (CN) — The primary identity of the entity associated with the certificate, for example, Gateway A. Spaces are allowed. You must enter a name in this field.

Organizational Unit (OU) — The name of the department or other organizational unit to which this VPN Concentrator belongs, for example: VPNC. Spaces are allowed.


Caution The value you enter in this field must match on both ends of the connection.

Organization (O) — The name of the company or organization to which this VPN Concentrator belongs, for example: Cisco Systems. Spaces are allowed.

Locality (L) — The city or town where this VPN Concentrator is located, for example: Westminster. Spaces are allowed.

State/Province (SP) — The state or province where this VPN Concentrator is located, for example: Massachusetts. Spell the name out completely; do not abbreviate. Spaces are allowed.

Country (C) — The country where this VPN Concentrator is located, for example: US. Use two characters, no spaces, and no periods. This two-character code must conform to ISO 3166 country codes.

Subject Alternative Name (Fully Qualified Domain Name) (FQDN) — The fully qualified domain name that identifies this VPN Concentrator in this PKI, for example: Cisco.com. This field is optional. The alternative name is an additional data field in the certificate that provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.

Subject Alternative Name (E-mail Address) (E-mail) — The e-mail address of the VPN Concentrator administrator, for example: gatewaya@cisco.com.

Challenge Password — Use this field according to the policy of your CA:

Your CA might have given you a password. If so, enter it here for authentication.

Your CA might allow you to provide your own password to identify yourself to the CA in the future. If so, create your password here.

Your CA might not require a password. If not, leave this field blank.


Note This field (and the Verify Challenge Password field) appears only if you are requesting a certificate using SCEP. It does not apply to manual certificate requests.


Verify Challenge Password — Re-enter the password.

Key Size — The algorithm for generating the public-key/private-key pair, and the key size. If you are requesting an SSL certificate, or if you are requesting an identity certificate using SCEP, only the RSA options are available. The processing costs below are relative to the 512-bit key; the security ratings given in the original release are out of date. 512-bit and 768-bit RSA moduli have been factored publicly (RSA-155 in 1999, RSA-768 in 2009), and NIST has disallowed 1024-bit RSA for signature generation since 2013, so select RSA 2048 bits unless a peer cannot handle it. The DSA options of the same sizes are no stronger.

RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman) algorithm. This is the default selection and requires the least processing, but it offers no meaningful security against a current attacker.

RSA 768 bits = Generate 768-bit keys using the RSA algorithm. It requires approximately 2 to 4 times more processing than the 512-bit key and, like 512 bits, is breakable in practice.

RSA 1024 bits = Generate 1024-bit keys using the RSA algorithm. It requires approximately 4 to 8 times more processing than the 512-bit key.

RSA 2048 bits = Generate 2048-bit keys using the RSA algorithm. This is the smallest size that meets current guidance. It requires 8 to 16 times more processing than the 512-bit key.

DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature Algorithm).

DSA 768 bits = Generate 768-bit keys using the DSA algorithm.

DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.

Enroll — Click to generate the certificate request. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen (see Figure 11-36) and then opens a browser window showing the certificate request (see Figure 11-37).

Cancel — Click to discard your entries and cancel the request. The Manager returns to the Administration | Certificate Management screen.

Enrollment or Renewal | Request Generated

The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS #10 format (the Certification Request Syntax standard), which most CAs recognize or require. The system automatically saves this file in Flash memory with the filename shown on the screen (pkcsNNNN.txt).

In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN Concentrator in encrypted form.


Note You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.


Figure 11-36 Administration | Certificate Management | Enrollment | Request Generated Screen

To go to the Administration | File Management | Files screen, click the highlighted File Management page link. From there you can view, copy, or delete the file in Flash memory.

The system also automatically opens a new browser window and displays the certificate request. You can select and copy the request to the clipboard, or you can save it as a file on your PC or a network host. Some CAs let you paste the request in a web interface, some ask you to send a file; use the method your CA requires.

Figure 11-37 Browser Window Displaying Certificate Request

Close this browser window when you have finished.

If there is an error in generating your certificate request, a different version of this screen appears. (See Figure 11-38.) You can view the certificate request and re-submit it from the Administration | Certificate Management screen.

Figure 11-38 Administration | Certificate Management | Enrollment | Request Generated Screen—Error

Screen Elements

Go to Certificate Management — Click if you want to view the certificate request. The Manager displays the Administration | Certificate Management screen. (See Figure 11-1.)

Go to Certificate Enrollment — Click if you want to enroll another certificate. The Manager displays the Administration | Certificate Management | Enroll screen.

Go to Certificate Installation — Click if you want to install the certificate you have just enrolled. The Manager displays the Administration | Certificate Management | Install screen.

Enroll | Identity Certificate | SCEP

To generate an enrollment request for an identity certificate, you need to provide information about the VPN Concentrator.

Figure 11-39 Administration | Certificate Management | Enroll | Identity Certificate via SCEP Screen

Screen Elements

Fields — For an explanation of each of the fields on this screen, see the descriptions under Enroll | Certificate Type | PKCS10.

Enroll — Click to generate the certificate request and install the identity certificate on the VPN Concentrator. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 11-36.)

Cancel — Click to discard your entries and cancel the request. The Manager returns to the Administration | Certificate Management screen. (See Figure 11-1.)

Enroll | SSL Certificate | SCEP

To generate an enrollment request for an SSL certificate, you need to provide information about the VPN Concentrator.

Figure 11-40 Administration | Certificate Management | Enroll | SSL Certificate | SCEP Screen

Screen Elements

Fields — For an explanation of each of the fields on this screen, see the descriptions under Enroll | Certificate Type | PKCS10.

Enroll — Click to generate the certificate request and install the SSL certificate on the VPN Concentrator. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 11-36.)

If there is already an active request for an SSL certificate on the VPN Concentrator, the software displays an error message.

Retry the operation = Click to return to the Administration | Certificate Management | Enroll | SSL Certificate | SCEP screen.

Return to main menu = Click to return to the Main screen.

Cancel — Click to discard your entries and cancel the request. The Manager returns to the Administration | Certificate Management screen. (See Figure 11-1.)

Install

Choose the type of certificate you want to install.

Figure 11-41 Administration | Certificate Management | Install Screen

Screen Elements

Install CA Certificate — Click if you want to install a CA certificate. The Manager displays the Administration | Certificate Management | Install | CA Certificate screen.

Install SSL Certificate with Private Key — Some web servers export their SSL certificates with the private key attached. If you have a PEM-encoded certificate with a corresponding private key that you want to install, click Install SSL Certificate with Private Key. The Manager displays the Administration | Certificate Management | Install | SSL Certificate with Private Key screen.

Install Certificate Obtained via Enrollment — Click if you want to install a certificate manually that you have obtained by enrolling a certificate request with a CA. The Manager displays the Administration | Certificate Management | Install | Certificate Obtained via Enrollment screen.

Install | Certificate Obtained via Enrollment

Once you have enrolled a certificate, you can install it. This screen allows you to install an enrolled certificate.

Figure 11-42 Administration | Certificate Management | Install | Certificate Obtained via Enrollment Screen

Screen Elements

Enrollment Status table — For a description of the fields in this table, see the description of the "Enrollment Status Table" under Administration | Certificate Management.

Go back and choose a different type of certificate — Click if you do not want to install a certificate that you have obtained via filing an enrollment request with your CA. The Manager returns to the Administration | Certificate Management | Install screen.

Install | Certificate Type

Choose the method you want to use to install the certificate.

Figure 11-43 Administration | Certificate Management | Install | CA Certificate

Screen Elements

SCEP (Simple Certificate Enrollment Protocol) — Click if you want to install the CA certificate automatically using SCEP. The Manager displays the Administration | Certificate Management | Install | CA Certificate | SCEP screen. (See Figure 11-44.)


Note This option is available only for CA certificates.


Cut & Paste Text — Click if you want to cut and paste the certificate using a browser window. The Manager displays the Administration | Certificate Management | Install | Certificate Type | Cut and Paste Text screen. (See Figure 11-45.)

Upload File from Workstation — Click if your certificate is stored in a file. The Manager displays the Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation screen. (See Figure 11-48.)

Go back and choose a different type of certificate — If you do not want to install the specified type of certificate, click here to display the Administration | Certificate Management | Install screen. (See Figure 11-41.)

Install | CA Certificate | SCEP  

In this screen, provide information about the certificate authority in order to retrieve and install a CA certificate automatically using SCEP.

Figure 11-44 Administration | Certificate Management | Install | CA Certificate | SCEP Screen

Screen Elements

URL — Enter the URL of the SCEP interface of the CA.

CA Descriptor — Some CAs use descriptors to further identify the certificate. If your CA gave you a descriptor, enter it here. Otherwise enter a descriptor of your own. You must enter something in this field.

Retrieve — Click to retrieve a CA certificate from the CA and install it on the VPN Concentrator.

Cancel — Click to discard your entries and cancel the request. The Manager returns to the Administration | Certificate Management screen. (See Figure 11-1.)

Install | Certificate Type | Cut and Paste Text

To install the certificate using the manual method, cut and paste the certificate text into the Certificate Text window.

Figure 11-45 Administration | Certificate Management | Install | CA Certificate | Cut and Paste Text Screen

Figure 11-46 Administration | Certificate Management | Install | SSL Certificate | Cut and Paste Text Screen

Figure 11-47 Administration | Certificate Management | Install | SSL Certificate with Private Key| Cut and Paste Text Screen

Screen Elements

Certificate Text — Paste the PEM or base-64 encoded certificate text from the clipboard into this window. If you are installing an SSL certificate with a private key, include the encrypted private key.

Password — Enter a password for decrypting the private key. Use the same password you used to encrypt the private key when you exported it. (See Administration | Certificate Management | Export SSL Certificate.)


Note This field appears only if you are installing an SSL certificate with a private key.


Interface — Choose the interface on which to install the certificate.


Note This field appears only if you are installing an SSL certificate.


Install — Click to install the certificate on the VPN Concentrator.

Cancel — Click to discard your entries and cancel the request. The Manager returns to the Administration | Certificate Management screen. (See Figure 11-1.)

Install | Certificate Type | Upload File from Workstation   

If you want to install a certificate stored on your PC, use this screen to upload the certificate file to the VPN Concentrator.

Figure 11-48 Administration | Certificate Management | Install | CA Certificate | Upload File from Workstation Screen

Figure 11-49 Administration | Certificate Management | Install | SSL Certificate | Upload File from Workstation Screen

Figure 11-50 Administration | Certificate Management | Install | SSL Certificate with Private Key | Upload File from Workstation Screen

Screen Elements

Filename / Browse — Enter the name of the certificate file that is on your PC. In a Windows environment, enter the complete pathname using MS-DOS syntax, for example: c:\Temp\certnew.cer. You can also click the Browse button to open a file navigation window, find the file, and select it.

Password — Enter a password for decrypting the private key. Use the same password you used to encrypt the private key when you exported it. (See Administration | Certificate Management | Export SSL Certificate.)


Note This field appears only if you are installing an SSL certificate with a private key.


Interface — Choose the interface on which to install the certificate.


Note This field appears only if you are installing an SSL certificate.


Install — Click to install the certificate on the VPN Concentrator.

Cancel — Click to discard your entries and cancel the request. The Manager returns to the Administration | Certificate Management screen. (See Figure 11-1.)

Configure SCEP

The SCEP Configuration parameters are available only for CA certificates that support SCEP enrollment.

Figure 11-51 Administration | Certificate Management | Configure SCEP

Screen Elements

Enrollment URL — Enter the URL where the VPN Concentrator should send SCEP enrollment requests made to this CA. The default value of this field is the URL used to download this CA certificate.

Polling Interval — If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request will enter polling mode. In polling mode, the VPN Concentrator re-sends the certificate request to the CA for a specified period until the CA responds or the process times out.

Enter the number of minutes the VPN Concentrator should wait between re-sends. The minimum number of minutes is 1; the maximum number of minutes is 60. The default value is 1.

Polling Limit — Enter the number of times the VPN Concentrator should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum number is 100. If you do not want any polling limit (that is, you want unlimited re-sends), enter none.
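The two SCEP parameters above decide how an enrollment request moves through the Status values listed in the Enrollment Status table (Submitting, Polling, Timed-out, Cancelled, Rejected, Complete). The following is an added example, not Cisco code, that simulates that cycle in Python. The CA is a constructed stand-in that answers PENDING a fixed number of times; a real SCEP CA is reached over HTTP at the Enrollment URL, and waiting is modelled by counting minutes rather than sleeping.

```python
# Added example (not Cisco code): how Polling Interval and Polling Limit drive
# an enrollment request through the Enrollment Status table's Status values.
# The CA below is a constructed simulation, not a SCEP client implementation.
from dataclasses import dataclass
from typing import Optional

class SimulatedSCEPCA:
    """Answers PENDING for the first `pending_polls` requests, then `final`
    ('SUCCESS' = certificate issued, 'FAILURE' = request refused)."""
    def __init__(self, pending_polls: int, final: str = "SUCCESS"):
        self.pending_polls = pending_polls
        self.final = final
        self.requests_seen = 0

    def pki_operation(self, request: str) -> str:
        self.requests_seen += 1
        return "PENDING" if self.requests_seen <= self.pending_polls else self.final

def parse_polling_interval(text: str) -> int:
    """Minutes between re-sends: 1..60 (screen default is 1)."""
    minutes = int(text)
    if not 1 <= minutes <= 60:
        raise ValueError("Polling Interval must be between 1 and 60 minutes")
    return minutes

def parse_polling_limit(text: str) -> Optional[int]:
    """Number of re-sends: 0..100, or 'none' for unlimited (returned as None)."""
    if text.strip().lower() == "none":
        return None
    limit = int(text)
    if not 0 <= limit <= 100:
        raise ValueError("Polling Limit must be between 0 and 100, or none")
    return limit

@dataclass
class Enrollment:
    subject: str
    status: str = "Submitting"
    resends: int = 0
    minutes_waited: int = 0

def run_enrollment(ca: SimulatedSCEPCA, subject: str, polling_interval: int = 1,
                   polling_limit: Optional[int] = None,
                   cancel_after: Optional[int] = None) -> Enrollment:
    """Submit once, then re-send every `polling_interval` minutes while the CA
    answers PENDING, stopping after `polling_limit` re-sends (None = unlimited).
    `cancel_after` models the administrator clicking Cancel after that many
    re-sends while the request is in Polling status."""
    enrollment = Enrollment(subject)
    reply = ca.pki_operation(subject)
    while reply == "PENDING":
        enrollment.status = "Polling"
        if polling_limit is not None and enrollment.resends >= polling_limit:
            enrollment.status = "Timed-out"   # Re-submit would start a fresh cycle
            return enrollment
        if cancel_after is not None and enrollment.resends >= cancel_after:
            enrollment.status = "Cancelled"
            return enrollment
        enrollment.resends += 1
        enrollment.minutes_waited += polling_interval
        reply = ca.pki_operation(subject)
    enrollment.status = "Complete" if reply == "SUCCESS" else "Rejected"
    return enrollment

if __name__ == "__main__":
    # A CA that needs manual approval (5 pending answers) against a 3 re-send limit.
    print(run_enrollment(SimulatedSCEPCA(5), "CN=Gateway A", polling_interval=1, polling_limit=3))
    # The same CA with Polling Limit set to none completes after 5 re-sends.
    print(run_enrollment(SimulatedSCEPCA(5), "CN=Gateway A",
                         polling_limit=parse_polling_limit("none")))
```

With a CA that requires an operator to approve requests, a limit of 100 at the default 1-minute interval gives the operator only 100 minutes before the request times out; either lengthen the interval or enter none and rely on Cancel.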

View CRL Cache

This window shows details of CRLs cached on the VPN Concentrator issued by a particular CA. If you clicked the View All CRL Caches link on the Administration | Certificate Management window to invoke this window, then the window shows details of all CRLs cached on the VPN Concentrator.

Figure 11-52 Administration | Certificate Management | View CRL Cache (of a particular CA)

Figure 11-53 Administration | Certificate Management | View CRL Cache (of all CAs)

Screen Elements

Number of Cached CRLs — The number of cached CRLs issued by a particular CA or, if you are viewing all CRL caches, by all CAs.

Size of Cached CRLs (in bytes) — The total size of all the cached CRLs issued by a particular CA or, if you are viewing all CRL caches, by all CAs.

CRL Distribution Point — The location from which the CRL was retrieved.

Cached Date — The date and time the CRL was retrieved.

Next Update — The date and time when the CA is expected to issue an updated CRL.


Note During tunnel establishment the VPN Concentrator checks to see if the CRL associated with the connecting user is current. If the CRL has expired, the VPN Concentrator automatically reloads an updated CRL from that CA before attempting to validate the user.


Size (bytes) — The size of the CRL.

View

The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management | Certificates screen. The details vary depending on the certificate content.

The content and format of certificate details are governed by the ITU (International Telecommunication Union) X.509 standard, as profiled for the Internet in RFC 2459. The Subject and Issuer fields conform to ITU X.520.

This screen is read-only; you cannot change any information here.

Figure 11-54 Administration | Certificate Management | View Screen

Certificate Fields

A certificate contains some or all of the following fields:

Subject — The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.

Issuer — The CA or other entity (jurisdiction) that issued the certificate.

Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.

CN — Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

For the VPN Concentrator self-signed SSL certificate, the default CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. You can customize this field to specify a fully-qualified domain name (FQDN). SSL compares this CN with the address you use to connect to the VPN Concentrator via HTTPS, as part of its validation.

OU — Organizational Unit: the subgroup within the organization (O).

O — Organization: the name of the company, institution, agency, association, or other entity.

L — Locality: the city or town where the organization is located.

SP — State/Province: the state or province where the organization is located.

C — Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Serial Number — The serial number of the certificate. Each serial number must be unique among all certificates issued by that CA. CRL checking uses this serial number.

Signing Algorithm — The cryptographic algorithm that the CA or other issuer used to sign this certificate.

Public Key Type — The algorithm and size of the certified public key.

Certificate Usage — The purpose of the key contained in the certificate, for example: digital signature, certificate signing, nonrepudiation, key or data encipherment, etc.

MD5 Thumbprint — A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate.

If you question a root certificate's authenticity, you can check this value with the issuer.

SHA1 Thumbprint — A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.

Validity — The time period during which this certificate is valid.

Format is MM/DD/YYYY at HH:MM:SS to MM/DD/YYYY at HH:MM:SS. Time uses 24-hour notation, and is local system time.

The Manager checks the validity against the VPN Concentrator system clock, and it flags expired certificates by issuing event log entries.

Subject Alternative Name (Fully Qualified Domain Name) — The fully qualified domain name for this VPN Concentrator that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.

CRL Distribution Point — All CRL distribution points from the issuer of this certificate.


Back — Click to return to the Administration | Certificate Management screen.

Configure CA Certificate

This screen lets you refine the certificate acceptance policy and enable certificate revocation list (CRL) checking for CA certificates installed in the VPN Concentrator.

A certificate is normally expected to be valid for its entire validity period. However, if a certificate becomes invalid due to a name change, change of association between the subject and the CA, security compromise, etc., the CA revokes the certificate. Under X.509, CAs revoke certificates by periodically issuing a signed certificate revocation list (CRL), where each revoked certificate is identified by its serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the CRL to ensure that the certificate being verified has not been revoked.

CAs use LDAP and/or HTTP databases to store and distribute CRLs. They might also use other means, but the VPN Concentrator relies on LDAP or HTTP access.

Configuring CRL Checking

During IKE phase 1 negotiation, if CRL checking is enabled, the VPN Concentrator verifies the revocation status of the IKE peer certificate before allowing the tunnel to be established. CRLs exist on external servers maintained by Certificate Authorities. To verify the revocation status, the VPN Concentrator retrieves the CRL using one of the available CRL distribution points and checks the peer certificate serial number against the list of serial numbers in the CRL. If there are no matches, the VPN Concentrator assumes that the peer certificate has not been revoked.

The default is No CRL Checking. In this case, the VPN Concentrator neither retrieves a CRL nor performs revocation checking.

To enable CRL checking, choose the method to use to retrieve the CRL. A CRL distribution point is the location on a server from which a CRL can be downloaded.

You can configure the VPN Concentrator to retrieve the CRL from the distribution points specified in the certificate being checked, from a user-specified list of static CRL distribution points, or from a combination of these.

Enabling CRL Caching

Since the system has to fetch and examine the CRL from a network distribution point, enabling CRL checking might slow system response times. Also, if the network is slow or congested, CRL checking might fail. To mitigate these potential problems, you can enable CRL caching. This stores the retrieved CRLs in local volatile memory, thus allowing the VPN Concentrator to verify the revocation status of certificates more quickly.

With CRL Caching enabled, when the VPN Concentrator needs to check the revocation status of a certificate, it first checks whether the required CRL exists in the cache and, if it does, checks the serial number of the certificate against the list of serial numbers in the CRL. The certificate is considered revoked if its serial number is found. The VPN Concentrator retrieves a CRL from an external server when it does not find the required CRL in the cache, when the validity period of the cached CRL has expired, or when the configured refresh time has elapsed. When the VPN Concentrator receives a new CRL from an external server, it updates the cache with the new CRL. The cache can contain up to 64 CRLs.

The total memory allocated for all combined CRL caches varies by VPN Concentrator model. Model 3005 can cache up to 128 KB. Models 3015, 3020, and 3030 can cache up to 256 KB. Models 3060 and 3080 can cache up to 1 MB.


Note The CRL cache exists in memory, so rebooting the VPN Concentrator clears the CRL cache. The VPN Concentrator repopulates the CRL cache with updated CRLs as it processes new peer authentication requests.


Configure CA Certificate | Certificate Acceptance Tab

This tab lets you accept subordinate CA certificates and identity certificates.

Figure 11-55 Administration | Certificate Management | Configure CA Certificate Screen, Certificate Acceptance Tab

Screen Elements

Certificate — The certificate for which you are configuring the certificate acceptance policy.

Certificate Acceptance Policy: Accept Subordinate CA Certificates — During Phase 1 processing, an IKE peer might pass both a subordinate certificate and an identity certificate. This subordinate certificate might not be installed on the VPN Concentrator. Check the Accept Subordinate CA Certificates check box to let the VPN Concentrator use such subordinate certificates for certificate path validation. Uncheck the check box to disallow the feature.

Certificate Acceptance Policy: Accept Identity Certificates Signed by this Issuer — Check this box to allow the VPN Concentrator to accept identity certificates signed by this issuer. Uncheck the check box to disallow the feature. If you disallow the feature, the VPN Concentrator rejects any IKE peer certificate signed by this issuer.

Configure CA Certificate | CRL Retrieval Tab

The CRL Retrieval tab lets you set CRL policies.

Figure 11-56 Administration | Certificate Management | Configure CA Certificate Screen, CRL Retrieval Tab

Screen Elements

Certificate — The certificate for which you are configuring the CRL retrieval policy.

CRL Retrieval Policy

Choose the appropriate option to enable or disable CRL checking on all certificates issued by this CA. The VPN Concentrator can:

Use static CRL distribution points — Use up to five static CRL distribution points. If you choose this option, specify the LDAP or HTTP URLs on the CRL Protocol tab.

Use CRL distribution points embedded in the certificate being checked — The VPN Concentrator retrieves up to five CRL distribution points from the CRL Distribution Point extension of the certificate being verified and augments their information with the configured default values, if necessary. If the VPN Concentrator's attempt to retrieve a CRL using the primary CRL distribution point fails, it retries using the next available CRL distribution point in the list. This continues until either the VPN Concentrator retrieves a CRL or exhausts the list.

Use CRL distribution points embedded in certificate being checked or else use static CRL distribution points — If the VPN Concentrator cannot find five CRL distribution points in the certificate, it adds static CRL distribution points, up to a limit of five.

No CRL Checking — Do not enable CRL checking.

If you choose any of the options to enable CRL checking, configure the CRL Protocols next on the CRL Protocol tab.

Configure CA Certificate | CRL Protocol Tab

If you enabled CRL retrieval, define the CRL protocols here.

Figure 11-57 Administration | Certificate Management | Configure CA Certificate Screen, CRL Protocol Tab

Screen Elements

Certificate — The certificate for which you are configuring the CRL distribution points protocols.

HTTP — Check this box to support using the HTTP distribution point protocol to retrieve the CRL.


Note If you check HTTP, be sure to assign HTTP rules to the public interface filter.


LDAP — Check this box to support using the LDAP distribution point protocol to retrieve the CRL.

If you chose to support LDAP distribution points, enter the following information. If the distribution point extension of the certificate being checked is missing any of the following fields, the VPN Concentrator uses these values.

Server — [Embedded distribution points only] Enter the IP address or hostname of the CRL distribution server (LDAP server). Maximum 32 characters.

Port — [Embedded distribution points only] Enter the port number for the CRL server. Enter 0 (the default) to have the system supply the default port number, 389 (LDAP).

Login DN — If your CRL server requires this field, enter the login DN (Distinguished Name). The Login DN defines the directory path to access this CRL database, for example: cn=crl,ou=certs,o=CANam,c=US. The maximum field length is 128 characters.

Password — If your CRL server requires a password for the Login DN, enter it. Maximum 128 characters.

Verify — Re-enter the password to verify it. Maximum 128 characters.

LDAP or HTTP URLs — Enter HTTP or LDAP URLs that identify CRLs located on external servers. If you chose a CRL Retrieval Policy that uses static distribution points, you must enter at least one (and not more than five) valid URLs. Enter each URL on a single line. (Scroll right to enter longer values.) Examples of valid URLs are:

HTTP URL: http://1.1.1.2/CertEnroll/TestCA6-8.crl

LDAP URL: ldap://100.199.7.6:389/CN=TestCA6-8,CN=2KPDC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=qa2000,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

You must choose a CRL Retrieval Policy that uses static distribution points (the second option, Use static CRL distribution points, or the fourth option, Use CRL distribution points embedded in certificate being checked or else use static CRL distribution points) on the Configure CA Certificate | CRL Retrieval Tab before configuring URLs in this field. If neither of these CRL Retrieval options is selected, the Manager does not save these URLs.
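A static distribution point URL that the Manager accepts but that points nowhere useful (wrong scheme, missing server, a base DN the LDAP server does not hold) only shows up as failed revocation checks at tunnel time, so it is worth validating the URLs before pasting them in. The parser below is an added example written for this page, not Cisco's code; it splits HTTP URLs and RFC 2255 LDAP URLs (ldap://host:port/dn?attributes?scope?filter) of the form shown above, applies the page's limit of five static distribution points and its LDAP default port of 389, and breaks a base DN or Login DN into its X.520 RDNs. The two page URLs are embedded (the LDAP attribute spelled as the standard name certificateRevocationList); the port 80 default and the host crl.example.test used in the usage are this example's own assumptions.

```python
"""Validate static CRL distribution point URLs (HTTP and RFC 2255 LDAP).
Added example for this page; not Cisco code."""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

MAX_STATIC_DISTRIBUTION_POINTS = 5   # page: at least one and not more than five URLs
DEFAULT_LDAP_PORT = 389              # page: supplied when the port is 0 or absent
DEFAULT_HTTP_PORT = 80               # assumption: standard HTTP port when none is given

# The two example URLs given on this page (standard LDAP attribute spelling).
PAGE_EXAMPLE_URLS = (
    "http://1.1.1.2/CertEnroll/TestCA6-8.crl",
    "ldap://100.199.7.6:389/CN=TestCA6-8,CN=2KPDC,CN=CDP,CN=Public Key Services,"
    "CN=Services,CN=Configuration,DC=qa2000,DC=com"
    "?certificateRevocationList?base?objectclass=cRLDistributionPoint",
)


@dataclass
class CRLDistributionPoint:
    scheme: str                       # "http" or "ldap"
    host: str
    port: int
    path: str                         # HTTP path, or LDAP base DN
    attributes: Tuple[str, ...] = ()  # LDAP only
    scope: str = ""                   # LDAP only: base, one or sub
    ldap_filter: str = ""             # LDAP only


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an X.520 DN such as cn=crl,ou=certs,o=CANam,c=US into
    (attribute type, value) RDNs, honouring backslash-escaped commas."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def parse_distribution_point(url: str) -> CRLDistributionPoint:
    """Parse one URL; only the HTTP and LDAP protocols the page supports are accepted."""
    parts = urlparse(url.strip())
    if parts.scheme not in ("http", "ldap"):
        raise ValueError(f"unsupported CRL protocol {parts.scheme!r} in {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing server in {url!r}")
    if parts.scheme == "http":
        return CRLDistributionPoint("http", parts.hostname, parts.port or DEFAULT_HTTP_PORT,
                                    parts.path)
    # RFC 2255: ldap://host:port/dn?attributes?scope?filter (trailing parts optional)
    attrs, scope, ldap_filter = (parts.query.split("?") + ["", "", ""])[:3]
    return CRLDistributionPoint(
        "ldap", parts.hostname, parts.port or DEFAULT_LDAP_PORT, parts.path.lstrip("/"),
        tuple(a for a in attrs.split(",") if a), scope or "base", ldap_filter)


def parse_static_distribution_points(field_text: str) -> List[CRLDistributionPoint]:
    """Parse the 'LDAP or HTTP URLs' field: one URL per line, one to five lines."""
    urls = [line for line in field_text.splitlines() if line.strip()]
    if not 1 <= len(urls) <= MAX_STATIC_DISTRIBUTION_POINTS:
        raise ValueError(f"need 1..{MAX_STATIC_DISTRIBUTION_POINTS} URLs, got {len(urls)}")
    return [parse_distribution_point(url) for url in urls]


if __name__ == "__main__":
    for point in parse_static_distribution_points("\n".join(PAGE_EXAMPLE_URLS)):
        print(point)
    print(split_dn("cn=crl,ou=certs,o=CANam,c=US"))     # the Login DN example above
```

Note that the LDAP attribute, scope and filter are what the VPN Concentrator's query will actually send; an LDAP URL that carries only a DN is parsed here with the RFC 2255 defaults (all attributes, base scope), which is why the scope field reads base for such a URL.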

Configure CA Certificate | CRL Caching Tab

The CRL Caching tab lets you enable and set policies for CRL caching.

Figure 11-58 Administration | Certificate Management | Configure CA Certificate Screen, CRL Caching Tab

Screen Elements

Certificate — The certificate for which you are configuring the CRL caching policy.

CRL Caching: Enabled — Check this box to allow the VPN Concentrator to cache retrieved CRLs. The default is not to enable CRL caching. Disabling CRL caching (unchecking the check box) clears the CRL cache.

CRL Caching: Refresh Time — Specify the refresh time in minutes for the CRL cache. The range is 5 to 1440 minutes; the default value is 60 minutes.

Enter 0 to use the Next Update field, if present, in the cached CRL. If the Next Update field is not present in the CRL, the CRL is not cached.

CRL Caching: Enforce Next Update — The Enforce Next Update feature allows you to control how the VPN Concentrator responds to users authenticating with certificates when the CRL associated with those certificates is outdated.

When a user attempts to authenticate using a digital certificate, the VPN Concentrator looks for the most recent CRL associated with that certificate. The VPN Concentrator checks the Next Update field in its current CRL to determine if a newer CRL might be available. If the Next Update date is current, the VPN Concentrator uses the CRL to authenticate the user. However, if the date has lapsed, the VPN Concentrator contacts the certificate authority to request a newer CRL.

The certificate authority sends another CRL. The new CRL might or might not be more recent. If the Next Update field in the new CRL is current, the VPN Concentrator uses the new CRL to authenticate the user. However, it can happen that the certificate authority returns another CRL with an outdated Next Update field. If the Next Update date in this new CRL has already passed, the VPN Concentrator either uses that CRL or rejects it, depending on how you configure the Enforce Next Update option.

It is also possible that a CRL might not have a Next Update field.

Check the Enforce Next Update check box to require a current CRL. If enabled, the VPN Concentrator rejects CRLs that do not have Next Update fields and CRLs for which the Next Update field has lapsed.

Uncheck the box if you want the VPN Concentrator to be able to use CRLs without a Next Update field or CRLs for which the Next Update field has lapsed.

Apply — Click to configure the CA Certificate parameters for this certificate. The Manager returns to the Administration | Certificate Management screen.

Cancel — Click to discard your settings. The Manager returns to the Administration | Certificate Management screen.
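The CRL Retrieval, CRL Caching and Enforce Next Update settings on the tabs above interact: the retrieval policy decides which distribution points are tried and in what order, the cache decides when a fetch happens at all, and Enforce Next Update decides whether a fetched CRL is trusted. The model below is an added example written for this page, not Cisco's code or the VPN Concentrator's implementation; it follows the behaviour the page describes for the "embedded or else static" top-up to five distribution points, the fallback to the next distribution point on failure, the 64-CRL cache, Refresh Time 0 meaning "use Next Update" (and not caching a CRL that lacks one), and rejection of lapsed or absent Next Update fields when enforcement is on. The clock SIM_NOW, the make_fetcher stand-in for network retrieval, the oldest-entry eviction choice and the three outcome strings are this example's own assumptions.

```python
"""Model of CRL retrieval policy, CRL caching and Enforce Next Update.
Added example for this page; not Cisco code. No network access: the
distribution point fetcher and the CRLs are constructed stand-ins."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, List, Optional

MAX_DISTRIBUTION_POINTS = 5          # page: up to five distribution points per CA
MAX_CACHED_CRLS = 64                 # page: the cache holds up to 64 CRLs
SIM_NOW = datetime(2024, 1, 1, 12, 0)   # constructed clock for the example


def after(minutes: int) -> datetime:
    """Constructed clock helper: SIM_NOW plus the given number of minutes."""
    return SIM_NOW + timedelta(minutes=minutes)


@dataclass
class CRL:
    issuer: str
    revoked_serials: FrozenSet[str]
    next_update: Optional[datetime]      # None when the CRL has no Next Update field
    cached_at: Optional[datetime] = None


def distribution_points(policy: str, embedded: List[str], static: List[str]) -> List[str]:
    """Ordered distribution points to try, per the CRL Retrieval Policy.
    policy is one of "static", "embedded", "embedded_or_static" or "none"."""
    if policy == "static":
        return list(static[:MAX_DISTRIBUTION_POINTS])
    if policy == "embedded":
        return list(embedded[:MAX_DISTRIBUTION_POINTS])
    if policy == "embedded_or_static":
        points = list(embedded[:MAX_DISTRIBUTION_POINTS])
        for point in static:                 # top the list up to five with static points
            if len(points) >= MAX_DISTRIBUTION_POINTS:
                break
            if point not in points:
                points.append(point)
        return points
    return []                                # "No CRL Checking"


def fetch_with_fallback(points: List[str],
                        fetch: Callable[[str], Optional[CRL]]) -> Optional[CRL]:
    """Try each distribution point in order; the first that yields a CRL wins."""
    for point in points:
        crl = fetch(point)
        if crl is not None:
            return crl
    return None


class CRLCache:
    """In-memory CRL cache with the Refresh Time and Enforce Next Update settings."""

    def __init__(self, refresh_minutes: int = 60, enforce_next_update: bool = False):
        self.refresh_minutes = refresh_minutes   # 0 = rely on the CRL's Next Update field
        self.enforce_next_update = enforce_next_update
        self._crls: Dict[str, CRL] = {}

    def get(self, issuer: str) -> Optional[CRL]:
        return self._crls.get(issuer)

    def is_stale(self, crl: CRL, now: datetime) -> bool:
        """Stale when Next Update has lapsed or the refresh time has elapsed."""
        lapsed = crl.next_update is not None and now >= crl.next_update
        if self.refresh_minutes == 0:
            return lapsed
        return lapsed or now >= crl.cached_at + timedelta(minutes=self.refresh_minutes)

    def store(self, crl: CRL, now: datetime) -> bool:
        if self.refresh_minutes == 0 and crl.next_update is None:
            return False      # page: refresh 0 and no Next Update field => not cached
        if crl.issuer not in self._crls and len(self._crls) >= MAX_CACHED_CRLS:
            oldest = min(self._crls.values(), key=lambda c: c.cached_at)
            del self._crls[oldest.issuer]    # evicting the oldest entry is an assumption
        crl.cached_at = now
        self._crls[crl.issuer] = crl
        return True


def check_revocation(cache: CRLCache, issuer: str, serial: str, now: datetime,
                     points: List[str], fetch: Callable[[str], Optional[CRL]]) -> str:
    """Return "valid", "revoked" or "crl-unavailable" (the peer is not authenticated)."""
    crl = cache.get(issuer)
    if crl is None or cache.is_stale(crl, now):
        crl = fetch_with_fallback(points, fetch)
        if crl is None:
            return "crl-unavailable"         # every distribution point failed
        if cache.enforce_next_update and (crl.next_update is None or now >= crl.next_update):
            return "crl-unavailable"         # Enforce Next Update rejects this CRL
        cache.store(crl, now)
    return "revoked" if serial in crl.revoked_serials else "valid"


def make_fetcher(issuer: str, revoked: FrozenSet[str], next_update: Optional[datetime],
                 dead_points: FrozenSet[str] = frozenset()) -> Callable[[str], Optional[CRL]]:
    """Constructed stand-in for retrieval: returns a fresh CRL, or None for a dead point."""
    return lambda point: None if point in dead_points else CRL(issuer, revoked, next_update)
```

A typical run: with Refresh Time 60 and a CRL whose Next Update is six hours away, a second check 30 minutes later is answered from the cache, a check 61 minutes later triggers a new fetch; with Refresh Time 0 and Enforce Next Update on, a CA that hands back a CRL with a lapsed (or missing) Next Update causes the authentication to fail rather than proceed on stale revocation data.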

Delete

The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management screen. The screen shows the same certificate details as on the Administration | Certificate Management | View screen.

Please note:

You must delete certificates from the bottom of the chain up: identity certificates first, then subordinate CA certificates, then root CA certificates last. Otherwise, the Manager displays an error message.

If the certificate is in use by an SA or referenced in an active enrollment request, the Manager displays an error message.

Figure 11-59 Administration | Certificate Management | Delete Screen

Screen Elements

Fields — For a description of the fields in this certificate, see "Certificate Fields" under the Administration | Certificate Management | "View" topic.

Yes — Click to delete this certificate.


Note There is no undo.


The Manager returns to the "Administration | Certificate Management" screen and shows the remaining certificates.

No — Click to retain this certificate. The Manager returns to the Administration | Certificate Management screen, and the certificates are unchanged.

Renewal

Certificate renewal is a shortcut that allows you to generate an enrollment request based on the content of an existing certificate.

When you renew a certificate via SCEP, the new certificate does not automatically overwrite the original certificate. It remains in the Enrollment Request table until you manually activate it.

Use this screen to re-enroll or re-key a certificate. If you re-enroll the certificate, the new certificate uses the same key pair as the expiring certificate. If you re-key the certificate, it uses a new key pair.

Figure 11-60 Administration | Certificate Management | Renewal

Screen Elements

Certificate — This field displays the type of certificate that you are re-enrolling or re-keying.

Renewal Type — Choose the type of request:

Re-enrollment = Use the same key pair as the expiring certificate.

Re-key = Use a new key pair.

Enrollment Method — Choose an enrollment method:

PKCS10 Request (Manual) = Enroll using the manual process.

Certificate Name via SCEP = Enroll automatically using this SCEP CA.

Challenge Password — Your CA might have given you a password as a means of verifying your identity. If you have a password from your CA, enter it here.

If you did not receive a password from your CA, choose a password now. You can use this password in the future to identify yourself to your CA.

Verify Challenge Password — Re-type the challenge password you just entered.

Renew — Click to renew the certificate.

Cancel — Click to discard your settings.

Activate or Re-Submit | Status

This status screen appears after you activate or re-submit an enrollment request.

If you are installing an SSL certificate with a private key, include the encrypted private key.

Figure 11-61 Administration | Certificate Management | Re-Submit | Status Screen

Screen Elements

Status — Displays the status of your enrollment request:

Installed = The CA returned the certificate and it has been added to the certificate store.

Rejected = The CA refused to issue a certificate.

Polling = The CA has pended the approval request, or the CA is unavailable.

Error = There has been an error processing the enrollment request.

Go to Certificate Management — Click if you want to view the certificate request. The Manager displays the Administration | Certificate Management screen. (See Figure 11-1.)

Go to Certificate Enrollment — Click if you want to enroll another certificate. The Manager displays the Administration | Certificate Management | Enroll screen. (See Figure 11-33.)

Go to Certificate Installation — Click if you want to install the certificate you have just enrolled. The Manager displays the Administration | Certificate Management | Install screen. (See Figure 11-41.)

Generate SSL Certificate

This screen lets you configure fields for SSL certificates the VPN Concentrator generates automatically. These SSL certificates are for interfaces and for load balancing.


Note If you are configuring your VPN Concentrator to work with Citrix MetaFrame, change the SSL certificate CN field to a fully-qualified domain name (FQDN) rather than an IP address.


Figure 11-62 Administration | Certificate Management | Generate SSL Certificate Screen

Screen Elements

Fields — For an explanation of each of the fields on this screen, see the descriptions under Enroll | Certificate Type | PKCS10.

Choose the RSA Keysize — Choose the RSA key size according to what your CA supports and the level of security you want. The choices are: 2048 bits, 1024 bits, 768 bits, and 512 bits. The larger the key size, the more secure it is.

Generate — Click to create the SSL Certificate.

Cancel — Click to stop the operation and return to the Administration | Certificate Management screen.

Export SSL Certificate

This screen lets you copy an SSL certificate from this interface to another or from this VPN Concentrator to another for load balancing or VRRP.

Figure 11-63 Administration | Certificate Management | Export SSL Certificate Screen

Screen Elements

Enter Password — Enter a password for encrypting the private key.

Verify Password — Retype the password to verify it.

Cancel — Click to cancel the operation and return to the Administration | Certificate Management screen.

Export — Click to view the certificate. A new browser window appears, displaying the certificate. (See Figure 11-64.)

Figure 11-64 Sample SSL Certificate Export

You can now copy the certificate text, or save it to a file; then, install the certificate on the appropriate interface or VPN Concentrator.

Generate SSH Host Key

This screen allows you to generate a new SSH Host key. To access the VPN Concentrator via SSH, the VPN Concentrator must have a host key. Only one key is required. The VPN Concentrator generates a host key automatically during reboot or upgrade, by taking the public/private key pair from the SSL certificate. If you want a stronger key, or if the original key has been in any way compromised, use this screen to generate a new one.

Figure 11-65 Administration | Certificate Management | Generate SSH Host Key Screen

Screen Elements

Choose the RSA Keysize — Choose the RSA key size according to what your CA supports and the level of security you desire. The choices are: 2048 bits, 1024 bits, 768 bits, and 512 bits. The larger the key size, the more secure it is.

Generate — Click to create a new SSH Host key.

Cancel — Click to cancel the operation and return to the Administration | Certificate Management screen.

View Enrollment Request

This screen allows you to view the details of an enrollment request.

Figure 11-66 Administration | Certificate Management | View Enrollment Request Screen

Enrollment Request Fields

An enrollment request contains some or all of the following fields:

Subject — The person or system that uses the certificate.

Issuer — The CA or other entity from whom the certificate is being requested.

Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.

CN — Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

For the VPN Concentrator self-signed SSL certificate, the default CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. You can customize this field to specify a fully-qualified domain name (FQDN). SSL compares this CN with the address you use to connect to the VPN Concentrator via HTTPS, as part of its validation.

OU — Organizational Unit: the subgroup within the organization (O).

O — Organization: the name of the company, institution, agency, association, or other entity.

L — Locality: the city or town where the organization is located.

SP — State/Province: the state or province where the organization is located.

C — Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Public Key Type — The algorithm and size of the public key that the CA or other issuer used in generating this certificate.

Request Usage — The type of certificate: Identity or SSL.

MD5 Thumbprint — A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.

SHA1 Thumbprint — A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.

Generated — The date the request was initiated.

Enrollment Type — The type of enrollment: initial, re-enroll, or re-key.

Enrollment Method — The method of enrollment: SCEP or manual.

Enrollment Status — The current status of the enrollment: complete, rejected, error, and so on.


Back — Click to display the Administration | Certificate Management screen.

Cancel Enrollment Request

This screen shows you the details of the enrollment request and allows you to cancel it.

You can cancel only a SCEP enrollment request, and only while the request is in polling mode. Once you cancel a request, you can remove it, re-submit it, or view its details.

Figure 11-67 Administration | Certificate Management | Cancel Enrollment Request Screen

Screen Elements

Fields — For a description of the fields in this enrollment request, see "Enrollment Request Fields" under View Enrollment Request.

Yes — Click to cancel this enrollment request. There is no undo.

The Manager returns to the Administration | Certificate Management screen.

No — Click to retain this enrollment request. The Manager returns to the Administration | Certificate Management screen, and the enrollment requests are unchanged.

Delete Enrollment Request

This screen shows you details of the enrollment request and allows you to delete it. Deleting an enrollment request removes it from the Enrollment Request table (on the Administration | Certificate Management page) and destroys all record of it.

Figure 11-68 Administration | Certificate Management | Delete Enrollment Request

Screen Elements

Fields — For a description of the fields in this enrollment request, see "Enrollment Request Fields" under View Enrollment Request.

Yes — Click to delete this enrollment request. There is no undo.

The Manager returns to the Administration | Certificate Management screen and shows the remaining enrollment requests.

No — Click to retain this enrollment request. The Manager returns to the Administration | Certificate Management screen, and the enrollment requests are unchanged.