VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.7
Certificate Management

Table Of Contents

Certificate Management

The Role of Time

Maximum Number of Certificates

Configuring Digital Certificates: SCEP and Manual Methods

Tasks Summary

Managing Certificates with SCEP

Obtaining and Installing CA Certificates Automatically Using SCEP

Changing SCEP Parameters

Enrolling and Installing Identity Certificates Automatically Using SCEP

Enrolling and Installing Certificates Manually

Obtaining and Installing CA Certificates Manually

Creating an Enrollment Request for an Identity Certificate Manually

Requesting an Identity Certificate from a CA Manually

Installing the Identity Certificate on the VPN Concentrator Manually

Obtaining SSL Certificates

Enabling CRL Checking and Caching

Enabling Digital Certificates on the VPN Concentrator

Enabling Digital Certificates for Remote Access Connections

Enabling Digital Certificates for IPSec LAN-to-LAN Connections

Deleting Digital Certificates

Administration | Certificate Management

Screen Elements

Certificate Authorities Table

Identity Certificates Table

SSL Certificates Table

SSH Host Key Table

Enrollment Status Table

Enroll

Screen Elements

Enroll | Certificate Type

Screen Elements

Enroll | Certificate Type | PKCS10

Screen Elements

Enrollment or Renewal | Request Generated

Screen Elements

Enroll | Identity Certificate | SCEP

Screen Elements

Enroll | SSL Certificate | SCEP

Screen Elements

Install

Screen Elements

Install | Certificate Obtained via Enrollment

Screen Elements

Install | Certificate Type

Screen Elements

Install | CA Certificate | SCEP  

Screen Elements

Install | Certificate Type | Cut and Paste Text

Screen Elements

Install | Certificate Type | Upload File from Workstation   

Screen Elements

Configure SCEP

Screen Elements

View CRL Cache

Screen Elements

View

Certificate Fields

Configure CA Certificate

Configuring CRL Checking

Enabling CRL Caching

Configure CA Certificate | Certificate Acceptance Tab   

Screen Elements

Configure CA Certificate | CRL Retrieval Tab

Screen Elements

Configure CA Certificate | CRL Protocol Tab   

Screen Elements

Configure CA Certificate | CRL Caching Tab

Screen Elements

Delete

Screen Elements

Renewal

Screen Elements

Activate or Re-Submit | Status   

Screen Elements

Generate SSL Certificate

Screen Elements

Export SSL Certificate

Screen Elements

Generate SSH Host Key

Screen Elements

View Enrollment Request

Enrollment Request Fields

Cancel Enrollment Request

Screen Elements

Delete Enrollment Request

Screen Elements


Certificate Management


Digital certificates are a form of digital identification used for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address. Certificate Authorities (CAs) issue digital certificates in the context of a Public Key Infrastructure (PKI), which uses public-key/private-key encryption to ensure security. CAs are trusted authorities that "sign" certificates to verify their authenticity, thus guaranteeing the identity of the device or user.

A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called a root certificate; one issued by another CA certificate is called a subordinate certificate. CAs also issue identity certificates, which are the certificates for specific systems or hosts.

For authentication using digital certificates, there must be at least one identity certificate (and its root certificate) on a given VPN Concentrator; there may be more. The maximum number of CA and identity certificates allowed depends on the VPN Concentrator model. Model 3005 allows a maximum of 6 root or subordinate CA certificates (including supporting RA certificates) and 2 identity certificates. The other VPN Concentrator models allow a maximum of 20 root or subordinate CA certificates (including supporting RA certificates) and 20 identity certificates.

The VPN Concentrator supports X.509 digital certificates (International Telecommunications Union Recommendation X.509), including SSL (Secure Sockets Layer) certificates that are self-signed or issued in a PKI context.

The VPN Concentrator stores digital certificates and private keys in Flash memory. You do not need to click Save Needed to store them, and they are not visible under Administration | File Management. All stored private keys are encrypted.

After you install an identity certificate on the VPN Concentrator, it is available in the Digital Certificate list for configuring IPSec LAN-to-LAN connections and IPSec SAs. See Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN and Configuration | Policy Management | Traffic Management | Security Associations.

You can also configure the VPN Concentrator to store certificate revocation list (CRL) information in volatile memory (RAM). CRL caching can potentially speed up the process of verifying the revocation status of certificates. With CRL caching enabled, when the VPN Concentrator needs to check the revocation status of a certificate, it first checks whether the required CRL exists in the cache and has not expired. Then the VPN Concentrator checks the serial number of the certificate against the list of revoked serial numbers in the CRL. If a match exists, the authentication fails. For detailed information about CRL caching, see the section "Enabling CRL Checking and Caching".

The VPN Concentrator can have one SSL certificate installed per interface: private, public, and external. The interface SSL certificates, if non-existent, are automatically generated when the VPN 3000 Concentrator reboots after you upgrade the VPN 3000 Concentrator software. If you generate a self-signed SSL certificate, it replaces any installed PKI-context SSL certificate; and vice-versa.

For information on using SSL certificates, see the information on obtaining SSL certificates in this chapter. See also Chapter 1, "Using the VPN Concentrator Manager" of the VPN 3000 Series Concentrator Reference Volume I: Configuration, and also Chapter 15, "Tunneling and Security."

The Role of Time

Digital certificates are time-sensitive in the following ways:

Digital certificates indicate the time frame during which they are valid. Therefore, it is essential that the time on the VPN 3000 Concentrator is correct and synchronized with network time.

You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.

Maximum Number of Certificates

For authentication with digital certificates, a VPN Concentrator must have at least one CA certificate and one identity certificate, but it can have more. The model 3005 can have six root or subordinate CA certificates and two identity certificates. The other VPN Concentrator models can have 20 root or subordinate CA certificates and 20 identity certificates.

Configuring Digital Certificates: SCEP and Manual Methods

To use digital certificates for authentication, you first enroll with a Certificate Authority (CA), and obtain and install a CA certificate on the VPN Concentrator. Then you enroll and install an identity certificate from the same CA.

You can enroll and install digital certificates on the VPN Concentrator in either of two ways:

Using Cisco's Simple Certificate Enrollment Protocol (SCEP).

SCEP is a secure messaging protocol that requires minimal user intervention. SCEP is the quicker method, and it lets you enroll and install certificates using only the VPN Concentrator Manager. To use SCEP, you must enroll with a CA that supports SCEP, and you must enroll via the Internet.

Manually, exchanging information with the CA directly.

The manual method involves more steps. You can do some of the steps using the Manager. Other steps require that you exchange information with the CA directly. You deliver your enrollment request and receive the certificate from the CA via the Internet, email, or storage media such as a CD or a floppy disk.


Note If you install a CA certificate using the manual method, you must also use the manual method to request identity or SSL certificates from that CA. Conversely, to request identity and SSL certificates using SCEP, you must first use SCEP to obtain the CA certificate.


Tasks Summary

Whether you use SCEP or the manual method, you perform the following tasks to obtain and install certificates:

1. Obtain and install one or more CA certificate(s).

2. Create an enrollment request for one or more identity certificates.

3. Request an identity certificate from the same CA that issued the CA certificate(s).

4. Install the identity certificate on the VPN Concentrator.

5. Enable CRL checking and caching.

6. Enable certificates.

About the Documentation

The PDF version of this guide provides step-by-step examples of configuring digital certificates using SCEP and manually, and with both LAN-to-LAN and remote access connections, beginning with the next section, "Managing Certificates with SCEP."

The online Help and the PDF version both provide detailed information on the parameters for each of the Manager screens that you use to configure digital certificates.

Managing Certificates with SCEP

The following sections provide step-by-step instructions for using SCEP to enroll and install digital certificates.

Obtaining and Installing CA Certificates Automatically Using SCEP

To use SCEP to enroll for identity or SSL certificates, you must also use SCEP to obtain the associated CA certificate. The Manager does not let you enroll for a certificate from a CA unless that CA certificate was installed using SCEP. A CA certificate that was obtained via SCEP, and that can therefore be used to enroll for further certificates via SCEP, is called SCEP-enabled.


Tip To obtain CA certificates using SCEP, you need to know the URL of your CA. Find out your CA's SCEP URL before beginning the following steps.



Step 1 Using the VPN Concentrator Manager, display the Administration | Certificate Management screen. (See Figure 11-1.)

Figure 11-1 Administration | Certificate Management Screen

Step 2 Click Click here to install a CA certificate.


Note The Click here to install a CA certificate option is available from this window only when no CA certificates are installed on the VPN Concentrator. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA Certificate.


The Manager displays the Administration | Certificate Management | Install | CA Certificate screen. (See Figure 11-2.)

Figure 11-2 Administration | Certificate Management | Install | CA Certificate

Step 3 Click SCEP (Simple Certificate Enrollment Protocol). The Manager displays the Administration | Certificate Management | Install | CA Certificate | SCEP screen. (See Figure 11-3.)

Figure 11-3 The Administration | Certificate Management | Install | CA Certificate | SCEP Screen

Step 4 Fill in the fields and click Retrieve.

URL: Enter the URL of the CA's SCEP interface.

CA Descriptor: Some CAs use descriptors to further identify the certificate. If your CA gave you a descriptor, enter it here. Otherwise enter a descriptor of your own. You must enter something in this field.

Retrieve / Cancel:

To retrieve a CA certificate from the CA and install it on the VPN Concentrator, click Retrieve.

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 11-1.)

The Manager installs the CA certificate on the VPN Concentrator and displays the Administration | Certificate Management screen. Your new CA certificate appears in the Certificate Authorities table.


Changing SCEP Parameters

To change SCEP parameters for a certificate, follow these steps:


Step 1 In the Administration | Certificate Management screen, click the SCEP link associated with the certificate (under Actions in the Certificate Authorities table). The Administration | Certificate Management | Configure CA Certificate | SCEP screen displays.

Step 2 Edit one or more parameters.

Enrollment URL: Enter the URL where the VPN Concentrator should send SCEP enrollment requests made to this CA. The default value of this field is the URL used to download this CA certificate.

Polling Interval: If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request enters polling mode. In polling mode, the VPN Concentrator re-sends the certificate request to the CA for a specified period until the CA responds or the process times out.

Enter the number of minutes the VPN Concentrator should wait between re-sends. The minimum number of minutes is 1; the maximum number of minutes is 60. The default value is 1.

Polling Limit: Enter the number of times the VPN Concentrator should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum number is 100. If you do not want any polling limit (in other words, you want unlimited re-sends), enter none.

Step 3 Click Apply.



Note If you have trouble enrolling or installing digital certificates via SCEP, enable both the CLIENT and CERT event classes to assist in troubleshooting.
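The Polling Interval and Polling Limit semantics described above, as an added example that is not part of the Cisco documentation or the VPN Concentrator's own code: a small Python model of SCEP polling mode. The simulated CA, the computed (rather than slept) elapsed time, and the function names are assumptions made here for illustration.

```python
# Added example (not Cisco's code): a model of SCEP polling mode using the
# Polling Interval (1-60 minutes) and Polling Limit (0-100 re-sends, or "none")
# semantics from the Configure SCEP screen. The simulated CA and the computed
# (not slept) elapsed time are assumptions made here for illustration.

def scep_parameters_valid(polling_interval, polling_limit):
    """True if the parameters fall within the ranges the screen accepts."""
    if not isinstance(polling_interval, int) or not 1 <= polling_interval <= 60:
        return False
    if isinstance(polling_limit, str):
        return polling_limit.lower() == "none"      # "none" means unlimited re-sends
    return isinstance(polling_limit, int) and 0 <= polling_limit <= 100


def enroll_with_polling(ca_respond, polling_interval, polling_limit):
    """Send the enrollment request, then re-send it every polling_interval minutes
    while the CA answers PENDING, up to polling_limit re-sends ("none" = unlimited).

    Returns (status, resends, elapsed_minutes). With "none" and a CA that never
    answers, this loops forever, which is exactly the behaviour "none" selects.
    """
    if not scep_parameters_valid(polling_interval, polling_limit):
        raise ValueError("polling interval must be 1-60 and polling limit 0-100 or 'none'")
    unlimited = isinstance(polling_limit, str)
    resends = 0
    while True:
        status = ca_respond()
        if status != "PENDING":
            return status, resends, resends * polling_interval
        if not unlimited and resends >= polling_limit:
            return "TIMEOUT", resends, resends * polling_interval
        resends += 1


def make_simulated_ca(pending_responses):
    """Return a CA stub that answers PENDING pending_responses times, then SUCCESS
    (a CA whose operator verifies credentials by hand before issuing)."""
    state = {"pending_left": pending_responses}

    def respond():
        if state["pending_left"] > 0:
            state["pending_left"] -= 1
            return "PENDING"
        return "SUCCESS"
    return respond


def worst_case_wait_minutes(polling_interval, polling_limit):
    """Longest time a request can sit in polling mode before timing out
    (None when the limit is "none", since there is then no timeout)."""
    if isinstance(polling_limit, str):
        return None
    return polling_interval * polling_limit


if __name__ == "__main__":
    # A CA that needs three polls: with interval 5 and limit 10 the request succeeds after 15 minutes.
    print(enroll_with_polling(make_simulated_ca(3), 5, 10))   # ('SUCCESS', 3, 15)
    # The same CA with limit 2: the request times out after two re-sends (10 minutes).
    print(enroll_with_polling(make_simulated_ca(3), 5, 2))    # ('TIMEOUT', 2, 10)
    print(worst_case_wait_minutes(1, 100))                     # 100
```

The worst-case figure is what matters when sizing the limit: with the defaults of 1 minute and a limit of 100, a request that the CA never approves is abandoned after 100 minutes, whereas a limit of 0 gives the CA a single chance to answer.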


Enrolling and Installing Identity Certificates Automatically Using SCEP

Follow these steps for each identity certificate you want to obtain:


Step 1 Display the Administration | Certificate Management screen. (See Figure 11-1.)

Step 2 Click Click here to enroll with a Certificate Authority. The Manager displays the Administration | Certificate Management | Enroll screen. (See Figure 11-4.)

Figure 11-4 Administration | Certificate Management | Enroll Screen

Step 3 Click Identity Certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen. (See Figure 11-5.)

Figure 11-5 Administration | Certificate Management | Enroll | Identity Certificate Screen

Notice that a link appears corresponding to each SCEP-enabled CA certificate on the VPN Concentrator. The title of the link depends on the name of the CA certificate: Enroll via SCEP at Certificate Name. For example, if you have a CA certificate on your VPN Concentrator named "TestCA6-8," the following link appears: Enroll via SCEP at TestCA6-8.

If you do not see any Enroll via SCEP options, there are no SCEP-enabled CA certificates on the VPN Concentrator. Follow the steps in the "Obtaining and Installing CA Certificates Automatically Using SCEP" section to obtain a CA certificate via SCEP before you proceed.

Step 4 Click Enroll via SCEP at Certificate Name. The Administration | Certificate Management | Enroll | Identity Certificate | SCEP screen displays. (See Figure 11-6.)

Figure 11-6 Administration | Certificate Management | Enroll | Identity Certificate | SCEP Screen

Step 5 Fill in the fields and click Enroll. (For information on the fields on this screen, see Enroll | Certificate Type | PKCS10.) The VPN Concentrator sends the certificate request to the CA.

If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request could enter polling mode. In polling mode, the VPN Concentrator re-sends the certificate request to the CA a specified number of times at regular intervals until the CA responds or the process times out. (For information on configuring the polling limit and interval, see the Administration | Certificate Management | Configure CA Certificate | SCEP screen.) The certificate request appears in the Enrollment Status table on the Administration | Certificate Management screen until the CA responds. Once the CA responds and issues the certificate, the VPN Concentrator installs it automatically.

If the CA responds immediately, the Manager installs the identity certificate on the VPN Concentrator and displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 11-7.)

Figure 11-7 Administration | Certificate Management | Enrollment | Request Generated Screen

Click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen. Your new identity certificate appears in the Identity Certificates table.

Enrolling and Installing Certificates Manually

The following sections provide step-by-step instructions for enrolling and installing digital certificates manually.

Obtaining and Installing CA Certificates Manually

Certificate authorities are trusted entities that "sign" certificates to verify their authenticity. A CA certificate is one used to sign other certificates. You obtain CA certificates according to the procedures of individual CAs.


Step 1 You can obtain a CA certificate via email, storage media such as a CD or a floppy disk, or over the Internet. Retrieve a CA certificate according to the policies and procedures of your CA, and download it to your management work station.

Step 2 To install the CA certificate, begin at the VPN Concentrator Manager Administration | Certificate Management screen. When you begin, there are no entries in the Certificate Authorities, Identity Certificates, SSL Certificates, or Enrollment Status fields.

Figure 11-8 Administration | Certificate Management Screen

Step 3 Click Click here to install a CA certificate. The Administration | Certificate Management | Install screen displays.


Note The Click here to install a CA certificate option is available from this screen only when no CA certificates are installed on the VPN Concentrator. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA certificate.


Figure 11-9 Administration | Certificate Management | Install Screen

Step 4 Click Install CA Certificate. The Administration | Certificate Management | Install | CA Certificate screen displays.

Figure 11-10 Administration | Certificate Management | Install | CA Certificate Screen

Step 5 Click Upload File from Workstation or Cut and Paste Text, depending on how you have retrieved the CA certificate. The Manager displays a screen appropriate to your choice.

Step 6 Include certificate information according to your chosen method.

Step 7 Click Install. The Manager installs the CA certificate on the VPN Concentrator. You return to the Administration | Certificate Management screen, which now displays the newly installed CA certificate.

Figure 11-11 Administration | Certificate Management Screen with CA Certificates Installed


Creating an Enrollment Request for an Identity Certificate Manually

An enrollment request for an identity certificate consists of a base64-encoded PKCS#10 file that the VPN Concentrator generates based on information you provide in the steps that follow.


Note You must get the identity certificate for a LAN-to-LAN connection from the same CA that issued its CA certificate.



Step 1 In the Administration | Certificate Management screen (Figure 11-1), click Click here to enroll with a Certificate Authority. The Administration | Certificate Management | Enroll screen displays.

Figure 11-12 Administration | Certificate Management | Enroll Screen

Step 2 Click Identity certificate. The Administration | Certificate Management | Enroll | Identity Certificate screen displays.

Figure 11-13 Administration | Certificate Management | Enroll | Identity Certificate Screen

Step 3 Click Enroll via PKCS10 Request (Manual). The Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 Screen displays.

Figure 11-14 Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 Screen

Step 4 Enter values in each of the fields on this screen. Enroll | Certificate Type | PKCS10 defines these fields.

Step 5 When you have finished, click Enroll.

The Administration | Certificate Management | Enroll | Request Generated screen displays (Figure 11-15).

Figure 11-15 Administration | Certificate Management | Enroll | Request Generated Screen

The Manager displays this screen when the system has successfully generated a certificate request.


Note You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.


As the screen text indicates, within a few seconds, a browser window opens with the certificate request.

Figure 11-16 Example of a Certificate Request

You have generated a base64-encoded PKCS#10 file (Public Key Certificate Syntax-10), which most CAs recognize or require. The system automatically saves this file in Flash memory with the filename shown in the browser (pkcsNNNN.txt).

In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN Concentrator in encrypted form.

Step 6 Save the enrollment request in one of the following ways:

Save the request to a file (to transmit the file to the CA via email or storage media such as a CD or a floppy disk).

Select and copy the request to the clipboard, and then paste the request into an email to the CA.

Copy and paste the request into the CA's management interface via the Internet.

Some CAs let you paste the request in a web interface, some ask you to send a file; use the method your CA requires.

Step 7 Close this browser window when you have finished.
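What the pkcsNNNN.txt request contains, as an added example that is not part of the Cisco documentation or the VPN Concentrator's own code: the Python `cryptography` package is used here to build a base64-encoded PKCS#10 request with subject fields of the kind the Enroll | Identity Certificate | PKCS10 screen asks for, and then to inspect it the way a CA operator would before issuing. The subject values, the 2048-bit RSA key, the SHA-256 signature hash and the function names are assumptions made here, not the Concentrator's own defaults.

```python
# Added example (not Cisco's code): generate the kind of base64-encoded PKCS#10
# request the VPN Concentrator produces at Enroll | Identity Certificate | PKCS10,
# then inspect it the way a CA operator would before issuing. Uses the Python
# `cryptography` package. The subject values, the 2048-bit RSA key and SHA-256
# are assumptions for illustration, not the Concentrator's own defaults.
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_enrollment_request(common_name, org_unit, org, locality, state, country,
                             san_dns=None, key_size=2048):
    """Generate a private key and a signed PKCS#10 request.

    Returns (pem_request, private_key). Only the PEM text goes to the CA; the
    key stays with the caller, just as it stays in the Concentrator's Flash.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, org_unit),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.LOCALITY_NAME, locality),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state),
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
    ])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    if san_dns:
        # Subject Alternative Name carries the hostname peers will look for.
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(san_dns)]), critical=False)
    csr = builder.sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM).decode("ascii"), key


def inspect_request(pem_text):
    """Parse a PEM PKCS#10 request and report what should be checked before issuing."""
    csr = x509.load_pem_x509_csr(pem_text.encode("ascii"))

    def attr(oid):
        values = csr.subject.get_attributes_for_oid(oid)
        return values[0].value if values else None

    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns_names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []
    return {
        "signature_valid": csr.is_signature_valid,   # proof the requester holds the private key
        "common_name": attr(NameOID.COMMON_NAME),
        "organization": attr(NameOID.ORGANIZATION_NAME),
        "country": attr(NameOID.COUNTRY_NAME),
        "dns_names": dns_names,
        "key_bits": csr.public_key().key_size,
    }


if __name__ == "__main__":
    pem, _key = build_enrollment_request(
        "vpn3000.example.com", "Network Engineering", "Example Corp",
        "San Jose", "California", "US", san_dns="vpn3000.example.com")
    print(pem)                    # the text the browser window shows (pkcsNNNN.txt contents)
    print(inspect_request(pem))
```

The self-signature check in `inspect_request` is the point of a PKCS#10 request: it proves the requester holds the private key that matches the public key being certified, which is why the key itself never has to leave the device.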


Requesting an Identity Certificate from a CA Manually

Next you submit the identity request to a CA. This must be the same CA that issued the CA certificate for this LAN-to-LAN connection. Submit the request and retrieve an identity certificate according to the procedures of your CA.

Installing the Identity Certificate on the VPN Concentrator Manually

The following steps provide instructions on installing an Identity certificate on the VPN Concentrator.


Step 1 From the Administration | Certificate Management screen, click Click here to install a certificate to navigate to the Administration | Certificate Management | Install screen.

Figure 11-17 Administration | Certificate Management | Install Screen

Step 2 Click Install certificate obtained via enrollment. The Administration | Certificate Management | Install certificate obtained via enrollment screen displays.

Figure 11-18 Administration | Certificate Management | Install certificate obtained via enrollment Screen

Step 3 In the Actions column of the Enrollment Status table, click Install. The Administration | Certificate Management | Install Identity Certificate screen displays.

Figure 11-19 Administration | Certificate Management | Install Identity Certificate Screen

Step 4 Choose either installation method: Cut & Paste Text or Upload File from Workstation.

Step 5 The Manager displays a screen appropriate to your choice. Include the certificate information according to your chosen method. Click Install. The Manager installs the identity certificate on the VPN Concentrator and displays the Administration | Certificate Management screen. Your new identity Certificate appears in the Identity Certificates table.

Step 6 Confirm that the Issuer fields for Certificate Authorities and Identity Certificates match for this LAN-to-LAN connection. You must get the Identity certificate and the CA certificate from the same CA.


Obtaining SSL Certificates

If you use a secure connection between your browser and the VPN Concentrator, the VPN Concentrator requires an SSL certificate. You also need an SSL certificate on the interface that you use to manage the VPN Concentrator and for WebVPN, and for each interface that terminates WebVPN tunnels.

The interface SSL certificates, if non-existent, are automatically generated when the VPN 3000 reboots after you upgrade the VPN 3000 Concentrator software. Because a self-signed certificate is self-generated, this certificate is not verifiable. No CA has guaranteed its identity. But this certificate lets you make initial contact with the VPN Concentrator using the browser. If you want to replace it with another self-signed SSL certificate, follow these steps:


Step 1 Display the Administration | Certificate Management screen. (See Figure 11-1.)

Step 2 Click Generate above the SSL Certificate table. The new certificate displays in the SSL Certificate table, replacing the existing one.


If you want to obtain a verifiable SSL certificate (that is, one issued by a CA), follow the same procedure you use to obtain identity certificates. (See the "Enrolling and Installing Identity Certificates Automatically Using SCEP" section or the "Creating an Enrollment Request for an Identity Certificate Manually" section.) But this time, on the Administration | Certificate Management | Enroll screen, click SSL certificate (instead of Identity certificate).

Some web servers export their SSL certificates with the private key attached. If you have a PEM-encoded certificate with a corresponding private key that you want to install, follow the same procedure you used to obtain identity certificates. (See the "Enrolling and Installing Identity Certificates Automatically Using SCEP" section.) But this time, on the Administration | Certificate Management | Installation screen, click Install SSL certificate with private key (instead of Install certificate obtained via enrollment).

Enabling CRL Checking and Caching

When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a particular certificate before this time period expires. Certificates can be revoked for many reasons, such as security concerns or a change of name or association. CAs periodically issue a signed list of certificates that have been revoked and are no longer valid. This list is called a certificate revocation list (CRL). To ensure that received peer certificates are valid, configure the VPN Concentrator to check them against the CRL. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the latest CRL to ensure that the certificate being verified has not been revoked.

The VPN Concentrator supports LDAP and HTTP CRLs.

Since the system has to obtain and examine the CRL from a network distribution point, enabling CRL checking might slow system response times. Also, if the network is slow or congested, CRL checking might fail.

To avoid having to retrieve the same CRL from a CA again and again, the VPN Concentrator can store retrieved CRLs locally. Storing CRLs locally is called CRL caching. All VPN 3000 Concentrator platforms have a caching limit of 64 CRLs. The CRL cache size varies across platforms:

VPN Concentrator        CRL Cache Size
VPN 3005                128 KB
VPN 3015, 3020, 3030    256 KB
VPN 3060, 3080          1 MB


Follow these steps to enable CRL checking and caching on the VPN Concentrator:


Step 1 On the Administration | Certificate Management screen, in the Certificate Authorities table, click Configure next to the CA certificate for which you want to enable CRL checking. The Manager displays the Administration | Certificate Management | Configure CA Certificate screen. For information on these tabs and fields, see the "Configure CA Certificate" section or online Help.

Step 2 Click the CRL Retrieval tab.

Figure 11-20 Administration | Certificate Management | Configure CA Certificate Screen, CRL Retrieval Tab

Step 3 CRL checking is disabled by default. Choose the method to use to retrieve the CRL.

Step 4 Click the CRL Protocol tab.

Figure 11-21 Administration | Certificate Management | Configure CA Certificate, CRL Protocol Tab

Step 5 Choose the distribution point protocol to use to retrieve the CRL: HTTP and/or LDAP. (If both protocols are enabled and a single certificate contains both protocols, the VPN Concentrator uses the first protocol listed in the certificate.)

a. If you enabled the HTTP distribution point protocol, assign these two HTTP rules to the filter for the interface that connects to the server: Outgoing HTTP In (forward/in); Outgoing HTTP Out (forward/out).

b. If you enabled the LDAP distribution point protocol:

Assign these two LDAP rules to the filter for the interface that connects to the server: CRL over LDAP (out); CRL over LDAP (in).

[Embedded distribution points only] Enter the hostname or IP address of the server in the Server field.

[Embedded distribution points only] Enter the server's port number in the Port field.

If your server requires these fields, enter the Login DN and Password. Verify the password.

c. Enter the static URL(s) to use to retrieve the CRL from the server.

Step 6 To enable CRL caching, click the CRL Caching tab.

Figure 11-22 Administration | Certificate Management | Configure CA Certificate, CRL Caching Tab

Step 7 Check the Enabled check box.

Step 8 In the Refresh Time field, specify a time period for updating the CRL.

Step 9 Check Enforce Next Update if you want to require valid CRLs to have a Next Update value that has not yet lapsed in time.

Step 10 Click Apply. The Manager displays the Administration | Certificate Management screen.
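The revocation check described in the chapter introduction (cache lookup first, then the serial-number comparison) together with the validity-period check from "The Role of Time" and the Enabled, Refresh Time and Enforce Next Update settings configured in Steps 6 through 9, as an added example that is not part of the Cisco documentation or the VPN Concentrator's own code. The data structures, the reading of Refresh Time as "retrieve again once a cached CRL is older than this", the least-recently-used eviction at the 64-CRL limit, and the sample CA and CRL are assumptions made here for illustration.

```python
# Added example (not Cisco's code): a model of the CRL check the chapter
# describes: validity window first, then a cached (or freshly retrieved) CRL,
# honouring Refresh Time, Enforce Next Update and the 64-CRL cache limit.
# Data structures, timing rules and sample data are assumptions made here.
from collections import OrderedDict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Tuple

MAX_CACHED_CRLS = 64  # cache limit stated in the chapter for all VPN 3000 platforms


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


@dataclass(frozen=True)
class PeerCert:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class CrlCache:
    fetch: Callable[[str], Crl]       # stands in for HTTP/LDAP retrieval from the distribution point
    refresh_time: timedelta           # "Refresh Time" on the CRL Caching tab
    enforce_next_update: bool = True  # "Enforce Next Update" check box
    caching_enabled: bool = True      # "Enabled" check box on the CRL Caching tab
    fetches: int = 0                  # distribution-point retrievals performed
    _entries: "OrderedDict[str, Tuple[Crl, datetime]]" = field(default_factory=OrderedDict)

    def _cached(self, issuer: str, now: datetime):
        """Return the cached CRL for issuer if it is still usable, else None."""
        if not self.caching_enabled or issuer not in self._entries:
            return None
        crl, fetched_at = self._entries[issuer]
        past_refresh = now - fetched_at >= self.refresh_time
        lapsed = self.enforce_next_update and now >= crl.next_update
        if past_refresh or lapsed:
            del self._entries[issuer]      # stale entry: drop it and retrieve again
            return None
        self._entries.move_to_end(issuer)  # mark as most recently used
        return crl

    def get_crl(self, issuer: str, now: datetime) -> Crl:
        crl = self._cached(issuer, now)
        if crl is not None:
            return crl
        crl = self.fetch(issuer)
        self.fetches += 1
        if self.enforce_next_update and now >= crl.next_update:
            raise ValueError(f"CRL from {issuer} has lapsed (Next Update {crl.next_update:%Y-%m-%d %H:%M})")
        if self.caching_enabled:
            if len(self._entries) >= MAX_CACHED_CRLS:
                self._entries.popitem(last=False)   # evict the least recently used CRL
            self._entries[issuer] = (crl, now)
        return crl

    def check(self, cert: PeerCert, now: datetime) -> Tuple[bool, str]:
        """Decide whether a peer certificate is acceptable at time `now`."""
        if not (cert.not_before <= now <= cert.not_after):
            return False, "outside validity period"
        crl = self.get_crl(cert.issuer, now)
        if cert.serial in crl.revoked_serials:
            return False, "revoked"
        return True, "ok"


# Constructed sample data (not from the page): one CA and its weekly CRL.
SAMPLE_ISSUER = "CN=Example Root CA,O=Example Corp"
SAMPLE_CRL = Crl(SAMPLE_ISSUER, datetime(2005, 6, 1), datetime(2005, 6, 8), frozenset({0x1001, 0x1003}))


def fetch_sample_crl(issuer: str) -> Crl:
    """Stand-in for HTTP/LDAP retrieval; only the sample issuer has a distribution point."""
    if issuer != SAMPLE_ISSUER:
        raise LookupError(f"no distribution point configured for {issuer}")
    return SAMPLE_CRL


def demo_scenario() -> dict:
    """Exercise the cache on the constructed data and return the observations."""
    now = datetime(2005, 6, 1, 12, 0)
    valid = lambda serial: PeerCert(SAMPLE_ISSUER, serial, datetime(2005, 1, 1), datetime(2006, 1, 1))
    cache = CrlCache(fetch=fetch_sample_crl, refresh_time=timedelta(hours=1))
    out = {"good": cache.check(valid(0x1002), now), "revoked": cache.check(valid(0x1001), now)}
    out["fetches_after_two_checks"] = cache.fetches            # second check hit the cache
    cache.check(valid(0x1002), now + timedelta(hours=2))        # past Refresh Time: retrieved again
    out["fetches_after_refresh"] = cache.fetches
    out["expired_cert"] = cache.check(PeerCert(SAMPLE_ISSUER, 0x1002, datetime(2004, 1, 1), datetime(2005, 1, 1)), now)
    after_next_update = datetime(2005, 6, 9)
    try:
        cache.check(valid(0x1002), after_next_update)
        out["lapsed_crl_enforced"] = "accepted"
    except ValueError:
        out["lapsed_crl_enforced"] = "rejected"
    lax = CrlCache(fetch=fetch_sample_crl, refresh_time=timedelta(hours=1), enforce_next_update=False)
    out["lapsed_crl_not_enforced"] = lax.check(valid(0x1002), after_next_update)
    many = CrlCache(fetch=lambda i: Crl(i, now, now + timedelta(days=7), frozenset()), refresh_time=timedelta(hours=1))
    for i in range(65):                                         # one more CA than the cache holds
        many.get_crl(f"CN=CA {i}", now)
    out["cached_after_65_issuers"] = len(many._entries)
    return out


if __name__ == "__main__":
    for name, value in demo_scenario().items():
        print(f"{name}: {value}")
```

Two behaviours in the scenario are worth noting when choosing the settings: with Enforce Next Update on, a distribution point that serves a CRL past its Next Update causes authentication to fail outright rather than silently continuing with stale revocation data, and a Refresh Time shorter than the CA's CRL issuance period only adds retrievals without learning anything new.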


Enabling Digital Certificates on the VPN Concentrator


Note Before you enable digital certificates on the VPN Concentrator, you must obtain at least one root and one identity certificate. If you do not have a root and an identity certificate installed on your VPN Concentrator, follow the steps in the previous sections before beginning this section.


For the VPN Concentrator to use the digital certificates you obtained, you must enable authentication using digital certificates. Table 11-1 outlines this procedure.

Table 11-1 Enabling Digital Certificates on the VPN Concentrator

For Remote Access Sessions:

1. Edit and activate an IKE proposal.

2. Configure an SA to use that IKE proposal and a particular identity certificate.

3. Configure the group to use that SA.

For IPSec LAN-to-LAN Connections:

1. Edit and activate an IKE proposal.

2. Configure the LAN-to-LAN connection to use that IKE proposal.

3. Configure the LAN-to-LAN connection to use a particular identity certificate.


Enabling Digital Certificates for Remote Access Connections

To enable digital certificates for remote access connections, you must first edit and activate the appropriate IKE proposal:


Step 1 Display the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. (See Figure 11-23.)

Step 2 Select an IKE proposal (or create a new one) for which you want to enable digital certificates.

Figure 11-23 Configuration | System | Tunneling Protocols | IPSec | IKE Proposals Screen

Step 3 Click Modify (or Add). The Manager displays the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Modify (or Add) screen. (See Figure 11-24.)

Figure 11-24 Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Modify Screen

Step 4 Click the Authentication Mode drop-down menu. Choose any of the Digital Certificates options.

Step 5 Click Apply (or Add). The Manager returns to the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. (See Figure 11-23.)

Step 6 Verify that the IKE proposal you just edited is in the Active Proposals column. If it is not, select the proposal and click << Activate.


Next, follow these steps to configure the SA:


Step 1 Display the Configuration | Policy Management | Traffic Management | Security Associations screen. (See Figure 11-25.)

Figure 11-25 Configuration | Policy Management | Traffic Management | Security Associations Screen

Step 2 Do one of the following:

To edit an existing SA, select an SA on the IPSec SA list and click Modify.

To create a new SA, click Add.

The Manager displays the Configuration | Policy Management | Traffic Management | Security Associations | Modify (or Add) screen. (See Figure 11-26.)

Figure 11-26 Configuration | Policy Management | Traffic Management | Security Associations | Modify (or Add) Screen

Step 3 Under IKE Parameters, choose the digital certificate you want to use from the Digital Certificate drop-down menu.

Step 4 Select a Certificate Transmission option. If you want the VPN Concentrator to send the peer the identity certificate and all issuing certificates (including the root certificate and any subordinate CA certificates), click Entire certificate chain. If you want to send the peer only the identity certificate, click Identity certificate only.

Step 5 Choose the name of the IKE proposal you just configured from the IKE Proposal drop-down menu.

Step 6 Click Apply (or Add). The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen.


Finally, follow these steps to configure the group to use the SA:


Step 1 Display the Configuration | User Management | Groups screen. (See Figure 11-27.)

Figure 11-27 Configuration | User Management | Groups Screen

Step 2 Do one of the following:

To edit an existing group, select a group on the Current Groups list and click Modify Group.

To create a new group, click Add Group.

The Manager displays the Configuration | User Management | Groups | Modify (or Add) screen.

Step 3 Click the IPSec tab. (See Figure 11-28.)

Figure 11-28 Configuration | User Management | Groups | Modify (or Add) Screen, IPSec Tab

Step 4 Choose the name of the SA you just configured from the IPSec SA drop-down menu.

Step 5 Click Apply (or Add). The Manager displays the Configuration | User Management | Groups screen.

Step 6 Click the Save Needed icon to save your changes.


Enabling Digital Certificates for IPSec LAN-to-LAN Connections

To enable digital certificates for IPSec LAN-to-LAN connections, first edit and activate the appropriate IKE proposal. (Follow steps 1-6 in the "Enabling Digital Certificates for Remote Access Connections" section.) Then continue, following these steps:


Step 1 Display the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen. (See Figure 11-29.)

Figure 11-29 Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN Screen

Step 2 Select the LAN-to-LAN connection (or create a new one) for which you want to enable digital certificates.

Step 3 Click Modify (or Add). The Manager displays the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify (or Add) screen. (See Figure 11-30.)

Figure 11-30 Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify Screen

Step 4 Click the Digital Certificate drop-down menu and choose a digital certificate to use for this LAN-to-LAN connection.

Step 5 Select a Certificate Transmission option. If you want the VPN Concentrator to send the peer the identity certificate and all issuing certificates (including the root certificate and any subordinate CA certificates), click Entire certificate chain. If you want to send the peer only the identity certificate, click Identity certificate only.

Step 6 Click the IKE Proposal drop-down menu and choose an active IKE proposal that is configured for digital certificate authentication.

Step 7 Click Modify (or Add). The Manager returns to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen. (See Figure 11-29.)

Step 8 Click the Save Needed icon to save your changes.
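The Certificate Transmission option (Step 4 of the SA procedure above and Step 5 of the LAN-to-LAN procedure) decides whether the peer receives the issuing CA certificates along with the identity certificate. The following Python script is an added illustration, not part of the VPN Concentrator software or of this guide: it models the peer's side of that choice by building a path from the received identity certificate to a CA certificate the peer already trusts, using only the certificates presented in IKE plus the peer's own installed CA certificates. The PKI names are constructed sample data, and certificates are matched by subject name only; a real implementation also verifies signatures, validity periods, basic constraints and revocation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal certificate record: names only, no keys or signatures (sample model)."""
    subject: str
    issuer: str
    is_ca: bool = False

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample PKI: root CA -> subordinate CA -> the concentrator's identity certificate.
ROOT = Cert("Root CA at Example", "Root CA at Example", is_ca=True)
SUB = Cert("Sub CA at Example", "Root CA at Example", is_ca=True)
IDENTITY = Cert("Gateway A at Example", "Sub CA at Example")


def build_path(leaf, presented, trusted, max_depth=8):
    """Return [leaf, ..., trusted root] or None if no path can be built.

    presented: certificates received from the VPN Concentrator in IKE, i.e. the
               entire chain or the identity certificate only.
    trusted:   CA certificates already installed on the peer.
    Lookup is by subject name only, which is enough to show the effect of the
    transmission option; real validation also checks signatures, validity
    periods, basicConstraints and revocation.
    """
    by_subject = {c.subject: c for c in presented}
    by_subject.update({c.subject: c for c in trusted})   # installed CA certs take precedence
    trusted_roots = {c.subject for c in trusted if c.is_ca and c.self_signed}

    path = [leaf]
    seen = {leaf.subject}
    current = leaf
    while len(path) <= max_depth:
        if current.subject in trusted_roots:
            return path                                   # anchored in the peer's trust store
        issuer = by_subject.get(current.issuer)
        if issuer is None or not issuer.is_ca or issuer.subject in seen:
            return None                                   # missing intermediate, non-CA issuer, or loop
        seen.add(issuer.subject)
        path.append(issuer)
        current = issuer
    return None


def peer_accepts(presented, trusted):
    """True if the peer can chain the first presented certificate to a trusted root."""
    return build_path(presented[0], presented, trusted) is not None


if __name__ == "__main__":
    # Entire certificate chain: works even when the peer holds only the root.
    print("entire chain, peer has root only      :", peer_accepts([IDENTITY, SUB, ROOT], [ROOT]))
    # Identity certificate only: the peer must already have the subordinate CA installed.
    print("identity only, peer has root only     :", peer_accepts([IDENTITY], [ROOT]))
    print("identity only, peer has root and sub  :", peer_accepts([IDENTITY], [ROOT, SUB]))
```

The practical consequence is the one the guide implies: choose Identity certificate only only when every peer already has the complete issuing chain installed; otherwise send the entire chain. Note that a presented root is never trusted merely because it was sent; the path must end at a CA certificate the peer installed itself.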


Deleting Digital Certificates

Delete digital certificates in the following order:

1. Identity or SSL certificates

2. Subordinate certificates

3. Root certificates


Note You cannot delete a certificate if it is in use by an SA, if it is the issuer of another installed certificate, or if it is referenced in an active certificate request.


Follow these steps to delete certificates:


Step 1 Display the Administration | Certificate Management screen. (See Figure 11-1.)

Step 2 Find the certificate you want to delete and click Delete. The Administration | Certificate Management | Delete screen appears.

Figure 11-31 Administration | Certificate Management | Delete Screen

Step 3 Click Yes. The Manager returns to the Administration | Certificate Management window.
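The deletion order and the Note above together define a dependency rule: a certificate can go only when nothing installed still depends on it. The Python script below is an added example, not code from this guide or from the VPN Concentrator, that applies that rule to a constructed sample inventory: it reports which certificates can be deleted now, in what order, and why the rest are still blocked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Installed:
    """One row of the certificate tables, reduced to what the deletion rule needs."""
    name: str                        # Subject as shown in the table
    issuer: str                      # Issuer as shown in the table
    kind: str                        # "identity", "ssl" or "ca"
    in_use_by_sa: bool = False       # referenced by a Security Association
    in_active_request: bool = False  # referenced by an outstanding enrollment request


# Constructed sample inventory: a root, a subordinate CA and three certificates it issued.
INVENTORY = [
    Installed("Root CA at Example", "Root CA at Example", "ca"),
    Installed("Sub CA at Example", "Root CA at Example", "ca"),
    Installed("Gateway A at Example", "Sub CA at Example", "identity"),
    Installed("Gateway B at Example", "Sub CA at Example", "identity", in_use_by_sa=True),
    Installed("SSL public at Example", "Sub CA at Example", "ssl"),
]


def blockers(cert, inventory):
    """Reasons the Manager would refuse to delete this certificate right now."""
    reasons = []
    if cert.in_use_by_sa:
        reasons.append("in use by an SA")
    if cert.in_active_request:
        reasons.append("referenced in an active certificate request")
    issued = sorted(c.name for c in inventory if c != cert and c.issuer == cert.name)
    if issued:
        reasons.append("issuer of " + ", ".join(issued))
    return reasons


def deletion_order(inventory):
    """Return (names in a safe deletion order, {name: reasons} for what stays blocked).

    Identity and SSL certificates go before CA certificates, and a CA certificate
    becomes deletable only once every certificate it issued is gone, which yields
    the identity/SSL -> subordinate -> root order the guide prescribes.
    """
    remaining = list(inventory)
    order = []
    while remaining:
        deletable = [c for c in remaining if not blockers(c, remaining)]
        if not deletable:
            break
        deletable.sort(key=lambda c: (c.kind == "ca", c.name))  # leaves first, then by name
        victim = deletable[0]
        order.append(victim.name)
        remaining.remove(victim)
    stuck = {c.name: blockers(c, remaining) for c in remaining}
    return order, stuck


if __name__ == "__main__":
    order, stuck = deletion_order(INVENTORY)
    print("delete now:", order)
    for name, why in stuck.items():
        print(f"blocked: {name}: {'; '.join(why)}")
    # Once the SA that references Gateway B is reconfigured, everything can go.
    released = [Installed(c.name, c.issuer, c.kind) for c in INVENTORY]
    print("after releasing the SA:", deletion_order(released)[0])
```

Run against the sample, the script deletes the two unreferenced leaf certificates and then stops, because Gateway B is still bound to an SA, which in turn keeps its issuer and the root alive. Reconfiguring that SA first is the only way to finish the clean-up.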


Administration | Certificate Management

This section of the Manager shows outstanding enrollment requests and all the certificates installed on the VPN Concentrator, and it lets you manage them.

The links at the top of this screen guide you step-by-step through the process of enrolling and installing certificates.

To install a CA certificate (via SCEP or manually), click on Click Here to Install a CA Certificate.


Note The Click Here to Install a CA Certificate option is available from this window only when no CA certificates are installed on the VPN Concentrator. If you do not see this option, click Click Here to Install a Certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA Certificate.


To create an SSL or identity certificate enrollment request, click on Click Here to Enroll with a Certificate Authority.

To install the certificate obtained via enrollment, click on Click Here to Install a Certificate.

The VPN Concentrator notifies you (by issuing a severity 3 CERT class event) if any of the installed certificates are within one month of expiration.

The Manager displays this screen each time you install a digital certificate.

Figure 11-32 Administration | Certificate Management Screen

Screen Elements

Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.

Certificate Authorities Table

This table shows root and subordinate CA certificates installed on the VPN Concentrator.

View All CRL Caches — Click this link to see details of all CRLs cached on the VPN Concentrator.

Clear All CRL Caches — Click this link to delete all the CRLs cached on the VPN Concentrator. Deleting a cached CRL forces a refresh: the next authentication attempt that needs that CRL retrieves a fresh copy from the CA.

Current — The actual number of CA certificates installed on the VPN Concentrator.

Maximum — The maximum possible number of CA certificates allowed on this VPN Concentrator. This limit varies by VPN Concentrator model.

Subject/Issuer — The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | View.

Expiration — The expiration date of the certificate. The date format is MM/DD/YYYY.

SCEP Issuer — In order for a certificate to be available for SCEP enrollment, it must be installed via SCEP. This field indicates if the certificate is SCEP-enabled.

Yes = This certificate can issue identity and SSL certificates via SCEP.

No = This certificate cannot issue certificates via SCEP.


Note If you want to use a certificate for SCEP enrollment, but that certificate is not SCEP-enabled, reinstall it using SCEP.


Actions

This column allows you to manage particular certificates. The actions available vary with type and status of the certificate.

View — View details of this certificate.

Configure — Enable CRL (Certificate Revocation List) checking for this CA certificate, configure CRL caching, or enable acceptance of subordinate CA certificates.

Delete — Delete this certificate from the VPN Concentrator.

SCEP — View or configure SCEP parameters for this certificate.

Show RAs — SCEP-enabled CA certificates sometimes have supporting (RA) certificates. View details of these certificates. (Only available for CA certificates.)

Hide RAs — Hide the details of the RA certificates.
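The Subject/Issuer and Expiration fields above follow fixed rules (CN at O, OU at O, or just O, each field cut to 33 characters; dates as MM/DD/YYYY), and the screen introduction notes that a severity 3 CERT event is logged when a certificate is within one month of expiration. The following Python script is an added example, not part of this guide or of the VPN Concentrator, that reproduces those rules so the same check can be run from a monitoring host before the event fires. The subject data is constructed, and "one month" is approximated as 30 days, which is an assumption.

```python
from datetime import date, timedelta

MAX_FIELD = 33          # CN, OU and O each display at most 33 characters
WARNING_DAYS = 30       # "one month" before expiration, approximated as 30 days (assumption)


def display_name(dn):
    """Render a Subject or Issuer as the table shows it: CN at O, OU at O, or just O.

    dn is a dict of X.500 attribute -> value, e.g. {"CN": "Root 2", "O": "CyberTrust"}.
    """
    o = dn.get("O", "")[:MAX_FIELD]
    for attr in ("CN", "OU"):          # CN preferred, OU if there is no CN
        value = dn.get(attr)
        if value:
            value = value[:MAX_FIELD]
            return f"{value} at {o}" if o else value
    return o


def format_expiration(not_after):
    """Expiration column format: MM/DD/YYYY."""
    return not_after.strftime("%m/%d/%Y")


def expiring_soon(certs, today, window_days=WARNING_DAYS):
    """Names of certificates that expire within the window (or already have).

    This is the condition under which the VPN Concentrator logs a severity 3
    CERT event; running the same check from a monitoring host lets you renew
    before the event fires.
    """
    cutoff = today + timedelta(days=window_days)
    return [display_name(c["subject"]) for c in certs if c["not_after"] <= cutoff]


# Constructed sample data, not taken from a real VPN Concentrator.
SAMPLE = [
    {"subject": {"CN": "Root 2", "O": "CyberTrust"}, "not_after": date(2026, 12, 31)},
    {"subject": {"OU": "VPNC", "O": "Cisco Systems"}, "not_after": date(2006, 3, 15)},
    {"subject": {"O": "A Very Long Organization Name That Exceeds The Limit"},
     "not_after": date(2007, 1, 1)},
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{display_name(c['subject']):40} {format_expiration(c['not_after'])}")
    print("expiring within 30 days of 02/20/2006:", expiring_soon(SAMPLE, date(2006, 2, 20)))
```

Because the table truncates each field to 33 characters, two certificates with long, similar names can look identical in this view; use View to inspect the full certificate before acting on it.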

Identity Certificates Table

This table shows installed identity certificates.

Current — The actual number of identity certificates installed on the VPN Concentrator.

Maximum — The maximum possible number of identity certificates allowed on this VPN Concentrator. This limit varies by VPN Concentrator model.

Subject/Issuer, Expiration, Actions — Refer to the explanation of these fields for CA certificates, above.

SSL Certificates Table

This table shows the SSL server certificates installed on the VPN Concentrator. The system can have one SSL server certificate for each interface (private, public, and external). Each can be either a self-signed certificate or one issued in a PKI context. If load balancing is enabled, an SSL load balancing certificate is present as well.

To generate a self-signed SSL server certificate, click Generate. The new certificate replaces any existing SSL certificate.

These fields appear in the SSL Certificates table:

Interface — The interface on which this SSL certificate is installed.

Subject/Issuer, Expiration — Refer to the explanation of these fields for CA certificates, above.

Actions

This column allows you to manage particular certificates. The actions available vary with type and status of the certificate.

View — View details of this certificate.

Renew — Generate a new enrollment request based on the content of this certificate.

Delete — Delete this certificate from the VPN Concentrator.

Export — Copy this certificate to another interface on this VPN Concentrator or to another VPN Concentrator. This option is useful if you are setting up load balancing or VRRP.

Generate — Generate a new SSL certificate, with a new key.

Enroll — Enroll this certificate with a CA.

Import — Copy a certificate to this interface from another interface on this VPN Concentrator or from another VPN Concentrator. This option is useful if you are setting up load balancing or VRRP.

SSH Host Key Table

These fields appear in the SSH Host Key table:

Key Size — The size (in bits) of the SSH host key.

Key Type — The public-key algorithm of the SSH host key. (Only RSA is currently supported.)

Date Generated — The date on which the SSH host key was generated.

Actions:Generate — Generate a new SSH host key.

Enrollment Status Table

This table tracks the status of active enrollment requests.

The number of enrollment requests you can make at any given time is limited to the VPN Concentrator's identity certificate capacity. Most VPN Concentrator models allow a maximum of 20 identity certificates. Thus, for example, if you already have five identity certificates installed, you will only be able to create up to 15 enrollment requests. The VPN 3005 Concentrator is an exception, supporting only two identity certificates. On the VPN 3005 Concentrator only, you can request a third certificate, even if there are already two certificates installed, but the VPN Concentrator does not install this certificate immediately. First you must delete one of the existing certificates. Then, activate the new certificate to replace the one you just deleted.

The VPN Concentrator automatically deletes entries that have the status "Timed-out," "Failed," "Cancelled," or "Error" and are older than one week.

[Remove All]

Click a Remove All option to delete all enrollment requests of a particular status.

Errored — Delete all enrollment requests with the status "Error."

Timed-out — Delete all enrollment requests with the status "Timed-out."

Rejected — Delete all enrollment requests with the status "Rejected."

Cancelled — Delete all enrollment requests with the status "Cancelled."

In Progress — Delete all enrollment requests with the status "In Progress."

Other Table Elements

Current — The number of enrollment requests currently outstanding.

Available — The number of enrollment requests still available.

Subject/Issuer — Refer to the explanation of this field for CA certificates, above.

Date — The original date of enrollment.

Use — The type of certificate: identity or SSL.

Reason — The type of enrollment: initial, re-enrollment, or re-key.

Method — The method of enrollment: SCEP or manual.

Status — Disposition of the enrollment request:

In Progress = The request has been created, but the requested certificate has not yet been installed. This value is used only for PKCS10 (manual) enrollment requests.

Polling = The CA did not immediately fulfill the enrollment request; the VPN Concentrator has entered polling mode. This value is used only for enrollment requests created using SCEP.

Timed-out = The SCEP polling cycle has ended after reaching the configured maximum number of retries. This value is used only for enrollment requests created using SCEP.

Rejected = The CA refused to issue the certificate. This value is used only for enrollment requests created using SCEP.

Cancelled = The certificate request was cancelled while the VPN Concentrator was in polling mode.

Complete = The CA has fulfilled the request. To bring the new certificate into service, click Activate.

Error = An error occurred during the enrollment process. Enrollment was stopped.

Submitting = The certificate request is being sent to the CA.

Actions

This column allows you to manage enrollment requests. The actions available vary with the type and status of the enrollment request.

View — View details of this enrollment request.

Install — Install the enrollment request. This action is available only for PKCS10 (manual) enrollment requests.

Cancel — Cancel a request that is pending. This action is available only for SCEP enrollment requests with "Polling" status.

Re-submit — Re-initiate SCEP communications with the CA or RA using the previously entered request information. This action is available only for SCEP enrollment requests.

Activate — Bring this certificate into service.

Delete — Delete an enrollment request from the VPN Concentrator.

Enroll

Choose whether you are creating an enrollment request for an identity certificate or an SSL certificate.

Figure 11-33 Administration | Certificate Management | Enrollment Screen

Screen Elements

Identity Certificate — Click to create a certificate request for an identity certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen.

SSL Certificate — Click to create a certificate request for an SSL certificate. The Manager displays the Administration | Certificate Management | Enroll | SSL Certificate screen.

Enroll | Certificate Type

Choose the method for enrolling the (identity or SSL) certificate.

Figure 11-34 Administration | Certificate Management | Enroll | Identity Certificate Screen

Screen Elements

Enroll via PKCS10 Request (Manual) — Click to enroll the certificate manually.

Enroll via SCEP at [Name of SCEP CA] — Click to enroll the certificate automatically using SCEP.

You can enroll certificates using SCEP only if you installed the CA certificate using SCEP. One Enroll via SCEP link appears on this screen for each CA certificate on the VPN Concentrator that was installed using SCEP. To see which CA certificates on your VPN Concentrator were installed using SCEP, see the Certificate Authorities table on the Administration | Certificate Management screen. "Yes" in the SCEP Issuer column indicates that the CA certificate was installed using SCEP; "No" indicates it was installed manually. If no CA certificate on the VPN Concentrator was installed using SCEP, then no Enroll via SCEP link appears on this screen. You do not have the option of using SCEP to enroll the certificate.

Install a new CA Using SCEP before Enrolling — Click if you want to enroll a certificate using SCEP, but no Enroll via SCEP link appears here. Install a CA certificate using SCEP, then return to this screen to enroll the certificate. An Enroll via SCEP link now appears.

Go back and choose a different type of certificate — Click to return to the Administration | Certificate Management | Enroll screen. (See Figure 11-33.)

Enroll | Certificate Type | PKCS10

To generate an enrollment request for an SSL or identity certificate, you need to provide information about the VPN Concentrator.

Figure 11-35 Administration | Certificate Management | Enroll | Identity Certificate via PKCS10 Screen

Screen Elements

Common Name (CN) — The primary identity of the entity associated with the certificate, for example, Gateway A. Spaces are allowed. You must enter a name in this field.

Organizational Unit (OU) — The name of the department or other organizational unit to which this VPN Concentrator belongs, for example: VPNC. Spaces are allowed.


Caution The value you enter in this field must match on both ends of the connection.

Organization (O) — The name of the company or organization to which this VPN Concentrator belongs, for example: Cisco Systems. Spaces are allowed.

Locality (L) — The city or town where this VPN Concentrator is located, for example: Westminster. Spaces are allowed.

State/Province (SP) — The state or province where this VPN Concentrator is located, for example: Massachusetts. Spell the name out completely; do not abbreviate. Spaces are allowed.

Country (C) — The country where this VPN Concentrator is located, for example: US. Use two characters, no spaces, and no periods. This two-character code must conform to ISO 3166 country codes.

Subject Alternative Name (Fully Qualified Domain Name) (FQDN) — The fully qualified domain name that identifies this VPN Concentrator in this PKI, for example: Cisco.com. This field is optional. The alternative name is an additional data field in the certificate that provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.

Subject Alternative Name (E-mail Address) (E-mail) — The e-mail address of the VPN Concentrator administrator, for example: gatewaya@cisco.com.

Challenge Password — Use this field according to the policy of your CA:

Your CA might have given you a password. If so, enter it here for authentication.

Your CA might allow you to provide your own password to identify yourself to the CA in the future. If so, create your password here.

Your CA might not require a password. If not, leave this field blank.


Note This field (and the Verify Challenge Password field) appears only if you are requesting a certificate using SCEP. It does not apply to manual (PKCS10) certificate requests.


Verify Challenge Password — Re-enter the password.

Key Size — The algorithm for generating the public-key/private-key pair, and the key size. If you are requesting an SSL certificate, or if you are requesting an identity certificate using SCEP, only the RSA options are available.

RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman) algorithm. This key size is the default selection; note that 512-bit RSA keys are no longer considered secure against factoring, so choose a larger key size wherever your CA and peers support it. It is the most common, and requires the