Document ID: 11090
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Install Digital Certificates on the VPN Concentrator Using SCEP
Related Information
Introduction
This document gives step-by-step instructions for configuring the Cisco VPN 3000 Series Concentrators to authenticate with digital certificates obtained through the Simple Certificate Enrollment Protocol (SCEP).
Prerequisites
Requirements
Make sure that you meet these requirements before you attempt this procedure:
- If you install the certificates on the VPN 3000 Concentrator through SCEP with the Microsoft Certificate Server, make sure that the SCEP add-on package is installed on the server before you begin.
- Before you apply for and receive the certificates, make sure that your clock is set to the correct date and time.
- Make sure that you have IP connectivity to the certificate server.
Components Used
The information in this document is based on Cisco VPN 3000 Series Concentrator 4.1.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Install Digital Certificates on the VPN Concentrator Using SCEP
Complete these steps:
1. To install the root certificate on the VPN 3000 Concentrator, select Administration > Certificate Management, and choose Click here to install a CA certificate.
2. Select SCEP (Simple Certificate Enrollment Protocol) as the method to obtain the Certification Authority (CA) certificates.
3. In the URL box, enter the complete URL of the CA server.
   In the following example, the CA server has the DNS name garrison (you can use the IP address if the VPN Concentrator is not configured for DNS). Since this example uses Microsoft's CA server, the complete URL is http://garrison/certsrv/mscep/mscep.dll.
   Then, put a one-word descriptor in the CA Descriptor box. This example uses "CA".
4. Once you click Retrieve, you should see your CA certificate under Administration > Certificate Management. If you do not see a certificate, go back to step 1 and follow the procedure again.
5. Once you have the CA certificate, select Administration > Certificate Management > Enroll, choose Identity certificate and click Enroll via SCEP at ... to apply for the identity certificate.
6. On the next screen, fill out the Enrollment form. The following example uses:
   - Common Name (CN) = APT3000
   - Organizational Unit (OU) = APT-TAC
   - Organization (O) = Cisco
   - Locality (L) = Chatswood
   - State/Province (SP) = NSW
   - Country (C) = AU
   - Fully Qualified Domain Name (FQDN) = (not used here)
   - Subject Alternative Name (Email Address) = admin@cisco.com
   - Challenge Password = (not used here)
   - Verify Challenge Password = (not used here)
   - Key Size = 512
7. After you select Enroll, you should see the SCEP Status in the Polling State. Go to your CA server to approve the identity certificate.
8. On the Microsoft CA server, open Certificate Authority and issue the pending certificate.
9. Once the identity certificate is issued, select Administration > Certificate Management to make sure that your VPN 3000 Concentrator has received it.
Note: For complete information about digital certificates, see the Administration | Certificate Management section of the VPN 3000 Concentrator Series User Guide (in PDF).
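An added check for the CA URL from step 3, written for this note and not part of the Cisco document: it sends the same SCEP GetCACert query (RFC 8894, section 4.2.1) that the concentrator's Retrieve button issues and reports whether the server answered with a certificate, including a SHA-256 fingerprint to compare with the CA operator before trusting it, or with something else such as an HTML page. The CA URL and the "CA" descriptor are the example values from the procedure; HTTP error statuses surface as urllib.error.HTTPError.

```python
"""Probe a SCEP CA URL with GetCACert (RFC 8894, section 4.2.1)."""
import hashlib
import urllib.parse
import urllib.request

# MIME types a SCEP server may use in a GetCACert response.
CA_CERT_TYPES = {
    "application/x-x509-ca-cert",     # one DER-encoded CA certificate
    "application/x-x509-ca-ra-cert",  # degenerate PKCS#7 with CA and RA certs
}


def get_ca_cert_url(base_url: str, ca_identifier: str) -> str:
    """Build the GetCACert URL for a SCEP endpoint such as mscep.dll."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": ca_identifier})
    return f"{base_url}?{query}"


def der_total_length(data: bytes) -> int:
    """Length of the outermost DER SEQUENCE in data, or -1 if it is not DER."""
    if len(data) < 2 or data[0] != 0x30:  # a certificate or PKCS#7 starts with SEQUENCE
        return -1
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:       # indefinite length is not allowed in DER
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_ca_cert_response(content_type: str, body: bytes) -> dict:
    """Classify a GetCACert reply; an HTML page means the URL is not serving SCEP."""
    mime = content_type.split(";")[0].strip().lower()
    if mime not in CA_CERT_TYPES:
        return {"ok": False, "reason": f"unexpected content type {mime!r}"}
    if der_total_length(body) != len(body):
        return {"ok": False, "reason": "body is not one complete DER element"}
    # SHA-256 of the returned bytes: compare it out-of-band with the CA operator before trusting it.
    return {"ok": True, "type": mime, "sha256": hashlib.sha256(body).hexdigest()}


def fetch_and_check(base_url: str, ca_identifier: str) -> dict:
    """Live check against the CA server (needs IP connectivity to it)."""
    with urllib.request.urlopen(get_ca_cert_url(base_url, ca_identifier)) as resp:
        return check_ca_cert_response(resp.headers.get("Content-Type", ""), resp.read())


if __name__ == "__main__":
    print(fetch_and_check("http://garrison/certsrv/mscep/mscep.dll", "CA"))
```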
Related Information
- Cisco VPN 3000 Series Concentrator Support Page
- Cisco VPN 3000 Series Client Support Page
- IPSec Support Page
- Technical Support - Cisco Systems
Updated: Jan 14, 2008 | Document ID: 11090
