VPN Client User Guide for Mac OS X, Release 3.7
Managing Certificates

Table of Contents

Managing Certificates
Certificate Stores
Enrolling Certificates
Importing a Certificate
Viewing a Certificate
Exporting a Certificate
Deleting a Certificate
Verifying a Certificate

Managing Certificates


This chapter describes how to enroll and manage digital certificates for the VPN client for Mac OS X.

Certificate Stores

The VPN client uses the term store for a location in your local file system where personal certificates are kept. The main store for the VPN client is the Cisco store.

The Certificates tab on the VPN client window displays the list of certificates in your certificate store (Figure 6-1).


Figure 6-1   Certificate Store


For each certificate, the following information is listed:

  • Certificate—The name of the certificate.
  • Store—The certificate store where this certificate resides. If you enroll a certificate from a Certificate Authority, the store is CA. If you import a certificate from a file, the store is Cisco.
  • Key Size—The size, in bits, of the signing key pair.
  • Validity—The date and time when this certificate expires.

The Cisco store contains certificates enrolled through the Simple Certificate Enrollment Protocol (SCEP) and certificates that have been imported from a file.

Enrolling Certificates

Your system administrator may have already set up your VPN client with digital certificates. If not, or if you want to add certificates, you can obtain a certificate by enrolling with a Certificate Authority (CA).

To enroll a digital certificate, you submit a request that follows the PKI framework standards, receive approval from the CA, and have the certificate installed on your system.

You can enroll a digital certificate:

  • Over the network from a CA
  • From an enrollment request file

To enroll a digital certificate for user authentication:


Step 1   Click the Certificates tab.

Step 2   Click Enroll at the top of the VPN client window. The Certificate Enrollment dialog box appears (Figure 6-2).


Figure 6-2   Certificate Enrollment


Step 3   Choose a certificate enrollment type.

  • If you choose Online, you obtain a certificate by enrolling with a CA over the network.
  • If you choose File, the VPN client generates an enrollment request file that you can e-mail to a CA or post into a webpage form. From the drop-down menu, choose the encoding type for the output file:
    • Base-64, the default, is an ASCII-encoded PKCS10 file that you can display because it is in a text format. Use this type when you want to cut and paste the text into the CA website.

Step 4   Enter the certificate enrollment parameters. All fields are required unless they are grayed out. Table 6-1 describes the entry fields.

Table 6-1   Certificate Enrollment Parameters

  • Filename—The full path name for the request file. For example, /Users/Anna/Documents/Certificates/mycert.p10. This field is available only when you select the File enrollment type.
  • Name—The common name for the certificate. The common name can be the name of a person, system, or other entity. It is the most specific level in the identification hierarchy. The common name becomes the name of the certificate. For example, Fred Flinstone.
  • Domain—The Fully Qualified Domain Name (FQDN) of the host for your system. For example, Dialin_Server.
  • Email—The user e-mail address for the certificate. For example, email@company.com.
  • IP Address—The IP address of the user's system. For example, 192.168.23.9.
  • Department—The VPN group that this user belongs to. This field corresponds to the Organizational Unit (OU). For example, the OU is the same as the Group Name configured on a VPN 3000 Series Concentrator.
  • Company—The company name for the certificate.
  • State—The state for the certificate.
  • Country—The two-letter country code for your country. For example, US. The code must conform to the ISO 3166 country abbreviations.
  • Challenge Phrase—Some CAs require a password to access their site. Enter this password in the Challenge Phrase field. You can obtain the challenge phrase from your administrator or from the CA.
  • CA URL—The URL or network address of the CA. For example, http://198.162.41.9/certsrv/mcep/mcep.dll.
  • CA Domain—The CA's domain name. For example, qa2000.com.
  • New Password—The password for this certificate. Each digital certificate is protected by a password. If you create a connection entry that requires a digital certificate for authentication, you must enter the certificate password each time you attempt a connection.

Step 5   Click Enroll to enroll a certificate from a CA. A prompt indicates whether the certificate enrollment is successful (Figure 6-3).


Figure 6-3   Enrollment Complete


If the certificate enrollment is not successful, contact your network administrator.





Importing a Certificate

A network administrator might place a certificate in a file. This certificate must be imported into the certificate store before you can use it to authenticate the VPN client to a VPN device.

To import a certificate from a file:


Step 1   Click the Certificates tab.

Step 2   Click Import at the top of the VPN client window. The Import Certificate dialog box appears (Figure 6-4).


Figure 6-4   Import Certificate


Step 3   Enter the path to the certificate you want to import. If you do not know the location, browse to the folder in which the certificate is located and click Open on the browser window. The import path is automatically entered in the Import Certificate dialog box.

To import a digital certificate, you need two different passwords.

  • The import password is used to protect the certificate file, and is assigned by the system administrator.
  • The new password is assigned by you to protect the certificate while it is in your certificate store. This password is optional but we recommend that you always protect your certificate with a password.

Step 4   Enter the import password.

Step 5   Enter a password to protect the certificate while it is in the VPN client certificate store.

Step 6   Verify the certificate store password.

Step 7   Click Import. The certificate is installed in the VPN client certificate store.





Viewing a Certificate

To view the contents of a certificate in the certificate store:


Step 1   Click the Certificates tab.

Step 2   Select the certificate you want to view.

Step 3   Click View at the top of the VPN client window or double-click the certificate. The Certificate Properties window appears (Figure 6-5).


Figure 6-5   Certificate Properties


A typical digital certificate contains the following information:

  • Common name—Name of the owner, usually both the first and last names. This field identifies the owner within the Public Key Infrastructure (PKI) organization.
  • Department—Name of the owner's department. This is the same as the organizational unit in the Subject field.
  • Company—Company in which the owner is using the certificate. This is the same as the organization in the Subject field.
  • State—State in which the owner is using the certificate.
  • Country—2-character country code in which the owner's system is located.
  • Email—E-mail address of the owner of the certificate.
  • Thumbprint—An MD5 hash of the certificate's complete contents. This provides a means for validating the authenticity of the certificate. For example, if you contact the issuing CA, you can use this identifier to verify that this certificate is the correct one to use.
  • Key size—Size of the signing key pair in bits.
  • Subject—Fully qualified distinguished name (FQDN) of the certificate's owner. This field uniquely identifies the owner of the certificate in a format that can be used for LDAP and X.500 directory queries. A typical subject includes the following fields:
    • common name (cn)
    • organizational unit, or department (ou)
    • organization or company (o)
    • locality, city, or town (l)
    • state or province (st)
    • country (c)
    • e-mail address (e)

Other items might be included in the Subject, depending on the certificate.

  • Issuer—Fully qualified distinguished name (FQDN) of the source that provided the certificate.
  • Serial number—A unique identifier used for tracking the validity of the certificate on the Certificate Revocation Lists (CRLs).
  • Not valid before—Beginning date that the certificate is valid.
  • Not valid after—End date beyond which the certificate is no longer valid.

Step 4   Click Close to return to the VPN client window.





Exporting a Certificate

To export a certificate from the certificate store to a specified file:


Step 1   Click the Certificates tab.

Step 2   Click Export at the top of the VPN client window. The Export Certificate dialog box appears (Figure 6-6).


Figure 6-6   Export Certificate


Step 3   Enter the path for the export certificate. If you do not know the export path, browse to the export directory and click Open on the browser window. The export path is automatically entered in the Export Certificate dialog box.

Step 4   To export the entire certificate chain, check the box next to this parameter.

Step 5   Enter a password to protect the exported certificate file. We recommend that you always enter a password to protect your certificates.

Step 6   Verify the exported certificate file password.

Step 7   Click Export. The certificate is copied to the selected directory and a prompt (Figure 6-7) indicates whether the export is successful.


Figure 6-7   Successful Export Prompt


Step 8   Click OK to return to the VPN client window.





Deleting a Certificate

To delete a certificate from your certificate store:


Step 1   Click the Certificates tab.

Step 2   Click Delete at the top of the VPN client window. A warning prompt appears (Figure 6-8).


Figure 6-8   Delete Certificate Warning



Caution   You cannot retrieve a certificate that has been deleted.

Step 3   Verify the name of the certificate and click Delete. The selected certificate is deleted from the certificate store.

Click Do not Delete to return to the VPN client window without deleting the selected certificate.





Verifying a Certificate

To verify that a certificate is valid:


Step 1   Click the Certificates tab.

Step 2   Click Verify at the top of the VPN client window. A prompt appears (Figure 6-9) to indicate the validity of the certificate.


Figure 6-9   Verify Certificate


Step 3   Click OK to return to the VPN client window.

If your certificate is invalid, contact the network administrator for instructions.
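As an added end-to-end example that is not part of the Cisco guide: the lifecycle this chapter performs in the GUI (a File enrollment request carrying the Table 6-1 fields, CA approval, the properties the Certificate Properties window lists, the Verify check, and a password-protected export) driven with the openssl command-line tool that ships with Mac OS X. The subject values, the throwaway CA standing in for the real one, and the scratch directory are all constructed for the demo.

```shell
# Constructed scratch directory; every file below is created by this script.
WORK=$(mktemp -d)
SUBJ="/C=US/ST=California/O=Example Co/OU=vpngroup/CN=Fred Flinstone/emailAddress=fred@example.com"
# "File" enrollment: a Base-64 (PEM) PKCS#10 request carrying the Table 6-1
# fields (Name=CN, Department=OU, Company=O, State=ST, Country=C, Email)
# plus a fresh 2048-bit key. Prints the first line so the encoding is visible.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
        -subj "$SUBJ" -out "$WORK/mycert.p10" >/dev/null 2>&1
    head -n 1 "$WORK/mycert.p10"
}
# Stand-in for the approving CA (a throwaway self-signed CA, constructed here).
# Signs the request and prints the common name of the issued certificate.
issue_certificate() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/C=US/O=Example Co/CN=Example CA" -days 30 -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/mycert.p10" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 7 -out "$WORK/user.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/user.pem" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//; s/,.*//'
}
# Viewing: the thumbprint is not stored in the certificate; it is MD5 over the
# DER encoding, which this recomputes and compares with openssl's own line.
thumbprint_matches() {
    shown=$(openssl x509 -in "$WORK/user.pem" -noout -fingerprint -md5 | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f')
    computed=$(openssl x509 -in "$WORK/user.pem" -outform DER | openssl dgst -md5 | sed 's/.*= //')
    [ "$shown" = "$computed" ] && echo match || echo mismatch
}
key_bits() {   # the Key Size column / "Key size" property
    openssl x509 -in "$WORK/user.pem" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# Verifying: valid means chained to a trusted CA and inside the date window;
# an unexpired certificate still fails against a CA that did not issue it.
verify_against() {   # $1 = CA certificate to trust; prints valid/invalid
    if openssl verify -CAfile "$1" "$WORK/user.pem" >/dev/null 2>&1 \
       && openssl x509 -in "$WORK/user.pem" -noout -checkend 0 >/dev/null; then
        echo valid; else echo invalid; fi
}
# Exporting: certificate, key and CA chain in one password-protected PKCS#12
# file; importing it later needs the same password (the "import password").
export_p12() {   # $1 = export password
    openssl pkcs12 -export -in "$WORK/user.pem" -inkey "$WORK/user.key" \
        -certfile "$WORK/ca.pem" -passout "pass:$1" -out "$WORK/user.p12"
}
import_p12() {   # $1 = password offered at import; prints ok/rejected
    openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$1" -nokeys >/dev/null 2>&1 && echo ok || echo rejected
}
```

The -md5 option is used only because that is what this client displays as the thumbprint; current tools report SHA-256 fingerprints (-sha256), and MD5 should not be relied on to tell certificates apart.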