Group and certificate association configuration, Ca key update – Panasonic NN46110-600 User Manual

84 Chapter 3 Using certificates
Group and certificate association configuration
This feature provides finer control for a user to associate a certificate with a group
for IPsec tunnel connections. Each Certificate Authority user can set up a lookup
table between the certificate subject DN and a VPN Router group. When a new
tunnel using the certificate is authenticated, the VPN Router uses the certificate's
subject DN to look up the group in the table. If there is a match (or partial match),
the new tunnel binds to the group specified in the table.
If no match is found in the lookup table, the new tunnel is bound to the default
group if it is configured and if the Allow All feature is turned on. Otherwise, the
tunnel is denied.
All the attributes (Lookup Table, Allow All, and default group) are CA-specific.
To configure the Group and Certificate Lookup Table:
1. Select the CA.
2. Click Details.
3. Click Add under Group Access Control. Use a partial Subject DN (omitting one or more leftmost fields) to simplify the configuration. You can select Relative or Full to specify the partial Subject DN. Relative automatically generates the DN string. If it exists in the certificate's subject DN, do not omit any field in the middle, such as o=Nortel or st=MA.
4. Click OK.
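The lookup and fallback behavior described above, sketched as an added Python example (not VPN Router code and not from this manual). It assumes a partial Subject DN matches as a contiguous tail of the certificate's subject DN, that comparison is case-insensitive, and that the longest matching entry wins; the DNs and group names are constructed.

```python
# Added illustration; not Nortel VPN Router code. Matching rules are assumptions.

def parse_dn(dn):
    """Split 'cn=a, ou=b, o=c' into normalized (attr, value) pairs.
    Simplified: does not handle escaped commas or multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def lookup_group(subject_dn, table, default_group=None, allow_all=False):
    """Return the group a tunnel binds to, or None if the tunnel is denied.

    table maps a full or partial subject DN (leftmost fields omitted) to a group.
    Assumption: when several entries match, the most specific (longest) wins.
    """
    subject = parse_dn(subject_dn)
    best_len, best_group = 0, None
    for entry_dn, group in table.items():
        entry = parse_dn(entry_dn)
        # A partial DN matches only as a contiguous tail of the subject DN,
        # so an entry that omits a middle field such as o= or st= never matches.
        if len(entry) <= len(subject) and subject[-len(entry):] == entry:
            if len(entry) > best_len:
                best_len, best_group = len(entry), group
    if best_group is not None:
        return best_group
    # No table match: default group only if configured and Allow All is on.
    if allow_all and default_group:
        return default_group
    return None


# Constructed sample data (hypothetical DNs and group names).
TABLE = {
    "ou=Engineering, o=Nortel, st=MA, c=US": "/Base/Engineering",
    "o=Nortel, st=MA, c=US": "/Base/Staff",
}

if __name__ == "__main__":
    for dn in ("cn=alice, ou=Engineering, o=Nortel, st=MA, c=US",
               "cn=bob, ou=Sales, o=Nortel, st=MA, c=US",
               "cn=eve, o=Other, st=MA, c=US"):
        print(dn, "->", lookup_group(dn, TABLE, "/Base/Guest", allow_all=False))
```

With Allow All off, the third certificate is denied even though a default group is named; that is the behavior to confirm when auditing a CA's lookup table.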
CA key update
The CA key update provides uninterrupted certificate-authenticated user and
Branch Office tunnel connections before, during, and after the CA performs the
Entrust Key Update function in a given PKI environment. You can perform a
key update for security or other reasons. Figure 14 shows a CA Key Update ready
for authentication.