Certificate management, Enrolling and installing digital certificates – Cisco VPN 3002 User Manual


12-16

VPN 3002 Hardware Client Reference

OL-1893-01

Chapter 12 Administration

Certificate Management

Digital certificates are a form of digital identification used for authentication. Certificate Authorities
(CAs) issue them in the context of a Public Key Infrastructure (PKI), which uses public-key/private-key
encryption to ensure security. CAs are trusted authorities who “sign” (issue) certificates to verify their
authenticity.

A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called a root
certificate; one issued by another CA certificate is called a subordinate certificate. CAs also issue
identity certificates, which are the certificates for specific systems or hosts. There can be up to six root
or subordinate CA certificates (including supporting RA certificates) but only one identity certificate on
a VPN 3002.

The VPN 3002 supports X.509 digital certificates (International Telecommunications Union
Recommendation X.509), including SSL (Secure Sockets Layer) certificates that are self-signed or
issued in a PKI context.

The VPN 3002 stores digital certificates and private keys in Flash memory. You do not need to click
Save Needed to store them, and they are not visible under Administration | File Management. All stored
private keys are encrypted.

The VPN 3002 can have only one SSL certificate installed. If you generate a self-signed SSL certificate,
it replaces any installed PKI-context SSL certificate; and vice-versa.

Enrolling and Installing Digital Certificates

To obtain a digital certificate for the VPN 3002 you must first enroll with a CA. To enroll with a CA,
create an enrollment request and submit it to your CA. The CA enrolls the VPN 3002 into the PKI and
issues you a certificate. Once you have the certificate, you then have to install it on the VPN 3002.

Note

You must first install a CA certificate before you enroll identity certificates from that CA.

You can enroll and install digital certificates on the VPN 3002 automatically or manually. The automatic
method uses the Simple Certificate Enrollment Protocol (SCEP) to streamline enrollment and
installation. SCEP is a secure messaging protocol that requires minimal user intervention. This method
is quicker and allows you to enroll and install certificates using only the Manager, but is only available
if you are both enrolling with a CA that supports SCEP and enrolling via the web. If your CA does not
support SCEP or if you do not have network connectivity to your CA, then you cannot use the automatic
method; you must use the manual method.

The manual method involves more steps. You can do some of the steps using the Manager. Other steps
require that you exchange information with the CA directly. (You deliver your enrollment request and
receive the certificate from the CA via the Internet, email, or a floppy disk.)

Whether you use the automatic or manual method, you follow the same overall certificate management
procedure:

Step 1    Install one or more CA certificates.

Step 2    Enroll and install identity and SSL certificates.

Step 3    Enable digital certificates on the VPN 3002.
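As an added example, not taken from the manual or from Cisco, the following shell script builds with the openssl command line the hierarchy this section describes: a self-signed root CA certificate, a subordinate CA certificate issued by it, and an enrollment request (a PKCS#10 certificate signing request, the same kind of request the manual method has you deliver to the CA) for an identity certificate, which the subordinate CA then signs. The CA names and the host name vpn3002.example.test are constructed placeholders. The last check mirrors the Note above: the identity certificate only verifies when the CA certificate that issued it is available, which is why the CA certificate must be installed before the identity certificate.

```shell
#!/bin/sh
# Constructed example: a root CA, a subordinate CA, and an identity
# certificate enrolled through a CSR, all built with the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA certificate (basicConstraints CA:TRUE, key can sign certs).
make_root_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$WORK/root.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$WORK/root.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Root CA" -config "$WORK/root.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Subordinate CA: its own key and CSR, signed by the root. pathlen:0 stops it
# from issuing further CA certificates, only end-entity (identity) certificates.
make_subordinate_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Subordinate CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/sub.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" 2>/dev/null
}

# Identity certificate for the device: the private key never leaves the device;
# only the CSR (the enrollment request) goes to the CA, which returns the cert.
make_identity() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpn3002.example.test" \
    -keyout "$WORK/identity.key" -out "$WORK/identity.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\n' > "$WORK/identity.ext"
  printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' >> "$WORK/identity.ext"
  printf 'extendedKeyUsage=serverAuth,clientAuth\n' >> "$WORK/identity.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/identity.csr" \
    -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" -CAcreateserial \
    -extfile "$WORK/identity.ext" -out "$WORK/identity.crt" 2>/dev/null
}

# Full path validation: identity -> subordinate CA -> trusted root. Exit 0 on success.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
    "$WORK/identity.crt" >/dev/null 2>&1
}

# Same identity certificate, but without the subordinate CA certificate present:
# the chain cannot be built and verification fails (non-zero exit).
verify_without_sub() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/identity.crt" >/dev/null 2>&1
}

# Print the issuer/subject chain so the hierarchy is visible.
show_chain() {
  for f in root sub identity; do
    openssl x509 -in "$WORK/$f.crt" -noout -subject -issuer
  done
}

make_root_ca
make_subordinate_ca
make_identity
show_chain
verify_chain && echo "identity certificate verifies through the subordinate CA"
if verify_without_sub; then
  echo "unexpected: verified without the issuing CA certificate"
else
  echo "without the subordinate CA certificate installed, verification fails (as expected)"
fi
```

The three functions correspond to the manual's three certificate types; the `-untrusted` argument to openssl verify plays the role of the installed subordinate CA certificate, which the device needs in order to build the path from its identity certificate up to a trusted root.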
