|
|
This chapter describes how to enroll and manage digital certificates for the VPN client for Mac OS X.
The VPN client uses the notion of store to convey a location in your local file system to store personal certificates. The main store for the VPN client is the Cisco store.
The Certificates tab on the VPN client window displays the list of certificates in your certificate store (Figure 6-1).
For each certificate, the following information is listed:
The Cisco store contains certificates enrolled through the Simple Certificate Enrollment Protocol (SCEP) and certificates that have been imported from a file.
Your system administrator may have already set up your VPN client with digital certificates. If not, or if you want to add certificates, you can obtain a certificate by enrolling with a Certificate Authority (CA).
To enroll a digital certificate you must enroll using the PKI Framework standards, receive approval from the CA, and have the certificate installed on your system.
You can enroll a digital certificate:
To enroll a digital certificate for user authentication:
Step 2 Click Enroll at the top of the VPN client window. The Certificate Enrollment dialog box appears (Figure 6-2).
Step 3 Choose a certificate enrollment type.
From the drop-down menu, choose the encoding type for the output file
Step 4 Enter the certificate enrollment parameters. All fields are required unless they are grayed out. Table 6-1 describes the entry fields.
| Entry Field | Description |
|---|---|
The full path name for the file request. For example, /Users/Anna/Documents/Certificates/mycert.p10. This field is only available when you select a File enrollment type. |
|
The common name for the certificate. The common name can be the name of a person, system, or other entity. It is the most specific level in the identification hierarchy. The common name becomes the name of the certificate. For example, Fred Flinstone. |
|
The Fully Qualified Domain Name (FQDN) of the host for your system. For example, Dialin_Server. |
|
The user e-mail address for the certificate. email@company.com |
|
The IP address of the user's system. For example, 192.168.23.9 |
|
The VPN group that this user belongs to. This field correlates to the Organizational Unit (OU). The OU is the same as the Group Name configured in a VPN 3000 Series Concentrator, for example. |
|
The 2-letter country code for your country. For example, US. This two-letter country code must conform to ISO 3166 country abbreviations. |
|
Some CAs require that you enter a password to access their site. Enter this password in the Challenge Phrase field. You can obtain the challenge phrase from your administrator or from the CA. |
|
The URL or network address of the CA. For example, http://198.162.41.9/certsrv/mcep/mcep.dll. |
|
The password for this certificate. Each digital certificate is protected by a password. If you create a connection entry that requires a digital certificate for authentication, you must enter the certificate password each time you attempt a connection. |
Step 5 Click Enroll to enroll a certificate from a CA. A prompt indicates whether the certificate enrollment is successful (Figure 6-3).
If the certificate enrollment is not successful, contact your network administrator.
A network administrator might place a certificate in a file. This certificate must be imported in to the certificate store before you can use it for authenticating the VPN client to a VPN device.
To import a certificate from a file:
Step 2 Click Import at the top of the VPN client window. The Import Certificate dialog box appears (Figure 6-4).
Step 3 Enter the path to the certificate you want to import. If you do not know the location, browse to the folder in which the certificate is located and click Open on the browser window. The import path is automatically entered in the Import Certificate dialog box.
To import a digital certificates you need two different passwords.
Step 4 Enter the import password.
Step 5 Enter a password to protect the certificate while it is in the VPN client certificate store.
Step 6 Verify the certificate store password.
Step 7 Click Import. The certificate is installed in the VPN client certificate store.
To view the contents of a certificate in the certificate store:
Step 2 Select the certificate you want to view.
Step 3 Click View at the top of the VPN client window or double-click the certificate. The Certificate Properties window appears (Figure 6-5).
A typical digital certificate contains the following information:
Other items might be included in the Subject, depending on the certificate.
Step 4 Click Close to return to the VPN client window.
To export a certificate from the certificate store to a specified file:
Step 2 Click Export at the top of the VPN client window. The Export Certificate dialog box appears (Figure 6-6).
Step 3 Enter the path for the export certificate. If you do not know the export path, browse to the export directory and click Open on the browser window. The export path is automatically entered in the Export Certificate dialog box.
Step 4 To export the entire certificate chain, check the box next to this parameter.
Step 5 Enter a password to protect the exported certificate file. We recommend that you always enter a password to protect your certificates.
Step 6 Verify the exported certificate file password.
Step 7 Click Export. The certificate is copied to the selected directory and a prompt (Figure 6-7) indicates whether the export is successful.
Step 8 Click OK to return to the VPN client window.
To delete a certificate from your certificate store:
Step 2 Click Delete at the top of the VPN client window. A warning prompt appears (Figure 6-8).
 |
Caution You cannot retrieve a certificate that has been deleted. |
Step 3 Verify the name of the certificate and click Delete. The selected certificate is deleted from the certificate store.
Click Do not Delete to return to the VPN client window without deleting the selected certificate.
To verify that a certificate is valid:
Step 2 Click Verify at the top of the VPN client window. A prompt appears (Figure 6-9) to indicate the validity of the certificate.
Step 3 Click OK to return to the VPN client window.
If your certificate is invalid, contact the network administrator for instructions.
Posted: Mon Dec 23 16:26:06 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
