
Table of Contents

Enrolling and Managing Certificates
Using the Certificate Store
Enrolling Certificates
Importing a Certificate
Viewing a Certificate
Exporting a Certificate
Deleting a Certificate
Verifying a Certificate
Changing the Password on a Personal Certificate

Enrolling and Managing Certificates


This chapter describes how to enroll and manage digital certificates for the VPN Client for Mac OS X, specifically how to perform the following tasks: using the certificate store, enrolling certificates, importing, viewing, exporting, deleting and verifying a certificate, and changing the password on a personal certificate.

To get started with certificates, open the Certificates tab on the main VPN Client window in advanced mode. The Certificates tab lists the certificates you currently have enrolled. If no certificates are shown, enroll with a CA (see Enrolling Certificates) or contact your system administrator, who may supply a certificate file for you to import (see Importing a Certificate).

Using the Certificate Store

The VPN Client uses the term store for a location in your local file system where personal certificates are kept. The main store for the VPN Client is the Cisco store, which contains certificates enrolled through the Simple Certificate Enrollment Protocol (SCEP) and certificates that have been imported from a file.

The Certificates tab on the main VPN Client window displays the list of certificates in your certificate store (Figure 6-1).


Figure 6-1   Certificate Store


For each certificate, the following information is listed:

Enrolling Certificates

Your system administrator may have already set up your VPN Client with digital certificates. If not, or if you want to add certificates, you can obtain a certificate by enrolling with a Certificate Authority (CA).

Enrolling a digital certificate has three parts: you generate a standards-based certificate request (a PKCS #10 request) and submit it to the CA, the CA approves the request, and the issued certificate is installed in your certificate store.

You can enroll a digital certificate in either of two ways: online, through SCEP, or by writing the request to a file that you deliver to the CA yourself (for example, by pasting it into the CA's website).

To enroll a digital certificate for user authentication


Step 1   Click the Certificates tab.

Step 2   Click Enroll at the top of the VPN Client window. The Certificate Enrollment dialog box appears.

Step 3   Choose a certificate enrollment type.

Figure 6-2 shows the Certificate Enrollment Dialog Box.


Figure 6-2   Online Certificate Enrollment


Step 4   Enter the enrollment parameters. If you are enrolling by file, also choose the encoding of the PKCS #10 request file:

Base-64—The default. An ASCII (base64-encoded) PKCS #10 request file. Because it is text, you can display it, and you can cut and paste it into the CA's website.

Binary—A raw binary (DER-encoded) PKCS #10 (Public-Key Cryptography Standards #10) request file. You cannot display a binary-encoded file as text.

Step 5   Click Next to continue with certificate enrollment. The Certificate Enrollment dialog box appears (Figure 6-3).


Figure 6-3   Certificate Enrollment


Step 6   Enter the remaining certificate enrollment parameters. All fields are required unless they are grayed out. Table 6-1 describes the entry fields.

Table 6-1   Certificate Enrollment Parameters

Entry Field Description

Name (CN)

The common name for the certificate. The common name can be the name of a person, system, or other entity. It is the most specific level in the identification hierarchy. The common name becomes the name of the certificate. For example, Fred Flintstone.

Domain

The Fully Qualified Domain Name (FQDN) of the host for your system. For example, Dialin_Server.

Email (E)

The user e-mail address for the certificate. For example, email@company.com

IP Address

The IP address of the user's system. For example, 192.168.23.9

Department (OU)

The VPN group that this user belongs to. This field correlates to the Organizational Unit (OU). The OU is the same as the Group Name configured in a VPN 3000 Series Concentrator, for example.

Company (O)

The company name for the certificate.

State (ST)

The state for the certificate.

Country (C)

The 2-letter country code for your country. For example, US. This two-letter country code must conform to ISO 3166 country abbreviations.

Step 7   Click Enroll to submit the request to the CA, Go Back to review the enrollment parameters you entered, or Cancel.

The enrollment is listed in the certificate store as a request until the CA issues the certificate. To resume a certificate enrollment request, right-click it and choose Resume Certificate Enrollment. Alternatively, you can resume an enrollment from the Certificates menu.

A prompt indicates whether the certificate enrollment is successful (Figure 6-4).


Figure 6-4   Enrollment Complete


If the certificate enrollment is not successful, contact your network administrator.
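The Table 6-1 fields become the subject name of the PKCS #10 request, and the Base-64 and Binary choices in Step 4 are two encodings of the same bytes. The following is an added example, not code from the VPN Client or from Cisco: it encodes the Table 6-1 fields into a DER X.501 Name (the subject portion of the request; key generation and signing are out of scope here), writes that encoding as binary and as Base-64 text, and reads either form back the way a CA-side parser would. Where the client places the Domain and IP Address fields is not stated in this manual; the example assumes the PKCS #9 attributes unstructuredName and unstructuredAddress. The OU, O and ST values are constructed, since the table gives none.

```python
"""Added example (not from the VPN Client): Table 6-1 fields -> DER X.501 Name,
in the Base-64 and binary file forms described in Step 4, and back again."""
import base64

# Attribute type OID and ASN.1 string tag for each Table 6-1 field.
# ASSUMPTION: Domain and IP Address use PKCS #9 unstructuredName /
# unstructuredAddress; the manual does not say where the client puts them.
ATTR_OIDS = {
    "CN":     ("2.5.4.3",               0x0C),  # commonName, UTF8String
    "Domain": ("1.2.840.113549.1.9.2",  0x16),  # unstructuredName, IA5String
    "E":      ("1.2.840.113549.1.9.1",  0x16),  # emailAddress, IA5String
    "IP":     ("1.2.840.113549.1.9.8",  0x13),  # unstructuredAddress, PrintableString
    "OU":     ("2.5.4.11",              0x0C),  # organizationalUnitName
    "O":      ("2.5.4.10",              0x0C),  # organizationName
    "ST":     ("2.5.4.8",               0x0C),  # stateOrProvinceName
    "C":      ("2.5.4.6",               0x13),  # countryName, PrintableString
}
OID_TO_KEY = {oid: key for key, (oid, _tag) in ATTR_OIDS.items()}

# Constructed sample input: the examples from Table 6-1, plus made-up OU/O/ST.
TABLE_6_1_EXAMPLE = [
    ("CN", "Fred Flintstone"),
    ("Domain", "Dialin_Server"),
    ("E", "email@company.com"),
    ("IP", "192.168.23.9"),
    ("OU", "Engineering"),      # constructed
    ("O", "Example Corp"),      # constructed
    ("ST", "California"),       # constructed
    ("C", "US"),
]


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def encode_name(fields):
    """Name ::= SEQUENCE OF RDN; each RDN is a SET of one AttributeTypeAndValue."""
    rdns = b""
    for key, value in fields:
        oid, string_tag = ATTR_OIDS[key]
        if string_tag != 0x0C and not value.isascii():
            raise ValueError(f"{key} must be ASCII for IA5String/PrintableString")
        atv = der_tlv(0x30, der_oid(oid) + der_tlv(string_tag, value.encode("utf-8")))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


def der_read(buf, pos):
    """Read one TLV starting at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der):
    """Inverse of encode_name: returns [(field, value), ...] in encoded order."""
    tag, rdns, end = der_read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER Name SEQUENCE")
    fields, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = der_read(rdns, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = der_read(rdn, 0)
        _, oid_bytes, after_oid = der_read(atv, 0)
        _, value, _ = der_read(atv, after_oid)
        oid = decode_oid(oid_bytes)
        fields.append((OID_TO_KEY.get(oid, oid), value.decode("utf-8")))
    return fields


def to_base64_file(der):
    """The Base-64 form: same bytes, base64 text in 64-column lines, pasteable."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n"


def load_request_file(data):
    """Accept either file form and return DER. A PKCS #10 request (and a Name)
    starts with the SEQUENCE tag 0x30, whose base64 form starts with 'M', so
    the first byte tells the forms apart. PEM armour lines, if any, are skipped."""
    if data[:1] == b"\x30":
        return bytes(data)
    lines = data.decode("ascii").splitlines()
    body = "".join(l.strip() for l in lines if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def build_both_forms(fields=TABLE_6_1_EXAMPLE):
    der = encode_name(fields)
    return der, to_base64_file(der)


if __name__ == "__main__":
    der, b64 = build_both_forms()
    print(f"binary form: {len(der)} bytes, starting {der[:4].hex()}")
    print("Base-64 form:\n" + b64)
    print("decoded:", decode_name(load_request_file(b64.encode("ascii"))))
```

Because the Name here exceeds 127 bytes, the outer SEQUENCE uses the long-form length, which is the case a hand-written parser most often gets wrong; the round trip above exercises it, and `load_request_file` shows why a CA can accept either file type from Step 4 without being told which one it received.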



Managing Enrollment Requests

While a request is pending approval by the CA administrator, the VPN Client places the enrollment request in the list on the Certificates tab. You can view, delete, or change the password for any request in the list, or you can retry a network enrollment request. To perform any of these actions, select the pending enrollment request and choose the action from the Certificates menu.

Viewing the Enrollment Request

To display the enrollment request


Step 1   Select the enrollment request in the certificate store.

Step 2   Choose View from the Certificates menu.

Step 3   The VPN Client displays the pending request. The Issuer field shows the subject name and not the name of the CA, since the CA has not yet issued the certificate.


Tip You can also change the certificate request password from the View dialog box.



Deleting an Enrollment Request

To delete an enrollment request


Step 1   Select the enrollment request from the certificate store.

Step 2   Choose Delete from the Certificates menu.

The VPN Client prompts you for a password.

Step 3   Enter the password in the Password field (if there is one) and click OK.

The VPN Client verifies the password. If the password is correct, the VPN Client deletes the request.



Changing the Password on an Enrollment Request

To change the certificate password on an enrollment request


Step 1   Select the certificate request from the certificate store.

Step 2   Choose Change Certificate Password from the Certificates menu.

The VPN Client displays the Certificate Password dialog box (Figure 6-5).


Figure 6-5   Changing a Certificate Password


Step 3   Enter the current password and click OK.

Step 4   At the prompt, enter the new password and click OK.

Step 5   At the next prompt, enter the new password again to verify it and click OK.

The VPN Client responds with a success message.


Note   You can also change the password from the View dialog box.



Retrying an Enrollment Request

To retry a pending online enrollment request


Step 1   Select the enrollment request in the certificate store.

Step 2   Choose Retry Client Enrollment from the Certificates menu.

The VPN Client prompts you to enter a password. This password must match the password you are using to protect the certificate's private key, if any.

Step 3   Enter the password and click OK to resume the enrollment request.



Importing a Certificate

Your network administrator might give you a certificate as a file. This certificate must be imported into the certificate store before you can use it to authenticate the VPN Client to a VPN device.

To import a certificate from a file


Step 1   Click the Certificates tab.

Step 2   Click Import at the top of the VPN Client window. The Import Certificate dialog box appears (Figure 6-6).


Figure 6-6   Import Certificate


Step 3   Enter the import path.

If you do not know the location, browse to the folder where the certificate is located and click Open on the browser window. The import path is automatically entered in the Import Certificate dialog box.

Step 4   Enter the import password. This is the password that protects the certificate file; the system administrator who created the file assigns it.

Step 5   Enter the New Password—This is the password assigned by you to protect the certificate while it is in your certificate store. This password is optional but we recommend that you always protect your certificate with a password.

Step 6   Verify the New Password again.

Step 7   Click Import. The certificate is installed in the VPN Client certificate store.



Viewing a Certificate

To view the contents of a certificate in the certificate store


Step 1   Click the Certificates tab.

Step 2   Select the certificate to view.

Step 3   Click View at the top of the VPN Client window or double-click the certificate. The Certificate Properties window appears (Figure 6-7).


Figure 6-7   Certificate Properties


A typical digital certificate contains the following information:

Other items might be included in the Subject, depending on the certificate.

Step 4   Click Close to return to the VPN Client window.



Exporting a Certificate

To export a certificate from the certificate store to a specified file


Step 1   Click the Certificates tab.

Step 2   Select the certificate to export.

Step 3   Click Export at the top of the VPN Client window. The Export Certificate dialog box appears (Figure 6-8).


Figure 6-8   Export Certificate


Step 4   Enter the export path.

If you do not know the export path, browse to the export directory and click Open on the browser window. The export path is automatically entered in the Export Certificate dialog box.

Step 5   To export the entire certificate chain, check the box next to this parameter.

Step 6   Enter a password to protect the exported certificate file. We recommend that you always enter a password to protect your certificates.

Step 7   Verify the exported certificate file password.

Step 8   Click Export. The certificate is copied to the selected directory and a prompt (Figure 6-9) indicates whether the export is successful.


Figure 6-9   Successful Export Prompt


Step 9   Click OK to return to the VPN Client window.



Deleting a Certificate

You can delete any certificate from your certificate store. You must provide a password to delete an enrollment certificate.


Caution   You cannot retrieve a certificate that has been deleted.

To delete a user or root certificate


Step 1   Click the Certificates tab.

Step 2   Select the certificate to delete.

Step 3   Click Delete at the top of the VPN Client window. A warning prompt appears (Figure 6-10).


Figure 6-10   Delete Certificate Warning


Step 4   Verify the name of the certificate and click Delete. The selected certificate is deleted from the certificate store.

Click Do not Delete to return to the VPN Client window without deleting the selected certificate.



To delete an enrollment certificate


Step 1   Click the Certificates tab.

Step 2   Select the enrollment certificate to delete.

Step 3   Click Delete at the top of the VPN Client window. The Certificate Password dialog box appears (Figure 6-11).


Figure 6-11   Password Prompt for Deleting Enrollment Certificates


Step 4   Enter the Certificate Password for the selected certificate to delete.

The Certificate Password is the password assigned by you to protect the certificate while it is in your certificate store. This is the password set in the New Password field when you enrolled this certificate. See the "Enrolling Certificates" section.

Step 5   Click OK. The certificate is deleted from the certificate store.



Verifying a Certificate

To verify that a certificate is valid


Step 1   Click the Certificates tab.

Step 2   Select the certificate to verify.

Step 3   Click Verify at the top of the VPN Client window. A prompt appears (Figure 6-12) to indicate the validity of the certificate.


Figure 6-12   Verify Certificate


Step 4   Click OK to return to the VPN Client window.

If your certificate is invalid, contact the network administrator for instructions.



Changing the Password on a Personal Certificate

The certificate store also holds the certificates of the Certificate Authority (CA) or Registration Authority (RA) that issued your personal certificates. To show or hide these CA and RA certificates in the list, use the Show/Hide CA/RA Certificates option from the Certificates menu.

To change the password on a personal certificate


Step 1   Select a certificate from the certificate store under the Certificates tab.

Step 2   Display the Certificates menu and choose Change Certificate Password.

The VPN Client displays the Change Certificate Password dialog box. In the Current field, type the password you are currently using to protect your private key.

Step 3   In the New field, type the new password.

Step 4   In the Confirm field, type the same password again.

Step 5   Click OK.




Posted: Fri Apr 11 16:50:20 PDT 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.