Enrolling and Managing Certificates

This chapter explains how to enroll and manage personal certificates, specifically, how to perform the following tasks:

Obtain personal certificates through enrollment with a certificate authority (CA), which is an organization that issues digital certificates that verify that you are who you say you are. (See Using Certificate Stores for a description of personal certificates.)
Import certificates
Manage certificates and enrollment requests

To get started with certificates, open the Certificates tab on the VPN Client main window in advanced mode (Figure 6-1). The Certificates tab lists the certificates you currently have enrolled. If there are no certificate showing, you need to enroll with a CA or contact your system administrator.

View—Displays the details of the currently selected certificate (for example, common name, department and so on)
Import—Imports a certificate from a file or certificate store
Export—Exports the currently selected certificate
Enroll—Enrolls for a certificate with a certificate authority via the network or a file
Verify—Checks to see if the currently selected certificate has expired
Delete—Removes the currently selected certificate or certificate request from the certificate store

Using Certificate Stores

A certificate store is a location in your local file system that contains personal certificates. The major store for the VPN Client is the Cisco store, which contains certificates you have enrolled for through the Simple Certificate Enrollment Protocol (SCEP). Your system also includes a Microsoft certificate store that may contain certificates that your organization provides or that you have installed previously. You can manage them just like the certificates in your Cisco store, or you can import them to your Cisco store. New certificates obtained through enrollment or importing go into the Cisco store.

There are two types of Microsoft certificates: certificates for individuals to use and a Microsoft certificate for your local PC itself. So, if several people are using the same PC, each person can have his or her own certificate, and there can also be a certificate for the local system on Windows 2000 and Windows XP. On a Windows 98 system, you can use only non-exportable certificates with Internet Explorer version 5.1 SP2.

The Certificates tab displays a list of the certificates currently in your certificate stores (Figure 6-1). The display shows the following information:

Certificate—The name of the certificate
Store—The name of the store that contains the certificate; this can be Cisco, Microsoft, Microsoft machine, Request, CA, or RA
Key Size—The size of the key pair in bits (512, 1024, and so on) that protects the certificate
Validity—Expiration date of the certificate

Enrolling for a Certificate

Your system administrator may have already set up your VPN Client with digital certificates. If not, or if you want to add certificates, you can obtain a certificate by enrolling with a Certificate Authority (CA) over the network or by creating a file request.

Enrolling Through the Network

When you enroll for a personal certificate, either you go through a CA from which your system already has a root certificate or you obtain a root certificate from the CA as part of the enrollment process. The CA Certificates tab displays the current list of CA certificates. (See Figure 6-1.)

Use this section to gather the information before you begin. To enroll for a certificate with a CA over the network, follow this procedure:

Step 2 Click Online as the certificate type. There are two forms to fill out.

CA URL—The URL or network address of the CA. This parameter is required.
CA Domain—The CA's domain name. This parameter is required.
Challenge Password—Some CA's require a password to access their site. If such is the case with this CA, enter the password in the Challenge Password field. To find out the password, contact the CA or your network administrator.
New Password—The password that protects this certificate. If your connection entry requires certificate authentication, you must enter this password each time you connect. The password can be up to 32 characters in length. Passwords are case sensitive. For example, sKate8 and Skate8 are different passwords.

Step 4 Click Next. The VPN Client displays page two of the enrollment request (Figure 6-3).

Common Name—Your common name (CN), which is the unique name for this certificate. This field is required. The common name can be the name of a person, system, or other entity; it is the most specific level in the identification hierarchy. The common name becomes the name of the certificate; for example, Alice Wonderland.
Department—The name of the department to which you belong; for example, International Studies. This field correlates to the Organizational Unit (OU). The OU is the same as the Group Name configured in a VPN 3000 Series Concentrator, for example.
Company—The name of the company or organization (O) to which you belong; for example, University.
State—The name of your state (ST); for example, Massachusetts.
Country—The 2-letter country code for your country (C); for example, US. This two-letter country code must conform to ISO 3166 country abbreviations.
Email—Your email address (e); for example, alicew@university.edu.
IP Address—The IP address of your system, for example, 10.10.10.1.
Domain—The Fully Qualified Domain Name of the host for your system; for example, Dialin_Server.

Together, all these fields except IP address and domain comprise your distinguished name (DN).

Step 5 To complete the enrollment, click Enroll. (Or to edit the form click Back).

Some CAs provide immediate response. If so, you see a message that your enrollment succeeded. You can view and manage the certificate under the Certificates tab.
If the enrollment status is Request pending, your CA does not immediately approve your request. You see a status pending pop up window (Figure 6-4).

While you are waiting for the CA to issue the certificate, your request appears in the certificates list under the Certificates tab as a request. (The store column shows "Request".)
When the CA issues your certificate, choose the certificate and then choose Retry Certificate Enrollment from the Certificates menu to complete the enrollment. (See Figure 6-5.)

After you have obtained the certificate, you see a message that your enrollment succeeded (Figure 6-6).

Enrolling Through a File Request

Alternatively, you can enroll by creating a file using much the same form as for online enrollment. (See Figure 6-3.) Once you have created a request file, you can either e-mail it to the CA and receive a certificate back or you can access the CA's Web site and cut and paste the enrollment request in the area that the CA provides.

Binary encoded—A base-2 PKCS10 file (Public Key Cryptography Standard; for example, an X.509 DER file). You cannot display a binary-encoded file.
Base 64 encoded—An ASCII-encoded PKCS10 file that you can display in text format (for example, the request shown in Figure 6-8). Choose this type when you want to cut and paste the text into the CA Web site.

When you browse for an appropriate directory for placing the file request, the Certificate Manager shows only the files of the chosen file type.

You can save your file enrollment requests in the Certificates directory, which is a subdirectory of the directory where the VPN Client is installed.

An example of a complete pathname is c:
\program files\cisco systems\vpn client\certificates\p10req3.p10.

Step 4 In the New Password field, enter the password that protects this certificate. If your connection entry requires certificate authentication, you must enter this password each time you connect. The password can be up to 32 characters in length. Passwords are case sensitive. For example, sKate8 and Skate8 are different passwords.

Step 5 Click Next. The VPN Client displays page two of the form. This form is the same as the one used for enrolling via the network. See "Enrolling Through the Network".

The VPN Client displays a message to let you know whether your request succeeded. If successful, the message contains the name of the file. (See Figure 6-9 and Figure 6-10.)

Managing Personal and CA/RA Certificates

From the Certificates menu (Figure 6-11) or the toolbar above the Certificates tab, you can perform the following tasks to manage personal and CA/RA certificates.

View a certificate
Verify that a certificate is still valid (within the dates assigned to it and has not been revoked)
Export a certificate to a file that you can e-mail
Delete a certificate
For personal certificates only, change the certificate password (Certificates menu only)
For personal certificates only, retry certificate enrollment
Show or hide CA/RA certificates

Viewing a Certificate

To display a certificate, select it in the certificate store, then do one of the following:

Open the Certificates menu and choose View
Click View on the toolbar above the Certificates tab
Double-click the certificate

Figure 6-12 shows a sample certificate from a Microsoft certificate service provider. This is only an example. Not all certificates are guaranteed to look like this one.

A typical certificate such as that shown in Figure 6-12 contains the following information.

Common Name—The name of the owner, usually the first name and last name. This field identifies the owner within the Public Key Infrastructure (PKI organization).
Department—The name of the owner's department, which is same as the Organizational Unit (OU). Note that when connecting to a VPN 3000 Concentrator, the OU should generally match the Group Name configured for the owner in the VPN 3000 Concentrator.
Company—The organization where the owner is using the certificate.
State—The state where the owner is using the certificate.
Country—The two-character country code where the owner's system is located.
Email—The email address of the owner of the certificate.
Thumbprint—The MD5 and SHA-1 hash to the certificate's complete contents. This provides a way to validate the certificate's authenticity. For example, if you contact the issuing CA, you can use this identifier to verify that this is the correct certificate to use.
Key Size—The size of the signing key pair in bits; for example, 1024.
Subject—The fully qualified distinguished name (DN) of certificate's owner. This specific example includes the following parts. Other items may be included, depending on the certificate type. However, these fields are fairly standard.

cn is the common name.
ou is the organizational unit (department)
o is the organization
l is the locality (city or town).
st is the state or province of the owner.
c is the country.
e is the email address of the owner.

Issuer—The fully qualified distinguished name (DN) of the source that provided the certificate. The fields in this example are the same as for Subject.
Serial Number—A unique identifier used for tracking the validity of the certificate on Certificate Revocation Lists (CRLs).
Not Before—The beginning date that the certificate is valid.
Not After—The end date beyond which the certificate is no longer valid.

Importing a Certificate File

You can import a certificate into the Cisco store from the Microsoft store or from a file. The procedures vary slightly.

Importing a Certificate from a File

The Certificate Manager displays the Import Certificate Source dialog box. (See Figure 6-13.)

Import Path—The complete pathname for the certificate. You can type the name or browse your file system to locate the file.
Import Password—This password must exactly match the password given during enrollment (online) or given when exported (if a file), including upper and lower case letters. For example, sKate8 is not exactly the same as Skate8. In online enrollment, this password is kept with the certificate; in file enrollment, this password is not retained.
New Password—The password to be stored with the certificate. Use this password to protect the certificate while it is in the certificate store. This password is optional but we recommend that you always protect your certificate with a password.
Verify Password—The password that you enter here must match what you entered in the New Password field.

Step 4 To complete the import request, click Import or to cancel your request click Cancel.

Importing a Certificate from the Microsoft Certificate Store

To import a certificate from the Microsoft Certificate store, use the following procedure:

The Certificate Manager displays the Import Certificate dialog box. (See Figure 6-14.)

Step 3 New Password—The case-sensitive password to be stored with the certificate. This password is optional but we recommend that you always protect your certificate with a password.

Step 4 Verify Password—The password that you enter here must match what you entered in the New Password field.

Step 5 To complete the import request, click Import or to cancel your request click Cancel.

Verifying a Certificate

To see whether the certificate is valid, choose it in the certificate store, follow these steps:

Step 2 Display the Certificates menu, and choose Verify or click the Verify icon on the toolbar above the Certificates tab.

The VPN Client displays a message such as the one in Figure 6-15 indicating whether the certificate is still valid.

The following table shows the messages you might see when you check the validity of your certificate

Message	Description
`Certificate is not valid yet`	The current date is prior to the certificate's valid start date. You must wait until the certificate becomes valid.
`Certificate has expired`	The current date is after the certificate's valid end date. You need to enroll for a new certificate.
`Certificate signature is not valid`	You do not have the CA certificate, or the CA certificate that you have may have expired. You might need to download or import the CA certificate.
`Certificate <`name> is valid	You have a working certificate enrolled.

Deleting a Certificate

Step 2 Display the Certificates menu and choose Delete, or click the Delete icon in the toolbar above the Certificates tab.

Step 3 In the Password field, type the password given to the certificate during enrollment and click OK.

Step 4 The VPN Client asks you to confirm that you want to delete this certificate (Figure 6-16). To delete the certificate, click Delete. To cancel the deletion, click Do Not Delete (the default).

Changing the Password on a Personal Certificate

Step 2 Display the Certificates menu and choose Change Certificate Password

The VPN Client displays the Change Certificate Password dialog box. In the Current field, type the password you are currently using to protect your private key.

Step 5 Click OK. The VPN Client confirms that you have successfully changed your password (Figure 6-17).

Exporting a Certificate

You may want to export a certificate, primarily for backing up your certificate and private key or moving them to another system. When you export a certificate, you are making a copy of it.

Step 2 In the Export path field, enter the path for the exported certificate or use the Browse feature to locate a target directory for the exported certificate.

Step 3 To export the CA and/or RA certificate with your personal certificate, check the Export entire certificate chain check box.

Step 4 In the Password field, enter an optional password to protect the export file. Then enter it again in the Verify Password field.

The VPN Client displays a message indicating whether your certificate export was successful.

Showing CA/RA Certificates

You can view, but not modify, the current list of CA and RA certificates by selecting Show CA/RA Certificates from the Certificates menu. The VPN Client displays the list in a new window (Figure 6-19).

Managing Enrollment Requests

While a request is pending approval by the CA administration, the VPN Client places the enrollment request in the list under the Certificates tab. You can view, delete, or change the password on any request in the list; or you can retry a network enrollment request. To perform any of these actions, click the Certificates tab and select the action on the Certificates menu. (See Figure 6-20.)

Viewing the Enrollment Request

To display the enrollment request, select the request, display the Certificates menu and choose View from the Certificates menu. The VPN Client displays the pending request. (See Figure 6-21.)

Note that the Issuer field shows the subject name and not the name of the CA, since the CA has not yet issued the certificate.

Deleting an Enrollment Request

Step 2 Type the password in the Password field (if there is one) and click OK.

The VPN Client verifies the password. If the password is correct, the VPN Client deletes the request.

Changing the Password on an Enrollment Request

To change the certificate password on an enrollment request, use this procedure:

Step 2 Display the Certificates menu and choose Change Certificate Password.

Step 5 At the next prompt, type your new password again to verify it and click OK.

Completing an Enrollment Request

Choose Retry from the Certificates menu.
Right-click the selected certificate on the Certificates tab and choose Retry from the menu that appears (Figure 6-24).

Table of Contents