
Table Of Contents

Administration

Administration

Administration | Software Update

Current Software Revision

Browse...

Upload/Cancel

Software Update Progress

Software Update Success

Software Update Error

Administration | System Reboot

Action

Configuration

When to Reboot/Shutdown

Apply/Cancel

Administration | Ping

Address/Hostname to Ping

Ping/Cancel

Success (Ping)

Error (Ping)

Administration | Traceroute

Address/Hostname

Max TTL

Reverse Resolve

Use UDP

Port

Apply/Cancel

Administration | Access Rights

Administration | Access Rights | Administrators

Administrator

Password

Verify

Enabled

Apply/Cancel

Administration | Access Rights | Access Settings

Session Idle Timeout

Session Limit

Config File Encryption

Apply/Cancel

Administration | File Management

View (Save)

Delete

Swap Config Files

Config File Upload via HTTP

Administration | File Management | Swap Config Files

OK/Cancel

Administration | File Management | Config File Upload

Local Config File/Browse...

Upload/Cancel

File Upload Progress

File Upload Success

File Upload Error

Certificate Management

The Role of Time

Configuring Digital Certificates: SCEP and Manual Methods

Tasks Summary

Managing Certificates with SCEP

Obtaining and Installing CA Certificates Automatically Using SCEP

Enrolling and Installing Identity Certificates Automatically Using SCEP

Enrolling and Installing Certificates Manually

Obtaining and Installing CA Certificates Manually

Creating an Enrollment Request for an Identity Certificate Manually

Requesting an Identity Certificate from a CA Manually

Installing the Identity Certificate on the VPN 3002 Manually

Obtaining SSL Certificates

Enabling Digital Certificates on the VPN 3002

Deleting Digital Certificates

Administration | Certificate Management

Certificate Authorities Table

Identity Certificates Table

SSL Certificate Table

SSH Host Key Table

Enrollment Status Table

Administration | Certificate Management | Enroll

Identity Certificate

SSL Certificate

Administration | Certificate Management | Enroll | Certificate Type

Enroll via PKCS10 Request (Manual)

Enroll via SCEP at [Name of SCEP CA]

Install a New SA Using SCEP before Enrolling

<< Go back and choose a different type of certificate

Administration | Certificate Management | Enroll | Certificate Type | PKCS10

Fields

Enroll / Cancel

Administration | Certificate Management | Enrollment or Renewal | Request Generated

Go to Certificate Management

Go to Certificate Enrollment

Go to Certificate Installation

Administration | Certificate Management | Enroll | Identity Certificate | SCEP

Fields

Enroll / Cancel

Administration | Certificate Management | Enroll | SSL Certificate | SCEP

Fields

Enroll

Cancel

Administration | Certificate Management | Install

Install CA Certificate

Install SSL Certificate with Private Key

Install Certificate Obtained via Enrollment

Administration | Certificate Management | Install | Certificate Obtained via Enrollment

Enrollment Status Table

<< Go back and choose a different type of certificate

Administration | Certificate Management | Install | Certificate Type

SCEP (Simple Certificate Enrollment Protocol)

Cut & Paste Text

Upload File from Workstation

<< Go back and choose a different type of certificate

Administration | Certificate Management | Install | CA Certificate | SCEP

URL

CA Descriptor

Retrieve / Cancel

Administration | Certificate Management | Install | Certificate Type | Cut and Paste Text

Certificate Text

Password

Interface

Install / Cancel

Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation

Filename / Browse

Password

Interface

Install / Cancel

Administration | Certificate Management | View

Certificate Fields

Back

Administration | Certificate Management | Configure CA Certificate

Certificate

SCEP Configuration

Apply / Cancel

Administration | Certificate Management | Renewal

Certificate

Renewal Type

Enrollment Method

Challenge Password

Verify Challenge Password

Renew / Cancel

Administration | Certificate Management | Activate or Re-Submit | Status

Status

Go to Certificate Management

Go to Certificate Enrollment

Go to Certificate Installation

Administration | Certificate Management | Delete

Fields

Yes / No

Administration | Certificate Management | Generate SSL Certificate

Choose the RSA Keysize

Generate/Cancel

Administration | Certificate Management | Export SSL Certificate

Enter Password

Verify Password

Export/Cancel

Administration | Certificate Management | Generate SSH Host Key

Choose the RSA Keysize

Generate/Cancel

Administration | Certificate Management | View Enrollment Request

Enrollment Request Fields

Back

Administration | Certificate Management | Cancel Enrollment Request

Fields

Yes / No

Administration | Certificate Management | Delete Enrollment Request

Fields

Yes / No


Administration


Administering the VPN 3002 involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level activities such as who is allowed to configure the system, and what software runs on it.

Administration

This section of the Manager lets you control administrative functions on the VPN 3002.

Software Update: upload and update the VPN 3002 software image.

System Reboot: set options for VPN 3002 shutdown and reboot.

Ping: use ICMP ping to determine connectivity.

Access Rights: configure administrator profiles, access, and sessions.

Administrators: configure administrator usernames, passwords, and rights.

Access Settings: set administrative session idle timeout and limits.

Config File Management: manage configuration files.

View Configuration Files: view the configuration file currently on the VPN 3002.

Swap Configuration Files: swap backup and boot configuration files.

Upload Configuration Files: upload a new configuration file to the VPN 3002.

Certificate Management: install and manage digital certificates.

Enrollment: create a certificate request to send to a Certificate Authority.

Installation: install digital certificates.

Certificates: view, modify, and delete digital certificates.

Figure 12-1 Administration Screen

Administration | Software Update

This section of the Manager lets you update the VPN 3002 executable system software. This process uploads the file to the VPN 3002, which then verifies the integrity of the file.

The new image file must be accessible by the workstation you are using to manage the VPN 3002. Software image files ship on the Cisco VPN 3002 CD-ROM. Updated or patched versions are available from the Cisco Website, www.cisco.com, under Service & Support > Software Center.

It takes a few minutes to upload and verify the software, and the system displays the progress. Please wait for the operation to finish.

To run the new software image, you must reboot the VPN 3002. The system prompts you to reboot when the update is finished.

We also recommend that you clear your browser cache after you update the software image: delete all the temporary internet files, history files, and location bar references.


Note The VPN 3002 has two locations for storing image files: the active location, which stores the image currently running on the system; and the backup location. Updating the image overwrites the stored image file in the backup location and makes it the active location for the next reboot. Updating twice, therefore, overwrites the image file in the active location; and the current image file is lost. The Manager displays a warning on this screen if you have already updated the image without rebooting.



Caution You can update the software image while the system is still operating as a VPN device. Rebooting the system, however, terminates all active sessions.


Caution While the system is updating the image, do not perform any other operations that affect Flash memory (listing, viewing, copying, deleting, or writing files.) Doing so might corrupt memory.

Updating the software image also makes available any new Cisco-supplied configurable selections. When you reboot with the new image, the system updates the active configuration in memory with these new selections, but it does not write them to the CONFIG file until you click the Save Needed icon in the Manager window.
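The two-location behavior described in the Note above (an update writes to the backup location and makes it the boot location, so a second update before a reboot overwrites the running image) is easy to get wrong when scripting upgrades. The following Python model is an added illustration, not code from the VPN 3002 or from this manual; the SHA-256 digest check stands in for the unspecified integrity verification the device performs, and the image names other than the one quoted above are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Image:
    name: str
    data: bytes
    expected_sha256: str   # digest shipped with the file (assumed; the page only says the device verifies integrity)


def make_image(name: str, data: bytes) -> Image:
    """Construct a sample image whose digest matches its contents."""
    return Image(name, data, hashlib.sha256(data).hexdigest())


class ImageSlots:
    """Two image locations: one holds the running image, the other is the backup.
    An update writes to the backup location, which then becomes the boot location."""

    def __init__(self, running: Image):
        self.slots: List[Optional[Image]] = [running, None]
        self.running_slot = 0   # location of the image currently executing
        self.boot_slot = 0      # location loaded at the next reboot

    @property
    def update_pending(self) -> bool:
        """True when an image was updated but the system has not rebooted yet."""
        return self.boot_slot != self.running_slot

    def update(self, image: Image) -> str:
        """Verify the upload, then store it. Returns the warning the Manager would show (empty if none)."""
        if hashlib.sha256(image.data).hexdigest() != image.expected_sha256:
            # Software Update Error: nothing stored in Flash is touched
            raise ValueError("integrity check failed; image rejected")
        warning = ""
        target = 1 - self.boot_slot   # the current backup location
        if target == self.running_slot:
            # Second update without a reboot: the backup location now holds the running image
            warning = "already updated without reboot: the running image will be overwritten and lost"
        self.slots[target] = image
        self.boot_slot = target
        return warning

    def reboot(self) -> Image:
        """Boot from the boot location; it becomes the running location."""
        self.running_slot = self.boot_slot
        return self.slots[self.running_slot]

    def stored_names(self) -> List[Optional[str]]:
        return [img.name if img else None for img in self.slots]
```

Checking `update_pending` before starting a second upload is the scripted equivalent of reading the warning on this screen.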

Figure 12-2 Administration | Software Update Screen

Current Software Revision

The name, version number, and date of the software image currently running on the system.

Browse...

Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3002 software image files are named:

vpn3002-<Major Version>.<Minor Version>.<Patch Version>.bin; for example, vpn3002-3.5.Rel-k9.bin.

The Major and Minor Version numbers are always present; the Sustaining and Patch Version numbers are present only if needed.

Be sure you select the correct file for your VPN 3002; otherwise the update will fail.

Upload/Cancel

To upload the new image file to the VPN 3002, click Upload.

To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The Manager returns to the main Administration screen. If you then return to the Administration | Software Update screen, you might see a message that a file upload is in progress. Click the highlighted link to stop it and clear the message.

Software Update Progress

This window shows the progress of the software upload. It refreshes the number of bytes transferred at 10-second intervals.

Figure 12-3 Administration | Software Update Progress Window

When the upload is finished, or if the upload is cancelled, the progress window closes.

Software Update Success

The Manager displays this screen when it completes the software upload and verifies the integrity of the software. To go to the Administration | System Reboot screen, click the highlighted link.

We strongly recommend that you clear your browser cache after you update the software image: delete all the temporary internet files, history files, and location bar references.

Figure 12-4 Administration | Software Update Success Screen

Software Update Error

This screen appears if there was an error in uploading or verifying the image file. You might have selected the wrong file. Click the highlighted link to return to the Administration | Software Update screen and try the update again, or contact Cisco support.

Figure 12-5 Administration | Software Update Error Screen

Administration | System Reboot

This screen lets you reboot or shutdown (halt) the VPN 3002 with various options.

We strongly recommend that you shut down the VPN 3002 before you turn power off. If you just turn power off without shutting down, you might corrupt Flash memory and affect subsequent operation of the system.

If you are logged in the Manager when the system reboots or halts, it automatically logs you out and displays the main login screen. The browser might appear to hang during a reboot; that is, you cannot log in and you must wait for the reboot to finish. You can log back in while the VPN 3002 is in a shutdown state, before you turn power off.

If a delayed reboot or shutdown is pending, the Manager also displays a message that describes when the action is scheduled to occur.


Note A reboot or shutdown that does not wait for sessions to terminate ends all active sessions without warning and prevents new user sessions.


The VPN 3002 automatically saves the current event log file as SAVELOG.TXT when it reboots, and it overwrites any existing file with that name. See Configuration | System | Events | General, Administration | Config File Management, and Monitoring | Filterable Event Log for more information on the event log file.

Figure 12-6 Administration | System Reboot Screen

Action

Click a radio button to select the desired action. You can select only one action.

Reboot = Reboot the VPN 3002. Rebooting terminates all sessions, resets the hardware, loads and verifies the software image, executes system diagnostics, and initializes the system. A reboot takes about 60-75 seconds. (This is the default selection.)

Shutdown without automatic reboot = Shut down the VPN 3002; that is, bring the system to a halt so you can turn off the power. Shutdown terminates all sessions and prevents new user sessions (but not administrator sessions). While the system is in a shutdown state, the SYS LEDs blink on the front panel.

Cancel a scheduled reboot/shutdown = Cancel a reboot or shutdown that is waiting for a certain time or for sessions to terminate. (This is the default selection if a reboot or shutdown is pending.)

Configuration

Click a radio button to select the configuration file handling at reboot. These selections apply to reboot only. You can select only one option.

Save the active configuration at time of reboot = Save the active configuration to the CONFIG file, and reboot using that new file.

Reboot without saving the active configuration = Reboot using the existing CONFIG file and without saving the active configuration. (This is the default selection.)

Reboot ignoring the Configuration file = Reboot using all the factory defaults; that is, start the system as if it had no CONFIG file. You will need to go through all the Quick Configuration steps described in the VPN 3002 Getting Started manual, including setting the system date and time and supplying an IP address for the Ethernet 1 (private) interface, using the system console. This option does not destroy any existing CONFIG file, and it does not reset Administrator parameter settings.

When to Reboot/Shutdown

Click a radio button to select when to reboot or shutdown. You can select only one option.

Now = Reboot or shutdown as soon as you click Apply. (This is the default selection.)

Delayed by [NN] minutes = Reboot or shutdown NN minutes from when you click Apply, based on system time. Enter the desired number in the field; the default is 10 minutes. (FYI: 1440 minutes = 24 hours.)

At time [HH:MM] = Reboot or shutdown at the specified system time, based on a 24-hour clock. Enter the desired time in the field. Use 24-hour notation and enter numbers in all positions. The default is 10 minutes after the current system time.

Wait for sessions to terminate (do not allow new sessions) = Reboot or shutdown as soon as the last session terminates, and do not allow any new sessions in the meantime. If you (the administrator) are the last session, you must log out for the system to reboot or shutdown.

Apply/Cancel

To take action with the selected options, click Apply. The Manager returns to the main Administration screen if you do not reboot or shutdown now.

To cancel your settings on this screen, click Cancel. The Manager returns to the main Administration screen. (Note that this Cancel button does not cancel a scheduled reboot or shutdown.)

Administration | Ping

This screen lets you use the ICMP ping (Packet Internet Groper) utility to test network connectivity. Specifically, the VPN 3002 sends an ICMP Echo Request message to a designated host. If the host is reachable, it returns an Echo Reply message, and the Manager displays a Success screen. If the host is not reachable, the Manager displays an Error screen.

You can also Ping hosts from the Administration | Sessions screen.

Figure 12-7 Administration | Ping Screen

Address/Hostname to Ping

Enter the IP address or hostname of the system you want to test. (If you configured a DNS server, you can enter a hostname; otherwise, enter an IP address.) Maximum is 64 characters.

Ping/Cancel

To send the ping message, click Ping. The Manager pauses during the test, which might take a few moments; please wait for the operation to finish. The Manager then displays either a Success or Error screen; see below.

To cancel your entry on this screen, click Cancel. The Manager returns to the main Administration screen.

Success (Ping)

If the system is reachable, the Manager displays a Success screen with the name of the tested host, as well as the amount of time, in milliseconds, between when the VPN 3002 sent the ping message, and when it received a response.

Figure 12-8 Administration | Ping | Success Screen

Continue

To return to the Administration | Ping screen, click Continue.

Error (Ping)

If the system is unreachable for any reason (host down, ICMP not running on the host, route not configured, intermediate router down, network down or congested, and so on), the Manager displays an Error screen with the name of the tested host. To troubleshoot the connection, try to Ping other hosts that you know are working.

Figure 12-9 Administration | Ping | Error Screen

To return to the Administration | Ping screen, click Retry the operation.

To go to the main Manager screen, click Go to main menu.

Administration | Traceroute


Caution Traceroute requires Sun Microsystems Java™ Runtime Environment (JRE) 1.4.1. If you do not have JRE installed, do not attempt to run this feature. Running Traceroute without JRE causes the VPN 3002 Manager to fail.

Traceroute is a helpful tool for troubleshooting connectivity problems. The Traceroute feature lets you trace the path a data packet takes through the Internet between the VPN 3002 and a destination device. The VPN 3002 sends an ICMP or UDP probe to the destination device, then reports the probe's route, the number of hops, and the time between hops.

Figure 12-10 Administration | Traceroute Screen

Address/Hostname

Enter the IP address or hostname of the destination device. If you enter an IP address, use dotted decimal notation (for example, 192.168.12.34).

Max TTL

Enter the maximum number of hops for probe packets. Traceroute stops after this many hops. Valid entries are 1 to 255 hops. The default is 30 hops.

Reverse Resolve

Check the Reverse Resolve check box to resolve the hostnames of intermediate hops to their IP addresses. The default is checked.

Use UDP

Check the Use UDP check box to send UDP packets rather than ICMP pings (the default).

Port

If you checked Use UDP, enter the UDP destination port number. The default port number is 33434.

Apply/Cancel

To run the Traceroute command with these settings, click Apply. To discard your settings, click Cancel. The Manager returns to the Administration screen.
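Both the Ping screen (ICMP Echo Request and Echo Reply) and the Traceroute screen (UDP or ICMP probes answered by intermediate hops) rest on the same ICMP message format. The Python below is an added example, not code from the VPN 3002 or this manual: it builds an Echo Request with the RFC 1071 checksum, wraps messages in a minimal IPv4 header, and parses a received packet into either a ping reply or a hop report, rejecting anything with a bad checksum. The addresses, identifiers and the UDP source port are constructed sample values; the destination port 33434 is the default quoted above.

```python
import socket
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11
PROTO_ICMP, PROTO_UDP = 1, 17
TRACEROUTE_UDP_PORT = 33434   # default destination port from the Traceroute screen


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _icmp(itype: int, code: int, rest: int, body: bytes) -> bytes:
    """Generic 8-byte ICMP header plus body, with the checksum filled in."""
    header = struct.pack("!BBHI", itype, code, 0, rest)
    csum = inet_checksum(header + body)
    return struct.pack("!BBHI", itype, code, csum, rest) + body


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """What a ping sends: Echo Request (type 8) carrying an identifier and sequence number."""
    return _icmp(ICMP_ECHO_REQUEST, 0, (ident << 16) | seq, payload)


def build_echo_reply(ident: int, seq: int, payload: bytes) -> bytes:
    """What a reachable host returns (type 0); used here to construct sample replies."""
    return _icmp(ICMP_ECHO_REPLY, 0, (ident << 16) | seq, payload)


def build_time_exceeded(expired_probe: bytes) -> bytes:
    """What a traceroute hop returns (type 11): quotes the probe's IP header plus 8 bytes."""
    return _icmp(ICMP_TIME_EXCEEDED, 0, 0, expired_probe[:28])   # assumes a 20-byte IP header


def build_udp_header(sport: int, dport: int, payload_len: int = 0) -> bytes:
    """UDP header with the (optional for IPv4) checksum left at zero."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def wrap_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Prepend a minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, ttl, proto, payload); reject anything that is not a sane IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("not IPv4 or bad header checksum")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), ttl, proto, packet[ihl:total_len]


def parse_icmp(ip_packet: bytes) -> dict:
    """Classify a received packet as a ping reply or a traceroute hop report, checksum verified."""
    src, _, _, proto, icmp = parse_ipv4(ip_packet)
    if proto != PROTO_ICMP:
        raise ValueError("not ICMP")
    if len(icmp) < 8 or inet_checksum(icmp) != 0:   # a valid message checksums to zero
        raise ValueError("truncated ICMP message or bad checksum")
    itype, code, _, rest = struct.unpack("!BBHI", icmp[:8])
    info = {"from": src, "type": itype, "code": code}
    if itype == ICMP_ECHO_REPLY:
        info.update(ident=rest >> 16, seq=rest & 0xFFFF, data=icmp[8:])
    elif itype == ICMP_TIME_EXCEEDED:
        # Identify which probe expired at this hop from the quoted header plus 8 bytes
        _, probe_dst, _, probe_proto, l4 = parse_ipv4(icmp[8:])
        info["probe_dst"] = probe_dst
        if probe_proto == PROTO_UDP:
            info["probe_udp_port"] = struct.unpack("!HH", l4[:4])[1]
        elif probe_proto == PROTO_ICMP:
            prest = struct.unpack("!BBHI", l4[:8])[3]
            info.update(probe_ident=prest >> 16, probe_seq=prest & 0xFFFF)
    return info
```

Sending these packets on a real network needs a raw socket and the appropriate privileges; the functions above work on bytes only, so the parsing and checksum logic can be exercised offline with constructed packets.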

Administration | Access Rights

This section of the Manager lets you configure and control administrative access to the VPN 3002.

Administrators: configure administrator usernames, passwords, and rights.

Access Settings: set administrative session timeout and limits.

Figure 12-11 Administration | Access Rights Screen

Administration | Access Rights | Administrators

Administrators are special users who can access and change the configuration, administration, and monitoring functions on the VPN 3002. Only administrators can use the VPN 3002 Hardware Client Manager.

This section of the Manager lets you change administrator properties and rights. Any changes take effect as soon as you click Apply.

Figure 12-12 Administration | Access Rights | Administrators Screen

Administrator

The VPN 3002 has three predefined administrators:

admin = System administrator with access to, and rights to change, all areas. This is the only administrator enabled by default; in other words, this is the only administrator who can log in to, and use, the VPN 3002 Hardware Client Manager as supplied by Cisco.

config = Configuration administrator with access rights to Quick Configuration and monitoring management options only.

monitor = Monitor administrator with rights to monitoring management options only.


Note The VPN 3002 saves Administrator parameter settings from this screen in nonvolatile memory, not in the active configuration (CONFIG) file. Thus, these settings are retained even if the system loses power. These settings are also retained even if you reboot the system with the factory configuration file.


Password

Enter or edit the unique password for this administrator. Maximum is 31 characters. The field displays only asterisks.


Note The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password.


Verify

Re-enter the password to verify it. The field displays only asterisks.

Enabled

Check the box to enable, or clear the box to disable, an administrator. Only enabled administrators can log in to, and use, the VPN 3002 Hardware Client Manager. You must enable at least one administrator, and you can enable all administrators. By default, only admin is enabled.

Apply/Cancel

To save the settings on this screen in nonvolatile memory, click Apply. The settings immediately affect new sessions. The Manager returns to the Administration | Access Rights screen.

To discard your settings or changes, click Cancel. The Manager returns to the Administration | Access Rights screen.

Administration | Access Rights | Access Settings

This screen lets you configure general options for administrator access to the Manager.

Figure 12-13 Administration | Access Rights | Access Settings Screen

Session Idle Timeout

Enter the idle timeout period in seconds for administrative sessions. If there is no activity for the period, the Manager session terminates. Minimum is 1, default is 600, and maximum is 1800 seconds (30 minutes).

The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.) or a link on a screen—that is, when you invoke a different screen. Entering values or setting parameters on a given screen does not reset the timer.

Session Limit

Enter the maximum number of simultaneous administrative sessions allowed. Minimum is 1, default is 10, and maximum is 50 sessions.

Config File Encryption

To encrypt sensitive entries in the CONFIG file, check the box (default). The CONFIG file is in ASCII text format (.INI format). Check this box to encrypt entries such as passwords, keys, and user information.

To use clear text for all CONFIG file entries, clear the box. For maximum security, we do not recommend this option.
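The Administrators and Access Settings screens together define the administrative access policy: three predefined accounts shipped with password equal to username, an enabled flag with at least one account enabled, an idle timeout that only action buttons and links reset, and a cap on simultaneous sessions. The Python below is an added model of those rules for review or audit scripting; it is not the VPN 3002's own implementation, and the salted PBKDF2 password storage is an assumption of this model, not the device's format. The monitor password is a constructed sample.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Limits from the Access Settings and Administrators screens
MIN_TIMEOUT, DEFAULT_TIMEOUT, MAX_TIMEOUT = 1, 600, 1800        # seconds
MIN_SESSIONS, DEFAULT_SESSIONS, MAX_SESSIONS = 1, 10, 50
MAX_PASSWORD_LEN = 31


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 is this model's choice; the device's credential storage is not described here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Administrator:
    name: str
    enabled: bool
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, name: str, password: str, enabled: bool) -> "Administrator":
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError("password longer than 31 characters")
        salt = os.urandom(16)
        return cls(name, enabled, salt, _hash(password, salt))

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def uses_default_password(self) -> bool:
        """The shipped default password equals the username."""
        return self.check(self.name)


@dataclass
class Session:
    admin: str
    last_action: float   # time of the last action button or link click


class AccessController:
    def __init__(self, idle_timeout: int = DEFAULT_TIMEOUT, session_limit: int = DEFAULT_SESSIONS):
        if not MIN_TIMEOUT <= idle_timeout <= MAX_TIMEOUT:
            raise ValueError("idle timeout must be 1..1800 seconds")
        if not MIN_SESSIONS <= session_limit <= MAX_SESSIONS:
            raise ValueError("session limit must be 1..50")
        self.idle_timeout = idle_timeout
        self.session_limit = session_limit
        self.admins: Dict[str, Administrator] = {}
        self.sessions: Dict[str, Session] = {}

    def add_admin(self, admin: Administrator) -> None:
        self.admins[admin.name] = admin

    def set_enabled(self, name: str, enabled: bool) -> None:
        """At least one administrator must stay enabled."""
        others = [a for a in self.admins.values() if a.enabled and a.name != name]
        if not enabled and not others:
            raise ValueError("cannot disable the last enabled administrator")
        self.admins[name].enabled = enabled

    def weak_accounts(self) -> List[str]:
        """Accounts still using the shipped default password, enabled or not."""
        return sorted(a.name for a in self.admins.values() if a.uses_default_password())

    def _expire_idle(self, now: float) -> None:
        for token, s in list(self.sessions.items()):
            if now - s.last_action > self.idle_timeout:
                del self.sessions[token]

    def login(self, name: str, password: str, now: float) -> Optional[str]:
        """Returns a session token, or None if the login is refused."""
        self._expire_idle(now)
        admin = self.admins.get(name)
        if admin is None or not admin.enabled or not admin.check(password):
            return None
        if len(self.sessions) >= self.session_limit:
            return None   # Session Limit reached
        token = os.urandom(16).hex()
        self.sessions[token] = Session(name, now)
        return token

    def action(self, token: str, now: float) -> bool:
        """An action button or link click. Only this resets the idle timer; editing fields does not."""
        self._expire_idle(now)
        session = self.sessions.get(token)
        if session is None:
            return False   # timed out or never existed
        session.last_action = now
        return True
```

`weak_accounts()` is the check worth running first on any unit: a disabled account that still carries its default password becomes a problem the moment someone enables it.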

Apply/Cancel

To save your settings in the active configuration, click Apply. The Manager returns to the Administration | Access Rights screen.

To cancel your settings, click Cancel. The Manager returns to the Administration | Access Rights screen.

Administration | File Management

This section of the Manager lets you manage files in VPN 3002 Flash memory. (Flash memory acts like a disk.) These files include CONFIG, CONFIG.BAK, saved log files, memory reports, and copies of any of these files that you have saved under different names.

Figure 12-14 Administration | File Management | View Screen

View (Save)

View Files lets you view configuration and saved log files. You can also save these files to the PC on which you are viewing them.

To view a file, click View next to the type of file you want to see. The Manager opens a new browser window to display the file, and the browser address bar shows the filename.

You can also save a copy of the file on the PC that is running the browser. Click the File menu on the new browser window and select Save As.... The browser opens a dialog box that lets you save the file. The default filename is the same as on the VPN 3002.


Note Be sure to save a configuration file as a .TXT file, not a .HTM file. Some browser versions default to saving the file as an .HTM file, so you may need to change the file type. Saving the file as an .HTM file causes some data to be added to the top of the configuration file that is not valid configuration data. If you subsequently upload the file containing the invalid data to the VPN Concentrator or VPN 3002, it may cause unpredictable results.


Alternatively, you can use the secondary mouse button to click View on this Manager screen. A pop-up menu presents choices whose exact wording depends on your browser, but among them are:

Open Link, Open Link in New Window, Open in New Window = Open and view the file in a new browser window, as above.

Save Target As..., Save Link As... = Save a copy of the file on your PC. Your system will prompt for a filename and location. The default filename is the same as on the VPN 3002.

When you are finished viewing or saving the file, close the new browser window.

Delete

Delete lets you delete configuration files, saved log files, crash dump files, and memory reports. To delete a file, click Delete next to the type of file you want to delete. When you select this option, a pop-up window displays asking you to confirm or cancel. If you confirm, the file is deleted; the Manager refreshes the screen and shows the revised list of files. There is no undo.

Swap Config Files

Swap Config Files lets you swap the boot configuration file with the backup configuration file. When you select this option, the Administration | File Management | Swap Config Files window displays.

Config File Upload via HTTP

Config File Upload allows you to upload a configuration file. When you select this option, the Administration | File Management | Config File Upload window displays.

Administration | File Management | Swap Config Files

This screen lets you swap the boot configuration file with the backup configuration file. Every time you save the active configuration, the system writes it to the CONFIG file, which is the boot configuration file; and it saves the previous CONFIG file as CONFIG.BAK, the backup configuration file.

To reload the boot configuration file and make it the active configuration, you must reboot the system. When you click OK, the system automatically goes to the Administration | System Reboot screen, where you can reboot the system. You can also click the highlighted link to go to that screen.

Figure 12-15 Administration | File Management | Swap Config Files Screen

OK/Cancel

To swap CONFIG and CONFIG.BAK files, click OK. The Manager goes to the Administration | System Reboot screen.

To leave the files unchanged, click Cancel. The Manager returns to the Administration | File Management | View screen.

Administration | File Management | Config File Upload

This screen lets you use HTTP (Hypertext Transfer Protocol) to transfer a configuration file from your PC, or a system accessible from your PC, to the VPN 3002 Flash memory.

This function provides special handling for configuration (config) files. If the uploaded file has the VPN 3002 filename config, the system deletes any existing config.bak file, renames the existing config file as config.bak, then writes the new config file. However, these actions occur only if the file transfer is successful, so existing files are not corrupted.

To use these functions, you must have Administrator or Configuration Access Rights. See the Administration | Access Rights | Administrators screen.

Figure 12-16 Administration | File Management | Config File Upload Screen

Local Config File/Browse...

Enter the name of the file on your PC. In a Windows environment, enter the complete pathname using MS-DOS syntax; for example, c:\vpn3002\config0077. You can also click the Browse button to open a file navigation window, find the file, and select it.

Upload/Cancel

To upload the file to the VPN 3002, click Upload. The Manager opens the File Upload Progress window.

To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The Manager returns to the Administration | File Management | View screen. Stopping an upload might leave a temporary file in VPN 3002 Flash memory. Such files are named TnnnF.nnn (for example, T003F.002). You can delete them on the Administration | File Management | View Config Files screen.
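The upload handling described above (write the new file only after a complete transfer, then rotate config to config.bak, and possibly leave a TnnnF.nnn temp file if the transfer is cut off) is a standard safe-replace pattern. The Python below is an added example that reproduces it on a local directory standing in for Flash memory; it is not the VPN 3002's code. It also applies the earlier Note about files saved as .HTM by refusing an upload whose first bytes are markup rather than INI text. The temp-file numbering and the config contents are constructed.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, List

TEMP_NAME_RE = re.compile(r"^T\d{3}F\.\d{3}$")   # interrupted uploads leave files like T003F.002


def looks_like_config(head: bytes) -> bool:
    """A real CONFIG file is INI-style text; a browser that saved it as .HTM prepends markup."""
    return not head.lstrip().startswith(b"<")


def _temp_path(flash: Path) -> Path:
    n = 1
    while (flash / f"T{n:03d}F.001").exists():   # numbering scheme is this example's own
        n += 1
    return flash / f"T{n:03d}F.001"


def upload_config(flash: Path, target_name: str, chunks: Iterable[bytes]) -> Path:
    """Stream an upload into a temp file; only a complete transfer rotates config -> config.bak."""
    chunks = iter(chunks)
    head = next(chunks, b"")
    if not looks_like_config(head):
        raise ValueError("not a CONFIG file (HTML detected; was it saved as .HTM?)")
    tmp = _temp_path(flash)
    with open(tmp, "wb") as f:          # if the transfer raises, the temp file stays behind
        f.write(head)
        for chunk in chunks:
            f.write(chunk)
    target = flash / target_name
    if target_name.lower() == "config":
        bak = flash / "config.bak"
        if bak.exists():
            bak.unlink()                # delete any existing config.bak
        if target.exists():
            target.rename(bak)          # existing config becomes config.bak
    os.replace(tmp, target)             # the new file takes the target name
    return target


def leftover_temp_files(flash: Path) -> List[str]:
    return sorted(p.name for p in flash.iterdir() if TEMP_NAME_RE.match(p.name))


def demo() -> dict:
    """Run the three cases (success, interrupted, HTML-wrapped) in a throwaway directory."""
    flash = Path(tempfile.mkdtemp(prefix="flash-"))
    try:
        (flash / "config").write_bytes(b"[ip]\naddr=192.0.2.10\n")     # constructed running config
        upload_config(flash, "config", [b"[ip]\naddr=", b"192.0.2.11\n"])
        out = {"config": (flash / "config").read_bytes(),
               "bak": (flash / "config.bak").read_bytes()}

        def interrupted():
            yield b"[ip]\naddr=19"
            raise ConnectionError("transfer cancelled")

        try:
            upload_config(flash, "config", interrupted())
            out["interrupted"] = "completed"
        except ConnectionError:
            out["interrupted"] = "aborted"
        out["config_after_abort"] = (flash / "config").read_bytes()
        out["leftovers"] = leftover_temp_files(flash)

        try:
            upload_config(flash, "config", [b"<!DOCTYPE html><html><body>[ip]\n"])
            out["html"] = "accepted"
        except ValueError:
            out["html"] = "rejected"
        out["leftovers_after_html"] = leftover_temp_files(flash)
        return out
    finally:
        shutil.rmtree(flash)
```

The interrupted case is the one to note: the previously saved config and config.bak are untouched, and the only trace is the temp file, which is exactly what you would delete afterwards on the View screen.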

File Upload Progress

This window shows the progress of the file upload. It refreshes the number of bytes transferred at 10-second intervals.

Figure 12-17 Administration | File Management | File Upload Progress Window

When the upload is finished, or if the upload is cancelled, the progress window closes.

File Upload Success

The Manager displays this screen to confirm that the file upload was successful.

Figure 12-18 Administration | Config File Management | Upload Success Screen

To go to the Administration | Config File Management | View screen and examine files in flash memory, click the highlighted link.

File Upload Error

The Manager displays this screen if there was an error during the file upload and the transfer was not successful. Flash memory might be full, or the file transfer might have been interrupted or cancelled.

Figure 12-19 Administration | Config File Management | Upload Error Screen

Click the link, Click here to see the list of files, to go to the Administration | File Management | View screen and examine space and files in Flash memory.

Click the link, Click here to return to File Upload, to return to the Administration | File Management | File Upload screen.

Certificate Management

Digital certificates are a form of digital identification used for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address. Certificate Authorities (CAs) issue digital certificates in the context of a Public Key Infrastructure (PKI), which uses public-key/private-key encryption to ensure security. CAs are trusted authorities that "sign" certificates to verify their authenticity, thus guaranteeing the identity of the device or user.

A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called a root certificate; one issued by another CA certificate is called a subordinate certificate. CAs also issue identity certificates, which are the certificates for specific systems or hosts. There can be up to six root or subordinate CA certificates (including supporting RA certificates) but only one identity certificate on a VPN 3002.

The VPN 3002 supports X.509 digital certificates (International Telecommunications Union Recommendation X.509), including SSL (Secure Sockets Layer) certificates that are self-signed or issued in a PKI context.

The VPN 3002 stores digital certificates and private keys in Flash memory. You do not need to click Save Needed to store them, and they are not visible under Administration | File Management. All stored private keys are encrypted.

The VPN 3002 can have only one SSL certificate installed per interface. If you generate a self-signed SSL certificate, it replaces any installed PKI-context SSL certificate; and vice-versa.

For information on using SSL certificates, see the "Installing the SSL Certificate in your Browser" section in Chapter 1 of the VPN 3002 Hardware Client Reference Volume. See also Configuration | System | Management Protocols | HTTP/HTTPS and Telnet, and Configuration | System | Management Protocols | SSL.

The Role of Time

Digital certificates are time-sensitive in the following ways:

Digital certificates indicate the time frame during which they are valid. Therefore, it is essential that the time on the VPN Concentrator is correct and synchronized with network time.

You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.

Configuring Digital Certificates: SCEP and Manual Methods

To use digital certificates for authentication, you first enroll with a Certificate Authority (CA), and obtain and install a CA certificate on the VPN 3002. Then you enroll and install an identity certificate from the same CA.

You can enroll and install digital certificates on the VPN 3002 in either of two ways:

Using Cisco's Simple Certificate Enrollment Protocol (SCEP).

SCEP is a secure messaging protocol that requires minimal user intervention. SCEP is the quicker method, and it lets you enroll and install certificates using only the VPN 3002 Manager. To use SCEP, you must enroll with a CA that supports SCEP, and you must enroll via the Internet.

Manually, exchanging information with the CA directly.

The manual method involves more steps. You can do some of the steps using the Manager. Other steps require that you exchange information with the CA directly. You deliver your enrollment request and receive the certificate from the CA via the Internet, email, or a floppy disk.


Note If you install a CA certificate using the manual method, you must also use the manual method to request identity or SSL certificates from that CA. Conversely, to request identity and SSL certificates using SCEP, you must first use SCEP to obtain the CA certificate.


Tasks Summary

Whether you use SCEP or the manual method, you perform the following tasks to obtain and install certificates:

1. Obtain and install one or more CA certificate(s).

2. Create an enrollment request for an identity certificate.

3. Request an identity certificate from the same CA that issued the CA certificate(s).

4. Install the identity certificate on the VPN 3002.

5. Enable certificates.

About the Documentation

The print version of this guide provides step-by-step examples of configuring digital certificates using SCEP and manually, beginning with the next section, "Managing Certificates with SCEP."

The online Help and the print version both provide detailed information on the parameters for each of the Manager screens that you use to configure digital certificates.

Managing Certificates with SCEP

The following sections provide step-by-step instructions for using SCEP to enroll and install digital certificates.

Obtaining and Installing CA Certificates Automatically Using SCEP

To use SCEP to enroll for identity or SSL certificates, you must also use SCEP to obtain the associated CA certificate. The Manager does not let you enroll for a certificate from a CA unless that CA certificate was installed using SCEP. A CA certificate that was obtained via SCEP, and that can therefore be used to enroll for further certificates via SCEP, is called SCEP-enabled.


Tip To obtain CA certificates using SCEP, you need to know the URL of your CA. Find out your CA's SCEP URL before beginning the following steps.



Step 1 Using the VPN 3002 Manager, display the Administration | Certificate Management screen. (See Figure 12-20.)

Figure 12-20 Administration | Certificate Management Screen

Step 2 Click Click here to install a CA certificate.


Note The Click here to install a CA certificate option is available from this window only when no CA certificates are installed on the VPN 3002. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA Certificate.


The Manager displays the Administration | Certificate Management | Install | CA Certificate screen. (See Figure 12-21.)

Figure 12-21 Administration | Certificate Management | Install | CA Certificate

Step 3 Click SCEP (Simple Certificate Enrollment Protocol). The Manager displays the Administration | Certificate Management | Install | CA Certificate | SCEP screen. (See Figure 12-22.)

Figure 12-22 The Administration | Certificate Management | Install | CA Certificate | SCEP Screen

Step 4 Fill in the fields and click Retrieve.

URL: Enter the URL of the CA's SCEP interface.

CA Descriptor: Some CAs use descriptors to further identify the certificate. If your CA gave you a descriptor, enter it here. Otherwise enter a descriptor of your own. You must enter something in this field.

Retrieve / Cancel:

To retrieve a CA certificate from the CA and install it on the VPN 3002, click Retrieve.

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 12-20.)

The Manager installs the CA certificate on the VPN 3002 and displays the Administration | Certificate Management screen. Your new CA certificate appears in the Certificate Authorities table.



Note If you have trouble enrolling or installing digital certificates via SCEP, enable both the CLIENT and CERT event classes to assist in troubleshooting.


Enrolling and Installing Identity Certificates Automatically Using SCEP

Follow these steps for each identity certificate you want to obtain:


Step 1 Display the Administration | Certificate Management screen. (See Figure 12-20.)

Step 2 Click Click here to enroll with a Certificate Authority. The Manager displays the Administration | Certificate Management | Enroll screen. (See Figure 12-23.)

Figure 12-23 Administration | Certificate Management | Enroll Screen

Step 3 Click Identity Certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen. (See Figure 12-24.)

Figure 12-24 Administration | Certificate Management | Enroll | Identity Certificate Screen

Notice that a link appears corresponding to each SCEP-enabled CA certificate on the VPN 3002. The title of the link depends on the name of the CA certificate: Enroll via SCEP at Certificate Name. For example, if you have a CA certificate on your VPN 3002 named "TestCA6-8," the following link appears: Enroll via SCEP at TestCA6-8.

If you do not see any Enroll via SCEP options, there are no SCEP-enabled CA certificates on the VPN 3002. Follow the steps in the "Obtaining and Installing CA Certificates Automatically Using SCEP" section to obtain a CA certificate via SCEP before you proceed.

Step 4 Click Enroll via SCEP at Certificate Name. The Administration | Certificate Management | Enroll | Identity Certificate | SCEP screen displays. (See Figure 12-25.)

Figure 12-25 Administration | Certificate Management | Enroll | Identity Certificate | SCEP Screen

Step 5 Fill in the fields and click Enroll. (For information on the fields on this screen, see Table 12-1.) The VPN 3002 sends the certificate request to the CA.

If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request could enter polling mode. In polling mode, the VPN 3002 re-sends the certificate request to the CA a specified number of times at regular intervals until the CA responds or the process times out. (For information on configuring the polling limit and interval, see the Administration | Certificate Management | Configure CA Certificate screen.) The certificate request appears in the Enrollment Status table on the Administration | Certificate Management screen until the CA responds. Once the CA responds and issues the certificate, the VPN 3002 installs it automatically.

If the CA responds immediately, the Manager installs the identity certificate on the VPN 3002 and displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 12-26.)

Figure 12-26 Administration | Certificate Management | Enrollment | Request Generated Screen

Click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen. Your new identity certificate appears in the Identity Certificates table.

Enrolling and Installing Certificates Manually

The following sections provide step-by-step instructions for enrolling and installing digital certificates manually.

Obtaining and Installing CA Certificates Manually

Certificate authorities are trusted entities that "sign" certificates to verify their authenticity. A CA certificate is one used to sign other certificates. You obtain CA certificates according to the procedures of individual CAs.


Step 1 You can obtain a CA certificate via email, floppy disk, or over the Internet. Retrieve a CA certificate according to the policies and procedures of your CA, and download it to your management work station.

Step 2 To install the CA certificate, begin at the VPN 3002 Manager Administration | Certificate Management screen. When you begin, there are no entries in the Certificate Authorities, Identity Certificates, SSL Certificates, or Enrollment Status fields.

Figure 12-27 Administration | Certificate Management Screen

Step 3 Click Click here to install a CA certificate. The Administration | Certificate Management | Install screen displays.


Note The Click here to install a CA certificate option is available from this screen only when no CA certificates are installed on the VPN 3002. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA certificate.


Figure 12-28 Administration | Certificate Management | Install Screen

Step 4 Click Install CA Certificate. The Administration | Certificate Management | Install | CA Certificate screen displays.

Figure 12-29 Administration | Certificate Management | Install | CA Certificate Screen

Step 5 Click Upload File from Workstation or Cut and Paste Text, depending on how you have retrieved the CA certificate. The Manager displays a screen appropriate to your choice.

Step 6 Include certificate information according to your chosen method.

Step 7 Click Install. The Manager installs the CA certificate on the VPN 3002. You return to the Administration | Certificate Management screen, which now displays the newly installed CA certificate.

Creating an Enrollment Request for an Identity Certificate Manually

An enrollment request for an identity certificate consists of a base 64 encoded PKCS#10 file that the VPN 3002 generates based on information you provide in the steps that follow.


Step 1 In the Administration | Certificate Management screen (see Figure 12-20), click Click here to enroll with a Certificate Authority. The Administration | Certificate Management | Enroll screen displays.

Figure 12-30 Administration | Certificate Management | Enroll Screen

Step 2 Click Identity certificate. The Administration | Certificate Management | Enroll | Identity Certificate screen displays.

Figure 12-31 Administration | Certificate Management | Enroll | Identity Certificate Screen

Step 3 Click Enroll via PKCS10 Request (Manual). The Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 Screen displays.

Figure 12-32 Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 Screen

Step 4 Enter values in each of the fields on this screen. Table 12-1 defines these fields.

Step 5 When you have finished, click Enroll.

The Administration | Certificate Management | Enroll | Request Generated screen displays. (See Figure 12-33.)

Figure 12-33 Administration | Certificate Management | Enroll | Request Generated Screen

The Manager displays this screen when the system has successfully generated a certificate request.


Note You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.


As the screen text indicates, within a few seconds, a browser window opens with the certificate request.

Figure 12-34 Example of a Certificate Request

You have generated a base 64 encoded PKCS#10 file (Public-Key Cryptography Standards #10), which most CAs recognize or require. The system automatically saves this file in Flash memory with the filename shown in the browser (pkcsNNNN.txt).

In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN 3002 in encrypted form.

Step 6 Save the request in one of the following ways:

Save the request to a file (to transmit the file to the CA via email or floppy disk).

Select and copy the request to the clipboard, and then paste the request into an email to the CA.

Copy and paste the request into the CA's management interface via the Internet.

Some CAs let you paste the request in a web interface, some ask you to send a file; use the method your CA requires.

Step 7 Close this browser window when you have finished.
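What the Manager produces in this procedure (and again on the Request Generated screen described later under Administration | Certificate Management | Enrollment or Renewal | Request Generated) can be reproduced offline with standard X.509 tooling. The Go program below is an added example, not code from the VPN 3002 or from Cisco. It fills the Table 12-1 subject fields with constructed values (Gateway A, VPNC, Example Corp, gatewaya.example.com and so on), generates an RSA key pair and a Base-64 (PEM) PKCS#10 request, and then does what a CA does on receipt: decodes the request, checks the requester's proof-of-possession signature and reads back the subject and Subject Alternative Name fields. It also confirms that the text handed to the CA carries only the public key, which is the point of the note that the private key stays on the VPN 3002. The key size is RSA 2048, the largest option in Table 12-1; recent Go releases refuse to generate the 512- and 768-bit sizes listed there.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// EnrollmentFields holds the values the PKCS10 screen asks for (Table 12-1).
// FQDN and Email become Subject Alternative Names rather than subject attributes.
type EnrollmentFields struct {
	CommonName, OrgUnit, Org, Locality, State, Country string
	FQDN, Email                                       string
}

// opt turns an optional text field into the slice pkix.Name expects, omitting
// the attribute entirely when the field was left blank.
func opt(s string) []string {
	if s == "" {
		return nil
	}
	return []string{s}
}

// GenerateRequest creates an RSA key pair of keyBits and a PKCS#10 request
// signed with it. It returns the PEM (Base-64) request text that is sent to
// the CA and the private key, which never leaves the requester.
func GenerateRequest(f EnrollmentFields, keyBits int) (string, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:         f.CommonName,
			OrganizationalUnit: opt(f.OrgUnit),
			Organization:       opt(f.Org),
			Locality:           opt(f.Locality),
			Province:           opt(f.State),
			Country:            opt(f.Country),
		},
		DNSNames:           opt(f.FQDN),
		EmailAddresses:     opt(f.Email),
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return "", nil, err
	}
	pemText := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return string(pemText), key, nil
}

// InspectRequest does what a CA does on receipt: decode the PEM body, verify
// the requester's self-signature (proof that it holds the private key) and
// return the parsed request so the subject and SAN fields can be examined.
func InspectRequest(pemText string) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof-of-possession signature failed: %w", err)
	}
	return csr, nil
}

// RequestCarriesPrivateKey reports whether the text handed to the CA contains
// a private-key block. A correctly generated PKCS#10 request never does.
func RequestCarriesPrivateKey(pemText string) bool {
	return strings.Contains(pemText, "PRIVATE KEY")
}

func main() {
	// Constructed values, in the form Table 12-1 asks for.
	fields := EnrollmentFields{
		CommonName: "Gateway A", OrgUnit: "VPNC", Org: "Example Corp",
		Locality: "Franklin", State: "Massachusetts", Country: "US",
		FQDN: "gatewaya.example.com", Email: "gatewaya@example.com",
	}
	pemText, _, err := GenerateRequest(fields, 2048)
	if err != nil {
		panic(err)
	}
	csr, err := InspectRequest(pemText)
	if err != nil {
		panic(err)
	}
	fmt.Print(pemText)
	fmt.Println("subject:", csr.Subject.String())
	fmt.Println("SAN DNS:", csr.DNSNames, "SAN e-mail:", csr.EmailAddresses)
	fmt.Println("private key in request:", RequestCarriesPrivateKey(pemText))
}
```

The PEM text printed by main is the same kind of Base-64 block the Manager opens in the browser window; paste it, or save it to a file, exactly as Step 6 describes. InspectRequest rejects a request whose body has been altered in transit, because the signature no longer matches the encoded subject and public key.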


Requesting an Identity Certificate from a CA Manually

Next you submit the identity request to a CA. This must be the same CA that issued the CA certificate for this connection. Submit the request and retrieve an identity certificate according to the procedures of your CA.

Installing the Identity Certificate on the VPN 3002 Manually

The following steps provide instructions on installing an Identity certificate on the VPN 3002.


Step 1 From the Administration | Certificate Management screen, click Click here to install a certificate to navigate to the Administration | Certificate Management | Install screen.

Figure 12-35 Administration | Certificate Management | Install Screen

Step 2 Click Install certificate obtained via enrollment. The Administration | Certificate Management | Install certificate obtained via enrollment screen displays.

Figure 12-36 Administration | Certificate Management | Install certificate obtained via enrollment Screen

Step 3 In the Actions column of the Enrollment Status table, click Install. The Administration | Certificate Management | Install Identity Certificate screen displays.

Figure 12-37 Administration | Certificate Management | Install Identity Certificate Screen

Step 4 Choose either installation method: Cut & Paste Text or Upload File from Workstation.

Step 5 The Manager displays a screen appropriate to your choice. Include the certificate information according to your chosen method. Click Install. The Manager installs the identity certificate on the VPN 3002 and displays the Administration | Certificate Management screen. Your new identity Certificate appears in the Identity Certificates table.

Step 6 Confirm that the Issuer fields for Certificate Authorities and Identity Certificates match for this connection. You must get the Identity certificate and the CA certificate from the same CA.


Obtaining SSL Certificates

If you use a secure connection between your browser and the VPN 3002, the VPN 3002 requires an SSL certificate. You only need one SSL certificate on your VPN 3002.

When you initially boot the VPN 3002, a self-signed SSL certificate is automatically generated. Because a self-signed certificate is self-generated, this certificate is not verifiable. No CA has guaranteed its identity. But this certificate allows you to make initial contact with the VPN 3002 using the browser. If you want to replace it with another self-signed SSL certificate, follow these steps:


Step 1 Display the Administration | Certificate Management screen. (See Figure 12-20.)

Step 2 Click Generate above the SSL Certificate table. The new certificate appears in the SSL Certificate table, replacing the existing one.


If you want to obtain a verifiable SSL certificate (that is, one issued by a CA), follow the same procedure you used to obtain identity certificates. (See the "Enrolling and Installing Identity Certificates Automatically Using SCEP" section.) But this time, on the Administration | Certificate Management | Enroll screen, click SSL certificate (instead of Identity certificate).

Some web servers export their SSL certificates with the private key attached. If you have a PEM-encoded certificate with a corresponding private key that you want to install, follow the same procedure you used to obtain identity certificates. (See the "Enrolling and Installing Identity Certificates Automatically Using SCEP" section.) But this time, on the Administration | Certificate Management | Installation screen, click Install SSL certificate with private key (instead of Install certificate obtained via enrollment).

Enabling Digital Certificates on the VPN 3002


Note Before you enable digital certificates on the VPN 3002, you must obtain at least one CA and one identity certificate. If you do not have a CA and an identity certificate installed on your VPN 3002, follow the steps in the previous section before beginning this section.


For the VPN 3002 to use the digital certificates you obtained, you must enable authentication using digital certificates.


Step 1 Display the Configuration | System | Tunneling Protocols | IPSec screen.

Figure 12-38 Configuration | System | Tunneling Protocols | IPSec Screen

Step 2 Check the Use Certificate check box.

Step 3 Select a Certificate Transmission option. If you want the VPN 3002 to send the peer the identity certificate and all issuing certificates (including the root certificate and any subordinate CA certificates), click Entire certificate chain. If you want to send the peer only the identity certificate, click Identity certificate only.

Step 4 Click Apply. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Step 5 Click the Save Needed icon.


Deleting Digital Certificates

Delete digital certificates in the following order:

1. Identity or SSL certificates

2. Subordinate certificates

3. Root certificates


Note You cannot delete a certificate if it is in use by an SA, if it is the issuer of another installed certificate, or if it is referenced in an active certificate request.


Follow these steps to delete certificates:


Step 1 Display the Administration | Certificate Management screen. (See Figure 12-20.)

Step 2 Find the certificate you want to delete and click Delete. The Administration | Certificate Management | Delete screen appears.

Figure 12-39 Administration | Certificate Management | Delete Screen

Step 3 Click Yes. The Manager returns to the Administration | Certificate Management window.

Administration | Certificate Management

This section of the Manager shows outstanding enrollment requests and all the certificates installed on the VPN 3002, and it lets you manage them.

The links at the top of this screen guide you step-by-step through the process of enrolling and installing certificates. For more information on the certificate management process, see the "Enrolling and Installing Digital Certificates" section.

To install a CA certificate (via SCEP or manually), click on Click Here to Install a CA Certificate.


Note The Click here to install a CA certificate option is only available from this window when no CA certificates are installed on the VPN 3002. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install. Then click Install CA Certificate.


To create an SSL or identity certificate enrollment request, click on Click Here to Enroll with a Certificate Authority.

To install the certificate obtained via enrollment, click on Click Here to Install a Certificate.

The VPN 3002 notifies you (by issuing a severity 3 CERT class event) if any of the installed certificates are within one month of expiration.
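The time sensitivity described under "The Role of Time", the Step 6 issuer check in the manual installation procedure, the one-month expiration event above, and the issuer condition in the deletion rules can all be exercised with ordinary X.509 verification. The Go program below is an added example, not code from the VPN 3002: it constructs a root CA named TestCA6-8 (the sample name used earlier in this chapter), an identity certificate it issued to Gateway A, and an unrelated CA, all with fixed, constructed validity dates. It then verifies the identity certificate under different device clocks, performs the issuer match, computes the expiry warning and applies the issuer clause of the deletion rule. Organization names, dates and the 30-day window are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OneMonth is the warning window (assumed to be 30 days) for the expiration event.
const OneMonth = 30 * 24 * time.Hour

func Day(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

// issue creates an RSA-2048 certificate for subject; with parent == nil it is self-signed
// (a root CA), otherwise parentKey signs it, as a CA signs the identity it issues.
func issue(subject pkix.Name, from, to time.Time, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: subject, NotBefore: from, NotAfter: to,
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoPKI constructs a root CA, the identity certificate it issued, and an
// unrelated CA. Dates are fixed (constructed) so the clock checks are reproducible.
func BuildDemoPKI() (ca, identity, stranger *x509.Certificate, err error) {
	var caKey *rsa.PrivateKey
	ca, caKey, err = issue(pkix.Name{CommonName: "TestCA6-8", Organization: []string{"Example Corp"}},
		Day(2004, 1, 1), Day(2014, 1, 1), true, nil, nil)
	if err != nil {
		return
	}
	identity, _, err = issue(pkix.Name{CommonName: "Gateway A", Organization: []string{"Example Corp"}},
		Day(2004, 6, 1), Day(2005, 6, 1), false, ca, caKey)
	if err != nil {
		return
	}
	stranger, _, err = issue(pkix.Name{CommonName: "Other CA", Organization: []string{"Elsewhere Ltd"}},
		Day(2004, 1, 1), Day(2014, 1, 1), true, nil, nil)
	return
}

// VerifyAt validates identity against the installed CA with the device clock set to
// now; a wrong clock makes a perfectly good certificate fail this check.
func VerifyAt(identity, ca *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := identity.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// IssuerMatches is the Step 6 check: the identity certificate's Issuer must equal the
// CA certificate's Subject, and the CA key must actually have signed it.
func IssuerMatches(identity, ca *x509.Certificate) bool {
	return bytes.Equal(identity.RawIssuer, ca.RawSubject) && identity.CheckSignatureFrom(ca) == nil
}

// ExpiringWithin reports whether cert expires within window of the device clock now.
func ExpiringWithin(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return cert.NotAfter.Sub(now) <= window
}

// CanDelete applies the issuer clause of the deletion rule: a certificate that issued
// another installed certificate cannot be removed first. (SA use and pending requests are not modelled.)
func CanDelete(target *x509.Certificate, installed ...*x509.Certificate) bool {
	for _, c := range installed {
		if !c.Equal(target) && IssuerMatches(c, target) {
			return false
		}
	}
	return true
}

func main() {
	ca, identity, _, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	now := Day(2005, 5, 10) // constructed device clock, 22 days before the identity expires
	fmt.Println("issuer:", IssuerMatches(identity, ca), "valid:", VerifyAt(identity, ca, now) == nil,
		"expiring:", ExpiringWithin(identity, now, OneMonth), "CA deletable:", CanDelete(ca, ca, identity))
}
```

Running main with the clock at 2005-05-10 reports the issuer match as true, the certificate as valid, the expiry warning as active, and the CA as not deletable while the identity it issued is still installed. Moving the clock before 2004-06-01 makes VerifyAt fail even though nothing about the certificate changed, which is the failure an unsynchronized device clock produces.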

The Manager displays this screen each time you install a digital certificate.

Figure 12-40 Administration | Certificate Management Screen

Certificate Authorities Table

This table shows root and subordinate CA certificates installed on the VPN 3002.

Current

The actual number of CA certificates installed on this VPN 3002.

Maximum

The maximum possible number of CA certificates allowed on this VPN 3002.

Fields

These fields appear in the Certificate Authorities table:

Field
Content

Subject/Issuer

The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View.

Expiration

The expiration date of the certificate. The date format is MM/DD/YYYY.

SCEP Issuer

In order for a certificate to be available for SCEP enrollment, it must be installed via SCEP. This field indicates if the certificate is SCEP-enabled.

Yes = This certificate can issue identity and SSL certificates via SCEP.

No = This certificate cannot issue certificates via SCEP.


Note If you want to use a certificate for SCEP enrollment, but that certificate is not SCEP-enabled, reinstall it using SCEP.


Actions

This column allows you to manage particular certificates. The actions available vary with the type and status of the certificate.

View = View details of this certificate.

Delete = Delete this certificate from the VPN 3002.


Identity Certificates Table

This table shows installed server identity certificates.

Fields

These fields appear in the Identity Certificates table:

Field
Content

Subject/Issuer

The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View.

Expiration

The expiration date of the certificate. The date format is MM/DD/YYYY.

Actions

This column allows you to manage particular certificates. The actions available vary with the type and status of the certificate.

View = View details of this certificate.

Delete = Delete this certificate from the VPN 3002.

Renew = Generate a new enrollment request based on the content of this certificate.


SSL Certificate Table

This table shows the SSL server certificate installed on the VPN 3002. The system can have only one SSL server certificate installed per (public or private) interface: either a self-signed certificate or one issued in a PKI context.

Fields

These fields appear in the SSL Certificates table:

Field
Content

Interface

The interface on which this SSL certificate is installed.

Subject/Issuer

The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View.

Expiration

The expiration date of the certificate. The date format is MM/DD/YYYY.

Actions

This column allows you to manage particular certificates. The actions available vary with the type and status of the certificate.

View = View details of this certificate.

Renew = Generate a new enrollment request based on the content of this certificate.

Delete = Delete this certificate from the VPN 3002.

Export = Copy this certificate to another interface on this VPN 3002 or to another VPN 3002.

Generate = Generate a new SSL certificate, with a new key.

Enroll = Enroll this certificate with a CA.

Import = Copy a certificate to this interface from another interface on this VPN 3002 or from another VPN 3002.


SSH Host Key Table

Fields

These fields appear in the SSH Host Key table:

Field
Content

Key Size

The size (in bits) of the SSH host key.

Key Type

The key algorithm of the SSH host key. (Only RSA is currently supported.)

Date Generated

The date on which the SSH host key was generated.

Actions

Generate = Generate a new SSH host key.


Enrollment Status Table

This table tracks the status of active enrollment requests.

The VPN 3002 supports one (installed) identity certificate and one (outstanding) enrollment request. If you currently have an identity certificate on your VPN 3002 and you want to change it, you can request a second certificate, but the VPN 3002 does not install this certificate immediately. The new certificate appears in the Enrollment Status table; you must activate it manually.

The VPN 3002 automatically deletes entries that have the status "Timedout," "Failed," "Cancelled," or "Error" and are older than one week.

[Remove All:]

Click a Remove All option to delete all enrollment requests of a particular status.

Errored = Delete all enrollment requests with the status "Error."

Timed-out = Delete all enrollment requests with the status "Timed-out."

Rejected = Delete all enrollment requests with the status "Rejected."

Cancelled = Delete all enrollment requests with the status "Cancelled."

In Progress = Delete all enrollment requests with the status "In Progress."

Current

The number of enrollment requests currently outstanding.

Available

The number of enrollment requests still available.

Fields

These fields appear in the Enrollment Status table:

Field
Content

Subject/Issuer

The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View.

Date

The original date of enrollment.

Use

The type of certificate: identity or SSL.

Reason

The type of enrollment: initial, re-enrollment, or re-key.

Method

The method of enrollment: SCEP or manual.

Status

In Progress = The request has been created, but the requested certificate has not yet been installed. This value is used only for PKCS10 (manual) enrollment requests.

Timedout = The SCEP polling cycle has ended after reaching the configured maximum number of retries. This value is used only for enrollment requests created using SCEP.

Rejected = The CA refused to issue the certificate. This value is used only for enrollment requests created using SCEP.

Cancelled = The certificate request was cancelled while the VPN 3002 was in polling mode.

Error = An error occurred during the enrollment process. Enrollment was stopped.

Actions

This column allows you to manage enrollment requests. The actions available vary with the type and status of the enrollment request.

View = View details of this enrollment request.

Install = Install the enrollment request. This action is available only for PKCS10 (manual) enrollment requests.

Cancel = Cancel a request that is pending. This action is available only for SCEP enrollment requests with "Polling" status.

Re-submit = Re-initiate SCEP communications with the CA or RA using the previously entered request information. This action is available only for SCEP enrollment requests.

Activate = Bring this certificate into service.

Delete = Delete an enrollment request from the VPN 3002.


Administration | Certificate Management | Enroll

Choose whether you are creating an enrollment request for an identity certificate or an SSL certificate.

Figure 12-41 Administration | Certificate Management | Enroll Screen

Identity Certificate

Click Identity Certificate to create a certificate request for an identity certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen.

SSL Certificate

Click SSL Certificate to create a certificate request for an SSL certificate. The Manager displays the Administration | Certificate Management | Enroll | SSL Certificate screen.

Administration | Certificate Management | Enroll | Certificate Type

Choose the method for enrolling the (identity or SSL) certificate.

Figure 12-42 Administration | Certificate Management | Enroll | Identity Certificate Screen

Enroll via PKCS10 Request (Manual)

Click Enroll via PKCS10 Request (Manual) to enroll the certificate manually.

Enroll via SCEP at [Name of SCEP CA]

You can enroll certificates using SCEP only if you installed the CA certificate using SCEP. One Enroll via SCEP at [Name of SCEP CA] link appears on this screen for each CA certificate on the VPN 3002 that was installed using SCEP. To see which CA certificates on your VPN 3002 were installed using SCEP, see the Certificate Authorities table on the Administration | Certificate Management screen. "Yes" in the SCEP Issuer column indicates that the CA certificate was installed using SCEP; "No" indicates it was installed manually.

If no CA certificate on the VPN 3002 was installed using SCEP, then no Enroll via SCEP at [Name of SCEP CA] link appears on this screen. You do not have the option of using SCEP to enroll the certificate.

Click Enroll via SCEP at [Name of SCEP CA] to enroll the certificate automatically using SCEP.

Install a New SA Using SCEP before Enrolling

If you want to install a certificate using SCEP, but no Enroll via SCEP at [Name of SCEP CA] link appears here, click Install a new SA Using SCEP before Enrolling. Install a CA certificate using SCEP, then return to this screen to install the certificate. A SCEP link now appears.

<< Go back and choose a different type of certificate

Click << Go back and choose a different type of certificate to return to the Administration | Certificate Management | Enroll screen. (See Figure 12-41.)

Administration | Certificate Management | Enroll | Certificate Type | PKCS10

To generate an enrollment request for an SSL or identity certificate, you need to provide information about the VPN 3002.

Figure 12-43 Administration | Certificate Management | Enroll | Identity Certificate via PKCS10 Screen

Fields

For an explanation of each of the fields on this screen, see Table 12-1.

Table 12-1 Fields in a Certificate Request

For each field, the Manual and SCEP entries indicate whether the field applies to manual (PKCS10) enrollment and to SCEP enrollment, followed by the field's content.

Common Name (CN)
Manual: Yes. SCEP: Yes.

The primary identity of the entity associated with the certificate, for example, Gateway A. Spaces are allowed. You must enter a name in this field.

Organizational Unit (OU)
Manual: Yes. SCEP: Yes.

The name of the department or other organizational unit to which this VPN 3002 belongs, for example: VPNC. Spaces are allowed.


Caution The value you enter in this field must match on both ends of the connection.

Organization (O)
Manual: Yes. SCEP: Yes.

The name of the company or organization to which this VPN 3002 belongs, for example: Cisco Systems. Spaces are allowed.

Locality (L)
Manual: Yes. SCEP: Yes.

The city or town where this VPN 3002 is located, for example: Franklin. Spaces are allowed.

State/Province (SP)
Manual: Yes. SCEP: Yes.

The state or province where this VPN 3002 is located, for example: Massachusetts. Spell the name out completely; do not abbreviate. Spaces are allowed.

Country (C)
Manual: Yes. SCEP: Yes.

The country where this VPN 3002 is located, for example: US. Use two characters, no spaces, and no periods. This two-character code must conform to ISO 3166 country codes.

Subject Alternative Name (Fully Qualified Domain Name) (FQDN)
Manual: Yes. SCEP: Yes.

The fully qualified domain name that identifies this VPN 3002 in this PKI, for example: Cisco.com. This field is optional. The alternative name is an additional data field in the certificate that provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.

Subject Alternative Name (E-mail Address) (E-mail)
Manual: Yes. SCEP: Yes.

The e-mail address of the VPN 3002 administrator, for example: gatewaya@cisco.com.

Challenge Password
Manual: No. SCEP: Yes.

This field displays only if you are requesting a certificate using SCEP.

Use this field according to the policy of your CA:

Your CA might have given you a password. If so, enter it here for authentication.

Your CA might allow you to provide your own password to identify yourself to the CA in the future. If so, create your password here.

Your CA might not require a password. If not, leave this field blank.

Verify Challenge Password
Manual: No. SCEP: Yes.

Re-enter the password.

Key Size
Manual: Yes. SCEP: Yes.

The algorithm for generating the public-key/private-key pair, and the key size. If you are requesting an SSL certificate, or if you are requesting an identity certificate using SCEP, only the RSA options are available.

RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman) algorithm. This key size provides sufficient security and is the default selection. It is the most common, and requires the least processing.

RSA 768 bits = Generate 768-bit keys using the RSA algorithm. This key size provides normal security. It requires approximately 2 to 4 times more processing than the 512-bit key.

RSA 1024 bits = Generate 1024-bit keys using the RSA algorithm. This key size provides high security, and it requires approximately 4 to 8 times more processing than the 512-bit key.

RSA 2048 bits = Generate 2048-bit keys using the RSA algorithm. This key size provides very high security. It requires 8 to 16 times more processing than the 512-bit key.

The DSA options are available for manual enrollment only (Manual: Yes. SCEP: No.):

DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature Algorithm).

DSA 768 bits = Generate 768-bit keys using the DSA algorithm.

DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.



Enroll / Cancel

To generate the certificate request, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen (see Figure 12-44) with the text of your certificate request.

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen.

Administration | Certificate Management | Enrollment or Renewal | Request Generated

The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS-10 format (Public Key Certificate Syntax-10), which most CAs recognize or require. The system automatically saves this file in Flash memory with the filename shown in the screen (pkcsNNNN.txt). You can select and copy the request to the clipboard, or you can save it as a file on your PC or a network host. Some CAs let you paste the request in a web interface, some ask you to send a file; use the method your CA requires.

In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN 3002, and it is not visible.


Note You must complete the enrollment and certificate installation process within one week of generating the request.


Figure 12-44 Administration | Certificate Management | Enrollment | Request Generated Screen

To go to the Administration | File Management | Files screen, click the highlighted File Management page link. From there you can view, copy, or delete the file in Flash memory.

Go to Certificate Management

If you want to view the certificate request, click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen. (See Figure 12-20.)

Go to Certificate Enrollment

If you want to enroll another certificate, click Go to Certificate Enrollment. The Manager displays the Administration | Certificate Management | Enroll screen.

Go to Certificate Installation

If you want to install the certificate you have just enrolled, click Go to Certificate Installation. The Manager displays the Administration | Certificate Management | Install screen.

Administration | Certificate Management | Enroll | Identity Certificate | SCEP

To generate an enrollment request for an identity certificate, you need to provide information about the VPN 3002.

Figure 12-45 Administration | Certificate Management | Enroll | Identity Certificate | SCEP Screen

Fields

For an explanation of each of the fields on this screen, see Table 12-1.

Enroll / Cancel

To generate the certificate request and install the identity certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 12-44.)

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 12-20.)

Administration | Certificate Management | Enroll | SSL Certificate | SCEP

To generate an enrollment request for an SSL certificate, you need to provide information about the VPN 3002.

Figure 12-46 Administration | Certificate Management | Enroll | SSL Certificate | SCEP Screen

Fields

For an explanation of each of the fields on this screen, see Table 12-1.

Enroll

To generate the certificate request and install the SSL certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen.

If there is already an active request for an SSL certificate, this error message appears.

To return to the Administration | Certificate Management | Enroll | SSL Certificate | SCEP screen, click Retry the operation.

To return to the Main screen, click Return to main menu.

Cancel

To discard your entries and cancel the request, click Cancel. The Manager displays the Administration | Certificate Management screen.

Administration | Certificate Management | Install

Choose the type of certificate you want to install.

Figure 12-47 Administration | Certificate Management | Install Screen

Install CA Certificate

If you want to install a CA certificate, click Install CA Certificate. The Manager displays the Administration | Certificate Management | Install | CA Certificate screen.

Install SSL Certificate with Private Key

Some web servers export their SSL certificates with the private key attached. If you have a PEM-encoded certificate with a corresponding private key that you want to install, click Install SSL Certificate with Private Key. The Manager displays the Administration | Certificate Management | Install | SSL Certificate with Private Key screen.

Install Certificate Obtained via Enrollment

If you want to install a certificate manually that you have obtained by enrolling a certificate request with a CA, click Install Certificate Obtained via Enrollment. The Manager displays the Administration | Certificate Management | Install Certificate Obtained via Enrollment screen.

Administration | Certificate Management | Install | Certificate Obtained via Enrollment

Once you have enrolled a certificate, you can install it. This screen allows you to install an enrolled certificate.

Figure 12-48 Administration | Certificate Management | Install | Certificate Obtained via Enrollment Screen

Enrollment Status Table

For a description of the fields in this table, see the "Enrollment Status Table" section.

<< Go back and choose a different type of certificate

If you do not want to install a certificate that you have obtained by filing an enrollment request with your CA, click << Go back and choose a different type of certificate. The Manager returns to the Administration | Certificate Management | Install screen.

Administration | Certificate Management | Install | Certificate Type

Choose the method you want to use to install the certificate.

Figure 12-49 Administration | Certificate Management | Install | CA Certificate

SCEP (Simple Certificate Enrollment Protocol)


Note This option is available only for CA certificates.


If you want to install the CA certificate automatically using SCEP, click SCEP (Simple Certificate Enrollment Protocol). The Manager displays the Administration | Certificate Management | Install | CA Certificate | SCEP screen. (See Figure 12-50.)

Cut & Paste Text

If you want to cut and paste the certificate using a browser window, click Cut & Paste Text. The Manager displays the Administration | Certificate Management | Install | Certificate Type | Cut & Paste Text screen. (See Figure 12-51.)

Upload File from Workstation

If your CA certificate is stored in a file, click Upload File from Workstation. The Manager displays the Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation screen. (See Figure 12-54.)

<< Go back and choose a different type of certificate

If you do not want to install a CA certificate, click << Go back and choose a different type of certificate to display the Administration | Certificate Management | Install screen. (See Figure 12-47.)

Administration | Certificate Management | Install | CA Certificate | SCEP

In this screen, provide information about the certificate authority in order to retrieve and install a CA certificate automatically using SCEP.

Figure 12-50 Administration | Certificate Management | Install | CA Certificate | SCEP Screen

URL

Enter the URL of the SCEP interface of the CA.

CA Descriptor

Some CAs use descriptors to further identify the certificate. If your CA gave you a descriptor, enter it here. Otherwise enter a descriptor of your own. You must enter something in this field.

Retrieve / Cancel

To retrieve a CA certificate from the CA and install it on the VPN 3002, click Retrieve.

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 12-20.)

Administration | Certificate Management | Install | Certificate Type | Cut and Paste Text

To install the certificate using the manual method, cut and paste the certificate text into the Certificate Text window.

Figure 12-51 Administration | Certificate Management | Install | CA Certificate | Cut and Paste Text Screen

Figure 12-52 Administration | Certificate Management | Install | SSL Certificate | Cut and Paste Text Screen

Figure 12-53 Administration | Certificate Management | Install | SSL Certificate with Private Key | Cut and Paste Text Screen

Certificate Text

Paste the PEM or base-64 encoded certificate text from the clipboard into this window.

If you are installing an SSL certificate with a private key, include the encrypted private key.

Password


Note This field appears only if you are installing an SSL certificate with a private key.


Enter a password for decrypting the private key. Use the same password you used to encrypt the private key when you exported it. (See Administration | Certificate Management | Export SSL Certificate.)

Interface


Note This field appears only if you are installing an SSL certificate.


Choose the interface on which to install the certificate.

Install / Cancel

To install the certificate on the VPN 3002, click Install.

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 12-20.)

Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation

If you want to install a certificate stored on your PC, use this screen to upload the certificate file to the VPN 3002.

Figure 12-54 Administration | Certificate Management | Install | CA Certificate | Upload File from Workstation Screen

Figure 12-55 Administration | Certificate Management | Install | SSL Certificate | Upload File from Workstation Screen

Figure 12-56 Administration | Certificate Management | Install | SSL Certificate with Private Key | Upload File from Workstation Screen

Filename / Browse

Enter the name of the certificate file that is on your PC. In a Windows environment, enter the complete pathname using MS-DOS syntax, for example: c:\Temp\certnew.cer. You can also click the Browse button to open a file navigation window, find the file, and select it.

Password


Note This field appears only if you are installing an SSL certificate with a private key.


Enter a password for decrypting the private key. Use the same password you used to encrypt the private key when you exported it. (See Administration | Certificate Management | Export SSL Certificate.)

Interface


Note This field appears only if you are installing an SSL certificate.


Choose the interface on which to install the certificate.

Install / Cancel

To install the certificate on the VPN 3002, click Install.

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 12-20.)

Administration | Certificate Management | View

The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management | Certificates screen. The details vary depending on the certificate content.

The content and format for certificate details are governed by ITU (International Telecommunication Union) X.509 standards, specifically RFC 2459. The Subject and Issuer fields conform to ITU X.520.

This screen is read-only; you cannot change any information here.

Figure 12-57 Administration | Certificate Management | View Screen

Certificate Fields

A certificate contains some or all of the following fields:

Field
Content

Subject

The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.

Issuer

The CA or other entity (jurisdiction) that issued the certificate.

Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.

CN

Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

For the VPN 3002 self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN 3002 via HTTPS, as part of its validation.

OU

Organizational Unit: the subgroup within the organization (O).

O

Organization: the name of the company, institution, agency, association, or other entity.

L

Locality: the city or town where the organization is located.

SP

State/Province: the state or province where the organization is located.

C

Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Serial Number

The serial number of the certificate. Each certificate issued by a CA must be unique among all certificates issued by that CA. CRL checking uses this serial number.

Signing Algorithm

The cryptographic algorithm that the CA or other issuer used to sign this certificate.

Public Key Type

The algorithm and size of the certified public key.

Certificate Usage

The purpose of the key contained in the certificate, for example: digital signature, certificate signing, nonrepudiation, key or data encipherment, etc.

MD5 Thumbprint

A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate.

If you question a root certificate's authenticity, you can check this value with the issuer.

SHA1 Thumbprint

A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.

Validity

The time period during which this certificate is valid.

Format is MM/DD/YYYY at HH:MM:SS to MM/DD/YYYY at HH:MM:SS. Time uses 24-hour notation, and is local system time.

The Manager checks the validity against the VPN 3002 system clock, and it flags expired certificates in event log entries.

Subject Alternative Name (Fully Qualified Domain Name)

The fully qualified domain name for this VPN 3002 that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.

CRL Distribution Point

The distribution point for CRLs from the issuer of this certificate. If this information is included in the certificate in the proper format, and you enable CRL checking, you do not have to provide it on the Administration | Certificate Management | Configure CA Certificate screen.
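The View screen fields described above, as an added example that is not Cisco code: it constructs a self-signed SSL certificate whose CN is the private-interface IP address (as the VPN 3002 generates), derives the Subject, Issuer, Signing Algorithm, Public Key Type and the MD5 and SHA1 thumbprints from the DER-encoded certificate, checks Validity against a supplied system clock, and applies the CN-versus-HTTPS-address comparison. It assumes the `cryptography` package; the IP address, hostname and dates are constructed samples.

```python
"""Reproduce the certificate View fields and checks (added example, not Cisco code)."""
import datetime
import hashlib
import ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PRIVATE_IP = "192.168.10.1"   # constructed Ethernet 1 (Private) address


def make_self_signed_ssl_cert(cn, not_before, days=365, key_size=1024):
    """Self-signed SSL certificate: Subject and Issuer are the same, CN = cn.
    `not_before` is a naive UTC datetime (the device's system clock)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def _validity_utc(cert):
    """Validity period as timezone-aware UTC datetimes (works across versions)."""
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # older cryptography: naive datetimes, already UTC
        utc = datetime.timezone.utc
        return (cert.not_valid_before.replace(tzinfo=utc),
                cert.not_valid_after.replace(tzinfo=utc))


def _hex(digest):
    """Format a digest as colon-separated hex bytes, 16 for MD5, 20 for SHA-1."""
    return ":".join(f"{b:02X}" for b in digest)


def view_fields(cert_pem):
    """The fields the View screen shows, computed from the certificate itself.
    Both thumbprints hash the complete DER-encoded certificate."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    der = cert.public_bytes(serialization.Encoding.DER)
    not_before, not_after = _validity_utc(cert)
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "self_signed": cert.subject == cert.issuer,   # root/self-signed rule
        "serial_number": cert.serial_number,
        "signing_algorithm": cert.signature_hash_algorithm.name,
        "public_key_type": f"RSA {cert.public_key().key_size} bits",
        "md5_thumbprint": _hex(hashlib.md5(der).digest()),
        "sha1_thumbprint": _hex(hashlib.sha1(der).digest()),
        "validity": (not_before, not_after),
    }


def check_validity(cert_pem, now):
    """True when `now` (aware UTC datetime) falls inside the Validity period;
    a False result is what the Manager flags as an expired certificate."""
    not_before, not_after = _validity_utc(x509.load_pem_x509_certificate(cert_pem))
    return not_before <= now <= not_after


def cn_matches_address(cert_pem, connect_address):
    """The SSL validation step from the CN field: the address used to reach the
    device over HTTPS must equal the CN. IP addresses compare numerically,
    hostnames case-insensitively."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        return ipaddress.ip_address(cn) == ipaddress.ip_address(connect_address)
    except ValueError:
        return cn.lower() == connect_address.lower()


if __name__ == "__main__":
    pem = make_self_signed_ssl_cert(PRIVATE_IP, datetime.datetime(2025, 1, 1))
    for k, v in view_fields(pem).items():
        print(f"{k}: {v}")
    print("valid now:", check_validity(pem, datetime.datetime.now(datetime.timezone.utc)))
    print("CN matches", PRIVATE_IP, cn_matches_address(pem, PRIVATE_IP))
```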


Back

To return to the Administration | Certificate Management screen, click Back.

Administration | Certificate Management | Configure CA Certificate

This screen lets you configure this CA certificate to be able to issue identity certificates via SCEP.

Figure 12-58 Administration | Certificate Management | Configure CA Certificate Screen

Certificate

The certificate for which you are configuring SCEP parameters. This is the name in the Subject field of the Certificate Authorities table on the Administration | Certificate Management screen.

SCEP Configuration

Enrollment URL

Enter the URL where the VPN 3002 should send SCEP enrollment requests made to this CA certificate. The default value of this field is the URL used to download this CA certificate.

Polling Interval

If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request could enter polling mode. In polling mode, the VPN 3002 re-sends the certificate request to the CA over a specified period until the CA responds or the process times out.

Enter the number of minutes the VPN 3002 should wait between re-sends. The minimum number of minutes is 1; the maximum number of minutes is 60. The default value is 1.

Polling Limit

Enter the number of times the VPN 3002 should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum number is 100. If you do not want any polling limit (in other words you want infinite re-sends), enter none.

Apply / Cancel

To save the SCEP configuration for this certificate, click Apply. The Manager returns to the Administration | Certificate Management screen.

To discard your settings, click Cancel. The Manager returns to the Administration | Certificate Management screen.

Administration | Certificate Management | Renewal

Certificate renewal is a shortcut that allows you to generate an enrollment request based on the content of an existing certificate.

When you renew a certificate via SCEP, the new certificate does not automatically overwrite the original certificate. It remains in the Enrollment Request table until the administrator manually activates it. For more information on activating certificates, see the "Administration | Certificate Management | Activate or Re-Submit | Status" section.

Use this screen to re-enroll or re-key a certificate. If you re-enroll the certificate, the new certificate uses the same key pair as the expiring certificate. If you re-key the certificate, it uses a new key pair.

Figure 12-59 Administration | Certificate Management | Renewal

Certificate

This field displays the type of certificate that you are re-enrolling or re-keying.

Renewal Type

Specify the type of request:

Re-enrollment = Use the same key pair as the expiring certificate.

Re-key = Use a new key pair.

Enrollment Method

Choose an enrollment method:

PKCS10 Request (Manual) = Enroll using the manual process.

Certificate Name via SCEP = Enroll automatically using this SCEP CA.

Challenge Password

Your CA might have given you a password as a means of verifying your identity. If you have a password from your CA, enter it here.

If you did not receive a password from your CA, choose a password now. You can use this password in the future to identify yourself to your CA.

Verify Challenge Password

Re-type the challenge password you just entered.

Renew / Cancel

To renew the certificate, click Renew.

To discard your settings, click Cancel. The Manager returns to the Administration | Certificate Management screen.

Administration | Certificate Management | Activate or Re-Submit | Status

This status screen appears after you activate or re-submit an enrollment request. It displays the status of the request.

Figure 12-60 Administration | Certificate Management | Re-submit | Status screen

Status

Installed = The CA returned the certificate and it has been added to the certificate store.

Rejected = The CA refused to issue a certificate.

Polling = The CA has pended the approval request, or the CA is unavailable.

Error = There has been an error processing the enrollment request.

Go to Certificate Management

If you want to view the certificate request, click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen.

Go to Certificate Enrollment

If you want to enroll another certificate, click Go to Certificate Enrollment. The Manager displays the Administration | Certificate Management | Enroll screen. (See Figure 12-41.)

Go to Certificate Installation

If you want to install the certificate you have just enrolled, click Go to Certificate Installation. The Manager displays the Administration | Certificate Management | Install screen. (See Figure 12-47.)

Administration | Certificate Management | Delete

The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management screen. The screen shows the same certificate details as on the Administration | Certificate Management | View screen.

Please note:

You must delete CA certificates from the bottom up: server identity first, then subordinate CA, then root CA certificates last. Otherwise, the Manager displays an error message.

If the certificate is in use by an SA or referenced in an active enrollment request, the Manager displays an error message.

Figure 12-61 Administration | Certificate Management | Delete Screen

Fields

For a description of the fields in this certificate, see the "Certificate Fields" section.

Yes / No

To delete this certificate, click Yes.


Note There is no undo.


The Manager returns to the Administration | Certificate Management screen and shows the remaining certificates.

To retain this certificate, click No. The Manager returns to the Administration | Certificate Management screen, and the certificates are unchanged.

Administration | Certificate Management | Generate SSL Certificate

Figure 12-62 Administration | Certificate Management | Generate SSL Certificate Screen

Choose the RSA Keysize

Choose the RSA key size according to what your CA supports and the level of security you desire. The choices are: 2048 bits, 1024 bits, 768 bits, and 512 bits. The larger the key size, the more secure it is.

Generate/Cancel

Click Generate to generate a new SSL certificate for this interface.

Click Cancel to cancel the operation and return to the Administration | Certificate Management screen.

Administration | Certificate Management | Export SSL Certificate

This screen allows you to copy an SSL certificate from this interface to another or from this VPN 3002 to another.

Figure 12-63 Administration | Certificate Management | Export SSL Certificate Screen

Enter Password

Enter a password for encrypting the private key.

Verify Password

Retype the password to verify it.

Export/Cancel

Click Cancel to cancel the operation and return to the Administration | Certificate Management screen.

Click Export to view the certificate. A new browser window appears, displaying the certificate. (See Figure 12-64.)

Figure 12-64 Sample SSL Certificate Export

You can now copy the certificate text, or save it to a file; then, install the certificate on the appropriate interface or VPN 3002.

Administration | Certificate Management | Generate SSH Host Key

This screen allows you to generate a new SSH Host key. In order to access the VPN 3002 via SSH, the VPN 3002 must have a host key. Only one key is required. The VPN 3002 generates a host key automatically during reboot or upgrade, by taking the public/private key pair from the SSL certificate. If you want a stronger key, or if the original key has been in any way compromised, use this screen to generate a new one.

Figure 12-65 Administration | Certificate Management | Generate SSH Host Key Screen

Choose the RSA Keysize

Choose the RSA key size according to what your CA supports and the level of security you desire. The choices are: 2048 bits, 1024 bits, 768 bits, and 512 bits. The larger the key size, the more secure it is.

Generate/Cancel

Click Generate to create a new SSH Host key.

Click Cancel to cancel the operation and return to the Administration | Certificate Management screen.

Administration | Certificate Management | View Enrollment Request

This screen allows you to view the details of an enrollment request.

Figure 12-66 Administration | Certificate Management | View Enrollment Request Screen

Enrollment Request Fields

An enrollment request contains some or all of the following fields:

Field
Content

Subject

The person or system that uses the certificate.

Issuer

The CA or other entity (jurisdiction) from whom the certificate is being requested.

Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.

CN

Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

For the VPN 3002 self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN 3002 via HTTPS, as part of its validation.

OU

Organizational Unit: the subgroup within the organization (O).

O

Organization: the name of the company, institution, agency, association, or other entity.

L

Locality: the city or town where the organization is located.

SP

State/Province: the state or province where the organization is located.

C

Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Public Key Type

The algorithm and size of the public key that the CA or other issuer used in generating this certificate.

Request Usage

The type of certificate: Identity or SSL.

MD5 Thumbprint

A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.

SHA1 Thumbprint

A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.

Generated

The date the request was initiated.

Enrollment Type

The type of enrollment: initial, re-enroll, or re-key.

Enrollment Method

The method of enrollment: SCEP or manual.

Enrollment Status

The current status of the enrollment: complete, rejected, error, and so on.


Back

Click Back to display the Administration | Certificate Management screen.

Administration | Certificate Management | Cancel Enrollment Request

This screen shows you the details of the enrollment request and allows you to cancel it.

You can cancel only a SCEP enrollment request, and you can do so only when the request is in polling mode. Once a request is cancelled, you can then remove it, re-submit it, or view its details.

Figure 12-67 Administration | Certificate Management | Cancel Enrollment Request Screen

Fields

For a description of the fields in this enrollment request, see the "Enrollment Request Fields" section.

Yes / No

To cancel this enrollment request, click Yes.


Note There is no undo.


The Manager returns to the Administration | Certificate Management screen.

To retain this enrollment request, click No. The Manager returns to the Administration | Certificate Management screen, and the enrollment requests are unchanged.

Administration | Certificate Management | Delete Enrollment Request

This screen shows you details of the enrollment request and allows you to delete it. Deleting an enrollment request removes it from the Enrollment Request table (on the Administration | Certificate Management page) and destroys all record of it.

Figure 12-68 Administration | Certificate Management | Delete Enrollment Request

Fields

For a description of the fields in this enrollment request, see the "Enrollment Request Fields" section.

Yes / No

To delete this enrollment request, click Yes.


Note There is no undo.


The Manager returns to the Administration | Certificate Management screen and shows the remaining enrollment requests.

To retain this enrollment request, click No. The Manager returns to the Administration | Certificate Management screen, and the enrollment requests are unchanged.


Posted: Tue Apr 19 13:04:10 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.