VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring
78-13274-01
CHAPTER 9
Certificate Management
Administration | Certificate Management
This section of the Manager lets you manage digital certificates:
Enrollment: Create a certificate request to enroll with a Certificate Authority (CA).
Installation: Install certificates on the VPN Concentrator.
Certificates: View, delete, configure revocation checking, and generate certificates.
Digital certificates are a form of digital identification used for authentication. CAs issue them in the
context of a Public Key Infrastructure (PKI), which uses public-key / private-key encryption to ensure
security. CAs are trusted authorities who “sign” certificates to verify their authenticity. The systems on
each end of the VPN tunnel must have trusted certificates from the same CA, or from different CAs in
a hierarchy of trusted relationships, for example: A trusts B, and B trusts C, therefore A trusts C.
CAs issue root certificates (also known as trusted or signing certificates). They may also issue
subordinate trusted certificates. Finally, CAs issue identity certificates, which are the certificates for
specific systems or hosts. There must be at least one identity certificate (and its root certificate) on a
given VPN Concentrator; there may be more than one root certificate. The maximum number of root and
identity certificates allowed depends on the VPN Concentrator model. Model 3005 allows a maximum
of 2 root and 2 identity certificates. The other VPN Concentrator models allow a maximum of 20 root
and 20 identity certificates.
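The hierarchy described above (root, subordinate, identity), as an added example that is not part of the Cisco manual: a shell script that builds the three certificates with openssl and checks which combination of installed certificates lets the identity certificate be verified. All names, subjects and file paths are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Cisco manual): build root CA -> subordinate CA ->
# identity certificate with openssl, then test the trust relationships the text
# describes ("A trusts B, B trusts C, therefore A trusts C"). Names are invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certificates may sign others, the identity cert may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > id.ext

# Root CA ("A"): self-signed signing certificate.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null

# Subordinate CA ("B"): signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Subordinate CA' \
  -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out sub.pem 2>/dev/null

# Identity certificate ("C") for the device: signed by the subordinate CA.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=vpn3000.example.net' \
  -keyout id.key -out id.csr 2>/dev/null
openssl x509 -req -in id.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 365 -sha256 -extfile id.ext -out id.pem 2>/dev/null

# Each check returns 0 when openssl accepts the identity certificate.
# Trusted root installed and subordinate available as an intermediate: A->B->C holds.
verify_full_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/id.pem" >/dev/null 2>&1
}
# Only the root installed, subordinate missing: the chain cannot be built.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/id.pem" >/dev/null 2>&1
}
# Only the subordinate installed, no trusted root: no self-signed anchor is reached.
verify_sub_only() {
  openssl verify -CAfile "$WORK/sub.pem" "$WORK/id.pem" >/dev/null 2>&1
}

for check in verify_full_chain verify_root_only verify_sub_only; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```

Only the first check succeeds; the other two show why the device needs both the identity certificate and the trusted certificate(s) above it installed.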
During IKE (IPSec) Phase 1 authentication, the communicating parties exchange certificate and key
information, and they use the public-key / private-key pairs to generate a hash value; if the hash values
match, the client is authenticated.
The VPN Concentrator supports X.509 digital certificates (International Telecommunications Union
Recommendation X.509), including SSL (Secure Sockets Layer) certificates that are self-signed or
issued in a PKI context.
On the VPN Concentrator, digital certificates are stored as encrypted files in a secure area of Flash
memory. They do not require you to click Save Needed to store them, and they are not visible under
Administration | File Management.
After you install a digital certificate on the VPN Concentrator, it is available in the Digital Certificate
list for configuring IPSec LAN-to-LAN connections and IPSec SAs. See Configuration | System |
Tunneling Protocols | IPSec LAN-to-LAN and Configuration | Policy Management |
Traffic Management | Security Associations.
The VPN Concentrator can have only one SSL certificate installed. If you generate a self-signed SSL
certificate, it replaces any installed PKI-context SSL certificate; and vice-versa.