XSR User's Guide 235
Chapter 11: Configuring the Virtual Private Network
Describing Public-Key Infrastructure (PKI)
Machine Certificates for the XSR
Certificates are used by the IKE subsystem to establish SAs for IPSec
tunneling. Key information in the certificates is used to identify other IPSec
clients to the XSR and vice versa. In order to use certificates on the XSR you
must manually collect the certificates for one or more CAs (depending on
your configuration) and enroll a certificate for the router. Certificates for CAs
are identified as CA certificates, and certificates representing an IPSec client
are identified as IPSec client certificates.
The XSR uses the SCEP protocol to retrieve certificates for the XSR and for any
CA that appears in the XSR's or a peer's certificate chain.
Certificate Revocation Lists (CRLs) are used to ensure that both the XSR's
certificate and any peer certificate are currently valid. A CRL lists the
certificates a CA has revoked before their natural expiration. The XSR
validates every IPSec certificate it uses against current CRLs available from
the CAs in that certificate's chain.
CRL checking on the XSR is mandatory; it does not offer the optional CRL
checking mode that some other systems allow. CRLs are collected
automatically by the XSR using the retrieval information stored in the IPSec
client and CA certificates it has already collected.
Two methods are available to perform this collection:
HTTP GET issues an HTTP request to the URL in the certificate to collect the CRL.
LDAP issues an LDAP URL request to collect the CRL.
Most CAs can be configured to use either or both of these CRL retrieval
mechanisms. The XSR automatically selects one method or the other based
on the URL stored in the certificate.
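As an added example (not part of the XSR guide and not Enterasys code), the following Go program models the mandatory CRL checking described above: it selects HTTP GET or LDAP from the distribution point URL carried in a certificate, and accepts a certificate only when a CRL signed by its issuing CA is on hand, is current, and does not list the certificate's serial. The CA, client certificate, CRL and both distribution point URLs (the host pki.example.test) are constructed inside the program; no network fetch is performed, the CRL bytes that a retrieval would have produced are passed in directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SelectRetrievalMethod picks the CRL collection method ("HTTP GET" or "LDAP")
// from the scheme of a CRL distribution point URL carried in a certificate.
func SelectRetrievalMethod(cdp string) string {
	u, err := url.Parse(cdp)
	if err != nil {
		return "unsupported"
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		return "HTTP GET"
	case "ldap", "ldaps":
		return "LDAP"
	default:
		return "unsupported"
	}
}

// CheckRevocation enforces mandatory CRL checking for one certificate: the CRL
// must be present, signed by the issuing CA, current at now, and must not list
// the certificate's serial; anything else fails closed. Building and verifying
// the certificate chain itself is assumed to happen separately.
func CheckRevocation(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	if len(crlDER) == 0 {
		return errors.New("no CRL available: CRL checking is mandatory, rejecting certificate")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // also requires issuer to have crlSign key usage
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("CRL is not current (outside thisUpdate..nextUpdate)")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture constructs, offline, a throwaway CA, an IPSec client certificate carrying
// both an HTTP and an LDAP distribution point (hypothetical URLs), and a CRL issued by
// that CA which revokes the client when revokeClient is true. All of it is constructed data.
func BuildFixture(now time.Time, revokeClient bool) (ca, client *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "xsr-branch-1"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		CRLDistributionPoints: []string{"http://pki.example.test/root.crl",
			"ldap://pki.example.test/CN=Example%20Root%20CA?certificateRevocationList"},
	}
	client = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, clientTmpl, ca, &clientKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour)}
	if revokeClient {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return ca, client, crlDER
}

func main() {
	now := time.Now()
	for _, revoked := range []bool{false, true} {
		ca, client, crlDER := BuildFixture(now, revoked)
		for _, cdp := range client.CRLDistributionPoints {
			fmt.Printf("CDP %s -> collect via %s\n", cdp, SelectRetrievalMethod(cdp))
		}
		fmt.Printf("client revoked=%v: %v\n", revoked, CheckRevocation(client, ca, crlDER, now))
		fmt.Println("with no CRL on hand:", CheckRevocation(client, ca, nil, now))
	}
}
```

The fail-closed branch taken when no CRL is on hand is the behaviour the text describes: an unreachable CRL distribution point blocks the tunnel rather than silently skipping the check, so reachability of the CA's HTTP or LDAP CRL endpoint from the router is an operational dependency worth monitoring alongside the CA certificates themselves.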
CA Hierarchies
In large organizations, it may be advantageous to delegate the responsibility
for issuing certificates to several different CAs. For example, the number of
certificates required may be too large for a single CA to maintain; different
organizational units may have different policy requirements; or it may be
important for a CA to be physically located in the same geographic area as the
people to whom it is issuing certificates.