XSR User’s Guide 265
Chapter 11 VPN Configuration Overview
Configuring the Virtual Private Network
Remove individual certificates using the following commands:
– crypto ca certificate chain
– no certificate - The serial number can be found in the output of the show crypto ca certificates command.
Remove CA identities and all associated CA and IPSec client certificates by entering no crypto ca identity <ca name>.
Configuring PKI
The main steps to configure PKI are as follows:
1. Obtain the CA name and URL
2. Identify the CA, then retrieve and authenticate its certificate
3. Verify that the root certificate was received
4. Configure CA retrieval attributes and update CRLs
5. Specify one or more hosts for the CRL mechanism
6. Enroll for an end-entity certificate
7. Verify that the end-entity certificate is valid
8. Optional: change the enrollment retry period and count
For step-by-step instructions, refer to the following PKI Certificate example.
NOTE: If you have multiple CAs in a chained environment, you need only identify each CA and obtain each CA certificate within the chain, using the crypto ca identity and crypto ca authenticate commands respectively, as illustrated in Step 2 on page 266.
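As an added illustration of the note above and of the CRL and certificate-verification steps in the list (this is not code from the XSR guide or from Enterasys): a Python script using the `cryptography` package that builds a constructed Root CA -> Sub CA -> gateway chain, then checks the gateway certificate against the set of CAs that were authenticated and against a CRL looked up by serial number. The CA names, keys, serial numbers and certificates are all generated locally and are assumptions, not XSR data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # constructed clock
YEAR = datetime.timedelta(days=365)
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, issuer_key, is_ca):  # self-signed when issuer_key is None
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer)).public_key(key.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(NOW).not_valid_after(NOW + YEAR)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert

def signed_by(cert, issuer_cert):
    try:  # the ECDSA signature over the TBS bytes must verify under the issuer's key
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False
    return cert.issuer == issuer_cert.subject

def validate(leaf, trusted, crl=None):
    """Walk leaf -> ... -> self-signed root; every issuer must be a trusted CA, none revoked."""
    by_subject = {c.subject: c for c in trusted}
    cert = leaf
    while True:
        if crl is not None and crl.get_revoked_certificate_by_serial_number(cert.serial_number):
            return False                           # serial number is on the CRL
        if cert.issuer == cert.subject:            # reached a root certificate
            return cert in trusted and signed_by(cert, cert)
        issuer = by_subject.get(cert.issuer)
        if issuer is None or not signed_by(cert, issuer):
            return False                           # CA never authenticated, or bad signature
        cert = issuer

def demo():  # Root CA -> Sub CA -> gateway certificate, plus a CRL revoking the gateway
    root_key, root = make_cert("Root CA", "Root CA", None, True)
    sub_key, sub = make_cert("Sub CA", "Root CA", root_key, True)
    _, gw = make_cert("xsr-gateway", "Sub CA", sub_key, False)
    revoked = x509.RevokedCertificateBuilder().serial_number(gw.serial_number).revocation_date(NOW).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name("Sub CA")).last_update(NOW)
           .next_update(NOW + YEAR).add_revoked_certificate(revoked).sign(sub_key, hashes.SHA256()))
    return validate(gw, [root, sub]), validate(gw, [root]), validate(gw, [root, sub], crl)
```

demo() returns (True, False, False): the chain validates only when both CAs were authenticated, fails when the Sub CA was skipped, and fails again once the gateway's serial number appears on the CRL.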
PKI Certificate Enrollment Example
This PKI example illustrates authenticating to and enrolling with a Certificate Authority (CA) for an end-entity certificate for the IPSec gateway. Local IPSec uses end-entity certificates to establish SAs for IPSec connectivity. You must authenticate against every CA that may have issued certificates to any remote system that may build IPSec links to the local system.