XSR User's Guide, Chapter 11: VPN Configuration Overview (page 266)
Configuring the Virtual Private Network
1 Begin by asking your CA administrator for your CA name and URL. The CA's URL defines its IP address, path and default port (80). You can confirm that the CA server is reachable by pinging its IP address.
2 Be sure that the XSR time setting is correct for its UTC time zone offset so that it is synchronized with the CA's time; certificate validity periods are checked against this clock. For example:
XSR(config)#clock timezone -5 0
3 Specify the enrollment URL, authenticate the CA and retrieve the root certificate. Check your CA Web site to ensure that the fingerprint printed by the XSR matches the CA's published fingerprint; the XSR computes its value from the certificate it retrieved from the CA itself, so a mismatch means the certificate is not the genuine CA certificate. If the fingerprints match, accept the certificate; if not, reject it and check to be sure the certificate is deleted and not stored in the CA database. In certain situations you may need to specify a particular CA identity name. Consult your administrator for more information.
XSR(config)#crypto ca identity PKItestca1
XSR(config-ca-identity)#enrollment url http://192.168.1.33/certsrv/mscep/mscep.dll/
XSR(config-ca-identity)#exit
XSR(config)#crypto ca authenticate PKItestca1
Certificate has the following attributes:
Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302
Do you accept this certificate? [yes/no] y
4 Display your CA certificates to verify all root and associated certificates are present. In the RA Mode example below, PKItestca1 is the root CA of three certificates. Non-RA Mode CAs return one certificate only.
XSR(config)#show crypto ca certificates
CA Certificate - PKItestca1
State: CA-AUTHENTICATED
Version: V3
Serial Number: 6083684655030387331394927502614112809
Issuer: MAILTO=foo@foo.com, C=US, ST=MA, L=Andover,
O=VPN Engin, OU=Eng, CN=PKI Test Certificate Authority
Valid From: 2002 Jun 4th, 12:40:46 GMT
Valid To: 2004 Jun 4th, 12:48:15 GMT
Subject: MAILTO=foo@foo.com, C=US, ST=MA, L=Andover,
O=VPN Eng, OU=Eng, CN=PKI Test Certificate Authority
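The two manual checks in steps 3 and 4 (does the printed fingerprint match the one the CA publishes, and is the retrieved CA certificate authenticated and inside its validity window) can be scripted. The Python below is an added example, not code from the XSR guide or from Enterasys: SAMPLE_CA_DER is constructed stand-in bytes rather than a real DER certificate (the fingerprint logic only hashes bytes, so it works unchanged on a real file), PAGE_SHOW_OUTPUT is the show output printed in step 4, and the function names are the author's own. The XSR prints a 32-hex-digit (128-bit, MD5) fingerprint; the example also accepts SHA-1 and SHA-256 lengths, which goes beyond the page.

```python
"""Offline checks for the CA enrollment procedure: compare the XSR's printed
fingerprint with the CA's published one, and check the state and validity
window reported by 'show crypto ca certificates'."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed stand-in for the DER bytes of a retrieved CA certificate; a real
# check would read the certificate file obtained from the CA Web site.
SAMPLE_CA_DER = b"\x30\x82\x01\x04" + bytes(range(256)) + b"\x00\x01\x02\x03"

# Output shown on the page for step 4 (one certificate block).
PAGE_SHOW_OUTPUT = """CA Certificate - PKItestca1
State: CA-AUTHENTICATED
Version: V3
Serial Number: 6083684655030387331394927502614112809
Issuer: MAILTO=foo@foo.com, C=US, ST=MA, L=Andover,
O=VPN Engin, OU=Eng, CN=PKI Test Certificate Authority
Valid From: 2002 Jun 4th, 12:40:46 GMT
Valid To: 2004 Jun 4th, 12:48:15 GMT
Subject: MAILTO=foo@foo.com, C=US, ST=MA, L=Andover,
O=VPN Eng, OU=Eng, CN=PKI Test Certificate Authority
"""

# Hex length of a fingerprint -> digest algorithm. The XSR's value is 32 hex
# chars (MD5); the other two entries cover CAs that publish SHA-1 or SHA-256.
DIGEST_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Remove spacing/colon grouping and case so XSR and Web-page forms compare."""
    return re.sub(r"[\s:]", "", text).lower()


def printed_fingerprint(der, algo="md5"):
    """Render a digest of the DER bytes the way the XSR prints it (8-char groups)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def matches_published(der, published):
    """True if the DER bytes hash to the published fingerprint (algorithm by length)."""
    wanted = normalize_fingerprint(published)
    algo = DIGEST_BY_LENGTH.get(len(wanted))
    if algo is None:
        raise ValueError("unrecognised fingerprint length: %d hex chars" % len(wanted))
    actual = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(actual, wanted)  # constant-time compare


def parse_show_ca_certificates(output):
    """Turn one certificate block of 'show crypto ca certificates' into a dict.
    Lines without 'Key: value' continue the previous field (the Issuer and
    Subject DNs wrap onto a second line)."""
    fields, last_key = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m:
            last_key = m.group(1)
            fields[last_key] = m.group(2)
        elif line.startswith("CA Certificate - "):
            fields["Name"] = line[len("CA Certificate - "):]
            last_key = None
        elif last_key is not None:
            fields[last_key] = fields[last_key] + " " + line
    return fields


def parse_xsr_time(text):
    """'2002 Jun 4th, 12:40:46 GMT' -> timezone-aware UTC datetime."""
    cleaned = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", text).replace(" GMT", "")
    return datetime.strptime(cleaned, "%Y %b %d, %H:%M:%S").replace(tzinfo=timezone.utc)


def check_ca_certificate(fields, now=None):
    """Return the reasons this CA entry should not be relied on (empty list = fine).
    'now' is an aware datetime or an ISO 8601 string with offset; defaults to now."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    problems = []
    if fields.get("State") != "CA-AUTHENTICATED":
        problems.append("state is %r, expected CA-AUTHENTICATED" % fields.get("State"))
    valid_from = parse_xsr_time(fields["Valid From"])
    valid_to = parse_xsr_time(fields["Valid To"])
    if now < valid_from:
        problems.append("not yet valid (starts %s)" % valid_from.isoformat())
    if now > valid_to:
        problems.append("expired on %s" % valid_to.isoformat())
    return problems


if __name__ == "__main__":
    shown = printed_fingerprint(SAMPLE_CA_DER)
    print("XSR would print:", shown, "| matches published:",
          matches_published(SAMPLE_CA_DER, shown.lower().replace(" ", ":")))
    info = parse_show_ca_certificates(PAGE_SHOW_OUTPUT)
    print(info["Name"], check_ca_certificate(info, "2003-01-01T00:00:00+00:00"))
    print(info["Name"], check_ca_certificate(info))  # expired relative to today
```

Run against a real enrollment, you would replace SAMPLE_CA_DER with the bytes of the certificate file downloaded from the CA's Web site and paste the fingerprint the XSR printed in step 3 as the published value; the hmac.compare_digest call is not needed for a public fingerprint but keeps the comparison habit correct wherever the same helper gets reused.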