Using Digital Certificates

Certificates are signed data structures, issued by a trusted Certificate Authority (CA), that bind a public key to the name of its owner. The key pair a certificate vouches for is what encrypts, decrypts and signs data; the CA's signature on the certificate is what lets a peer trust that the public key really belongs to that name. A CA can generate public and private key pairs and place the public keys in signed certificates, revoke certificates, and renew certificates. If you only use certificates on the server side and do not have a CA, you can use the VPN 5000 concentrator as a certificate generator (CG). The CG can generate signed certificates, but it cannot revoke or renew them. Because there is no revocation, a server certificate issued by a CG whose private key is exposed can only be retired by generating a new root certificate and redistributing that root to every client.

Certificates Configuration Window

The Cisco VPN 5000 concentrator can be configured to be a CG. This section explains how to configure the VPN 5000 concentrator series to be a CG, how to set the default validity period, and what the enrollment protocol field shows.

To access the Certificates Configuration window, select Global/Certificate Configuration from the Device view.



Table 1: Certificates Configuration Window

Parameter                         Action

Enable as Certificate Generator   This checkbox sets the concentrator as a CG.

Validity Period                   The validity period, in days, of every certificate the CG generates
                                  unless a different value is given when the certificate is generated.
                                  The default is 365.

Enroll Protocol                   None. This is currently a read-only field.

Save Certificate Configuration

After you enable the concentrator as a CG, you must save the configuration to the device. Use the Save to - Device option from the File menu, or click the Save Config to Device icon on the Device toolbar.


Note   Before the concentrator can generate a server or root certificate, you must set the system clock, because the validity dates written into a certificate are taken from it; a certificate generated with a wrong clock is rejected by clients as not yet valid or already expired. Either select Device Properties from the Database menu and set the date on the System Clock tab, or select Global/Time Server from the Device view; with the time server option the clock is set automatically.

For more information on system clock settings, see the "System Clock Tab" section or the "Time Server Dialog Box" section.

Generate Certificate Window

The VPN 5000 concentrator supports server-side authentication: the concentrator holds a private key and the matching certificate, called the server certificate, and clients hold the root certificate that signed it and use that root to authenticate the server. Only the root certificate, which carries the root public key, is distributed to clients; the root private key stays on the CG.

On a CG, this section describes how to generate a root or server certificate.

To access the Generate Certificate window, select Certificates/Generate Root/Server Certificate from the File menu.


To view the root or server certificate, select one of the Certificates/Show options from the Statistics menu. For more information on the Statistics menu, refer to "The Statistics Menu" section.


Table 2: Generate Certificate Window

Parameter            Description

Root Certificate     Generates a root certificate on the CG. The root certificate is generated in
                     PEM format.

Server Certificate   Generates a server certificate for the CG, signed by the root. A root certificate
                     must be generated first, or the server certificate will not be signed properly.

Key Length           512, 1024, 2048, or 4096. The number of bits in the generated key. The default is
                     1024, which this guide recommends. Larger keys can take the system up to an hour
                     to generate. Note that 512-bit RSA keys can be factored with modest resources and
                     1024-bit RSA keys are no longer considered adequate; choose 2048 or more wherever
                     your clients accept it.

Options              Subject fields of the certificate:

  City               A text string with no spaces identifying the city where the concentrator resides.

  State              A text string with no spaces identifying the full state name where the
                     concentrator resides.

  Country Code       The two-letter country code where the concentrator resides.

  Organization       A phrase, spaces allowed, identifying the company or other organization name.

  Common Name        A phrase, spaces allowed, identifying the concentrator name or describing the
                     certificate. If you do not specify a name, the concentrator uses its device name.

Validity Period      1 to 9999 days. If you do not specify a value, the system uses the value set in
                     the Certificates Configuration window. See the "Certificates Configuration
                     Window" section.

Export Root Certificate

To export a root certificate, select Certificates/Export Root Certificate from the File menu.

You will be asked if you want to export the root certificate in X.509 format. Click Yes to export in the X.509 format the dialog offers; click No to export in PEM (Base64-encoded text) format. Both contain the same certificate; only the file encoding differs, so a fingerprint computed over either export matches the other.


This window displays the last generated root certificate. To export the root certificate, click the Export button. This copies the root certificate to the Windows clipboard, from which it can be pasted into the application of your choice.

To save the root certificate to a file, click the Save to File button to open a file browser window.
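The root-then-server procedure of Table 2, and the two export encodings described above, reproduced with OpenSSL as an added example. This is not Cisco code and does not show how the concentrator generates keys internally; the subject values, file names, the `cg_*` function names and the 2048-bit key length are constructed for the example. It builds the chain, shows what a client sees when the server certificate was not signed by the root (emulated here as a self-signed server certificate, the closest OpenSSL analogue), confirms the key length and validity period, and checks that a DER and a PEM export of the root describe the same certificate:

```shell
#!/bin/sh
# Added example (not Cisco code): emulate the VPN 5000 CG's root -> server
# certificate procedure with OpenSSL, then run the checks an administrator
# would want on the result.  Subject values and file names are constructed.
set -eu

WORK=$(mktemp -d)

# Subject fields as in the Generate Certificate window: City (L) and State
# (ST) take no spaces, Country Code (C) is two letters, Organization (O)
# and Common Name (CN) may contain spaces.
C=US; ST=California; L=SanJose; O="Example Corp"; CN="vpn5000-example"

# "Root Certificate": a self-signed certificate on the CG.
# $1 = key length in bits, $2 = validity period in days.
cg_generate_root() {
  openssl req -x509 -newkey "rsa:$1" -nodes -days "$2" \
    -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=$CN root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# "Server Certificate": a new key pair whose certificate is signed by the
# root key.  $1 = key length, $2 = validity in days, $3 = output basename.
cg_generate_server() {
  openssl req -new -newkey "rsa:$1" -nodes \
    -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=$CN" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -days "$2" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/$3.pem" 2>/dev/null
}

# Emulation of "server certificate generated before the root": the server
# certificate is self-signed instead of being signed by the root.
cg_generate_server_unsigned() {
  openssl req -x509 -newkey "rsa:$1" -nodes -days "$2" \
    -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=$CN" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.pem" 2>/dev/null
}

# Chain check a client performs against the root it holds: prints OK or FAIL.
cg_verify_chain() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# RSA modulus size of the certificate's public key, in bits.
cg_key_bits() {
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Does the certificate expire $2 days from now (to within an hour)?  yes/no.
cg_validity_is() {
  secs=$(( $2 * 86400 ))
  if openssl x509 -in "$WORK/$1.pem" -noout -checkend $(( secs - 3600 )) >/dev/null \
     && ! openssl x509 -in "$WORK/$1.pem" -noout -checkend $(( secs + 3600 )) >/dev/null; then
    echo yes
  else
    echo no
  fi
}

# The Export Root Certificate choice: binary X.509 (DER) versus PEM.  Both
# carry the same certificate, so their SHA-256 fingerprints must agree.
cg_export_formats_agree() {
  openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.der"
  pem=$(openssl x509 -in "$WORK/root.pem" -noout -fingerprint -sha256)
  der=$(openssl x509 -in "$WORK/root.der" -inform DER -noout -fingerprint -sha256)
  [ "$pem" = "$der" ] && echo same || echo different
}

cg_generate_root 2048 365
cg_generate_server 2048 365 server
cg_generate_server_unsigned 2048 365 orphan
echo "server chains to root:      $(cg_verify_chain server)"     # OK
echo "orphan chains to root:      $(cg_verify_chain orphan)"     # FAIL
echo "server key bits:            $(cg_key_bits server)"         # 2048
echo "server valid for 365 days:  $(cg_validity_is server 365)"  # yes
echo "DER and PEM exports agree:  $(cg_export_formats_agree)"    # same
```

The same three checks (chain verification, key size, fingerprint of the export) are worth repeating on a root certificate exported from a real CG before it is distributed: the fingerprint from `openssl x509 -noout -fingerprint -sha256` is the value clients should compare out of band.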

Generate Certificate Request Window

On a non-CG concentrator, this section describes how to request a server certificate.

The non-CG concentrator generates a certificate request, containing its new public key and subject information, which is exported to a CG or Certificate Authority (CA). The CA or CG then signs a certificate for it, which must be imported back into the non-CG concentrator. The private key never leaves the concentrator.

To access the Generate Certificate Request window, select Certificates/Generate Certificate Request from the File menu.



Table 3: Generate Certificate Request Window

Parameter        Description

Key Length       512, 1024, 2048, or 4096. The number of bits in the generated key. The default is
                 1024, which this guide recommends. Larger keys can take the system up to an hour to
                 generate. The key-length considerations noted in Table 2 apply here too: prefer 2048
                 or more wherever the signing CA and the clients accept it.

Options          Subject fields of the request:

  City           A text string with no spaces identifying the city where the concentrator resides.

  State          A text string with no spaces identifying the full state name where the concentrator
                 resides.

  Country Code   The two-letter country code where the concentrator resides.

  Organization   A phrase, spaces allowed, identifying the company or other organization name.

  Common Name    A phrase, spaces allowed, identifying the concentrator name or describing the
                 certificate. If you do not specify a name, the concentrator uses its device name.

Export Certificate Request Window

This command is for non-CG certificate requests. After the concentrator generates a certificate request, you must export it to a CA or CG. The CA or CG takes the certificate request and signs a server certificate for it.

If your concentrator is non-CG and you need to import a server certificate from a CA or CG, you must use the command line interface. The Cisco VPN 5000 Manager does not support importing certificates at this time. See the Cisco VPN 5000 Concentrator Series Command Reference Guide for more information about importing certificates.

To export a certificate request, select Certificates/Export Request from the File menu.


This window displays the last generated certificate request. To export the certificate request, click the Export button. This copies the certificate request in PEM format to the Windows clipboard, from which it can be pasted into the application of your choice.

To save the certificate request to a file, click the Save to File button to open a file browser window.

Approve/Reject Certificate Window

This command is for Certificate Generators (CG) only. If a certificate request has been imported using the command line interface, you need to approve or reject it. The request stays on the CG until an administrator has approved or rejected it; approving it is what causes the CG to sign a server certificate for the requesting concentrator, so check the request's subject fields and key length before approving.

To approve or reject certificate requests, select Certificates/Approve (or Reject) from the File menu. This opens a window that displays a list of pending certificate requests.


The Number of Days until Expiration value sets the validity period of the certificate that approving the selected request issues. The default value is 365 days.
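The non-CG request flow of the Generate Certificate Request, Export Certificate Request and Approve/Reject sections above, as an added example in OpenSSL. This is not Cisco code, and the concentrator's CLI import step is not reproduced: the PKCS#10 CSR stands in for the PEM request a non-CG concentrator exports, and signing it with the root stands in for Approve on a CG (or for issuance by an external CA). The subject values, the function names, the `branch-vpn` and `weak-vpn` request names and the 2048-bit minimum are constructed for the example:

```shell
#!/bin/sh
# Added example (not Cisco code): the non-CG request/approve procedure with
# OpenSSL.  The CSR plays the exported request, signing plays Approve.
# Subject values, names and the 2048-bit policy are constructed.
set -eu

WORK=$(mktemp -d)
MIN_BITS=2048   # constructed approval policy; the page's 1024 default fails it

# Root of the signing CG or CA (constructed here; a real CG uses its own).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/C=US/ST=California/L=SanJose/O=Example Corp/CN=Example CG root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# "Generate Certificate Request" on a non-CG concentrator: a new key pair and
# a PEM request carrying the subject fields.  $1 = key bits, $2 = basename/CN.
noncg_generate_request() {
  openssl req -new -newkey "rsa:$1" -nodes \
    -subj "/C=US/ST=California/L=SanJose/O=Example Corp/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
}

# What an administrator inspects before Approve: the subject, the key size,
# and the request's own signature (proof the requester holds the private key).
request_subject_cn() {
  openssl req -in "$WORK/$1.csr" -noout -subject | sed -n 's/.*CN *= *//p'
}
request_key_bits() {
  openssl req -in "$WORK/$1.csr" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
request_self_signature_ok() {
  openssl req -in "$WORK/$1.csr" -noout -verify >/dev/null 2>&1 && echo yes || echo no
}

# Approve: sign the request with the root for $2 days ("Number of Days until
# Expiration").  Reject when the key is below MIN_BITS or the request's own
# signature does not verify.  Prints approved or rejected.
cg_approve_request() {
  if [ "$(request_key_bits "$1")" -lt "$MIN_BITS" ] \
     || [ "$(request_self_signature_ok "$1")" != yes ]; then
    echo rejected
    return 0
  fi
  openssl x509 -req -in "$WORK/$1.csr" -days "$2" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
  echo approved
}

# Checks worth running on the issued certificate before importing it: it
# chains to the root the clients hold and carries the requested CN.
issued_chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}
issued_cn() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject | sed -n 's/.*CN *= *//p'
}

noncg_generate_request 2048 branch-vpn
noncg_generate_request 1024 weak-vpn
echo "branch-vpn request: CN=$(request_subject_cn branch-vpn)" \
     "bits=$(request_key_bits branch-vpn) self-sig=$(request_self_signature_ok branch-vpn)"
echo "branch-vpn: $(cg_approve_request branch-vpn 365)"      # approved
echo "weak-vpn:   $(cg_approve_request weak-vpn 365)"        # rejected
echo "branch-vpn chains to root: $(issued_chain_ok branch-vpn)"   # OK
echo "branch-vpn issued CN: $(issued_cn branch-vpn)"              # branch-vpn
```

The `weak-vpn` request uses the 1024-bit length this guide lists as its default; under the constructed policy it is rejected, which is the decision a CG administrator has to make by hand, since the Approve/Reject window does not enforce a minimum key length.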


Posted: Wed Sep 27 12:08:47 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.