This section can make the VPN 5000 concentrator a Public Key Infrastructure (PKI) Certificate Generator (CG).
configure Certificates

After entering the configure command for the section, enter one or more of the following keywords.

Note: Set the time on the concentrator before using these commands, using the Time Server section or the sys clock command.

| Keyword | Description |
|---|---|
| CertificateGenerator = {On \| Off} | Makes the concentrator a CG. After enabling the concentrator as a CG, use the certificate generate and certificate request commands to create and import certificates. |
| ValidityPeriod = days | Sets the default validity period of CG-generated certificates, between 1 and 9999 days. 365 days is the default. You can override this value when you request a certificate using the certificate generate command. |
A PKI certificate system allows a tunnel peer to authenticate another without having passwords or shared secrets to enter or maintain in a database. A shared secret is a password known by both sides that is used to encrypt and decrypt the data. Certificates are special encrypted text files, generated by a trusted Certificate Authority (CA), that are used to encrypt and decrypt the data.
Note: See the VPN 5000 Client User Guide for instructions on installing certificates on the client.
A peer with its own private certificate can be authenticated by other peers. A device that connects to the peer checks the validity of the certificate by comparing it with a public root certificate. The same CA generates the root certificate, which is available to all peers. The VPN 5000 concentrator supports server-side authentication, where the concentrator has a private certificate (called a "server certificate" in this guide), and clients have a root certificate to authenticate the server.
A CA can generate public and private keys and put them into signed certificates, revoke certificates, and renew certificates. If you are only using certificates on the server, and do not have a CA, which can be expensive and require management, you can use the VPN 5000 concentrator as a certificate generator (CG). The CG can generate signed certificates, but it cannot revoke them or renew them.
Because the root certificate is public, be sure to have a CA or CG for each domain of trust, such as a company. While the VPN 5000 concentrator does not maintain a tunnel with a peer that does not specify a valid group name in the certificate, limiting the CA or CG's domain to related users and servers provides the best security.
Without certificates, when a client connects to the server, the concentrator consults its internal user list or an external user authentication server, such as RADIUS. The concentrator or RADIUS server then requires a shared secret to establish the tunnel. RADIUS servers also require a password to authenticate the user on the RADIUS server.
Server-side certificate authentication replaces the shared secret portion of a RADIUS, SecurID, or other system authentication process. The internal user list still requires a shared secret.
With a certificate system, an unauthorized user would need physical access to a user's computer. A shared secret, on the other hand, requires only that one password is broken from any location.
```
[ Certificates ]
CertificateGenerator = On
ValidityPeriod = 1000
```
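As an added example, not code from the Cisco guide, the following Python script parses a `[ Certificates ]` section like the one above and checks it against the rules the guide states: CertificateGenerator must be On or Off, and ValidityPeriod must be 1 to 9999 days with 365 as the default. It also models the validity window a CG-generated certificate would carry, starting from the concentrator's clock at generation time, which shows why the note says to set the time first. The section name, keyword names and limits are from the page; the `#` comment syntax, the ISO timestamp inputs and the window model are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Limits stated in the Certificates section of the guide.
VALIDITY_MIN_DAYS = 1
VALIDITY_MAX_DAYS = 9999
VALIDITY_DEFAULT_DAYS = 365

# Constructed sample input: the configuration fragment shown on the page.
SAMPLE_CONFIG = """\
[ Certificates ]
CertificateGenerator = On
ValidityPeriod = 1000
"""

_SECTION_RE = re.compile(r"^\[\s*(?P<name>[^\]]+?)\s*\]$")
_KEYVAL_RE = re.compile(r"^(?P<key>\w+)\s*=\s*(?P<value>.+?)$")


def parse_sections(text):
    """Split a concentrator-style config into {section: {key: value}}.

    Headers look like "[ Certificates ]", keys like "Name = value".
    Blank lines and '#' comments are skipped (assumption: the page does
    not define a comment syntax).
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = _KEYVAL_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        if current is None:
            raise ValueError(f"line {lineno}: keyword before any section header")
        sections[current][m.group("key")] = m.group("value")
    return sections


def validate_certificates_section(section):
    """Return (generator_on, validity_days, problems) for a Certificates section.

    CertificateGenerator must be On or Off (treated as Off if absent);
    ValidityPeriod must be an integer from 1 to 9999 and falls back to 365
    when absent, non-numeric or out of range.
    """
    problems = []
    gen = section.get("CertificateGenerator", "Off")
    if gen not in ("On", "Off"):
        problems.append(f"CertificateGenerator must be On or Off, got {gen!r}")
    generator_on = gen == "On"

    validity = VALIDITY_DEFAULT_DAYS
    raw = section.get("ValidityPeriod")
    if raw is not None:
        try:
            days = int(raw)
        except ValueError:
            problems.append(f"ValidityPeriod must be an integer, got {raw!r}")
        else:
            if VALIDITY_MIN_DAYS <= days <= VALIDITY_MAX_DAYS:
                validity = days
            else:
                problems.append(
                    f"ValidityPeriod {days} is outside "
                    f"{VALIDITY_MIN_DAYS}..{VALIDITY_MAX_DAYS} days")
    return generator_on, validity, problems


def certificate_window(generated_at_iso, validity_days):
    """(not_before, not_after) as ISO timestamps for a CG-generated certificate.

    not_before is taken from the concentrator's own clock at generation time
    (assumption), so a wrong clock shifts the whole window; that is why the
    guide says to set the time before using these commands.
    """
    start = datetime.fromisoformat(generated_at_iso)
    end = start + timedelta(days=validity_days)
    return start.isoformat(), end.isoformat()


def accepted_at(check_iso, window):
    """Would a peer whose clock reads check_iso accept the certificate?"""
    not_before, not_after = (datetime.fromisoformat(t) for t in window)
    return not_before <= datetime.fromisoformat(check_iso) < not_after


if __name__ == "__main__":
    cfg = parse_sections(SAMPLE_CONFIG)
    on, days, problems = validate_certificates_section(cfg["Certificates"])
    print("generator on:", on, "validity days:", days, "problems:", problems)
    window = certificate_window("2000-09-27T10:50:14", days)
    print("window:", window, "accepted a year later:",
          accepted_at("2001-09-27T10:50:14", window))
```

Running it on the sample prints a 1000-day window; feeding `certificate_window` a start time two years in the past (a concentrator whose clock was never set) produces a certificate that a correctly-timed client already treats as expired, which is the failure the note is guarding against.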
| Command | Description |
|---|---|
| certificate generate | Creates a root or server certificate, or a certificate request |
| certificate import | Imports a certificate |
| certificate request | |
| certificate remove | Removes all certificates |
| certificate verify | Checks that the server certificate is valid |
| show certificate | Shows certificate text or details |
Posted: Wed Sep 27 10:50:14 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.