
Certificates

This section lets you make the VPN 5000 concentrator a Public Key Infrastructure (PKI) Certificate Generator (CG).

configure Certificates

Keywords

After entering the configure command for the section, enter one or more of the following keywords.


Note   Set the time on the concentrator, using the Time Server section or the sys clock command, before using these commands.

CertificateGenerator = {On | Off}

Makes the concentrator a CG. After enabling the concentrator as a CG, use the certificate generate and certificate request commands to create and import certificates.

ValidityPeriod = days

Sets the default validity period of CG-generated certificates, between 1 and 9999 days. 365 days is the default. You can override this value when you request a certificate using the certificate generate command.

Usage Guidelines

A PKI certificate system allows a tunnel peer to authenticate another, without having passwords or shared secrets to enter or maintain in a database. A shared secret is a password known by both sides that is used to encrypt and decrypt the data. Certificates are special encrypted text files that are generated by a trusted Certificate Authority (CA) that encrypt and decrypt the data.


Note   See the VPN 5000 Client User Guide for instructions on installing certificates on the client.

Introduction to Certificates

A peer with its own private certificate can be authenticated by other peers. A device that connects to the peer checks the validity of the certificate by comparing it with a public root certificate. The same CA generates the root certificate, which is available to all peers. The VPN 5000 concentrator supports server-side authentication, where the concentrator has a private certificate (called a "server certificate" in this guide), and clients have a root certificate to authenticate the server.

Using the Concentrator as a Certificate Generator for Server-Side Authentication

A CA can generate public and private keys and put them into signed certificates, revoke certificates, and renew certificates. If you use certificates only on the server and do not have a CA (which can be expensive and requires management), you can use the VPN 5000 concentrator as a certificate generator (CG). The CG can generate signed certificates, but it cannot revoke or renew them.

Using a CA or CG in a Domain of Trust

Because the root certificate is public, be sure to have a CA or CG for each domain of trust, such as a company. While the VPN 5000 concentrator does not maintain a tunnel with a peer that does not specify a valid group name in the certificate, limiting the CA or CG's domain to related users and servers provides the best security.

Certificates Compared to Shared Secrets

Without certificates, when a client connects to the server, the concentrator consults its internal user list or an external user authentication server, such as RADIUS. The concentrator or RADIUS server then requires a shared secret to establish the tunnel. RADIUS servers also require a password to authenticate the user on the RADIUS server.

Server-side certificate authentication replaces the shared secret portion of a RADIUS, SecurID, or other system authentication process. The internal user list still requires a shared secret.

With a certificate system, an unauthorized user would need physical access to a user's computer. A shared secret, on the other hand, requires only that one password be broken, from any location.

Examples

[ Certificates ]
CertificateGenerator = On
ValidityPeriod = 1000
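The following is an added example, not Cisco code from this guide: it validates a [ Certificates ] section against the keywords, ranges and defaults documented above, and shows why the note about setting the concentrator clock matters, since a certificate generated from a wrong clock is rejected by a peer whose clock is correct. The ini-style parsing rules, the clock values and the assumption that the validity period is counted from the concentrator's own clock are this example's assumptions.

```python
# Added example (not Cisco's code): validate a VPN 5000 "[ Certificates ]"
# section and show the effect of an unset concentrator clock on a
# CG-generated certificate. Parsing rules ("key = value", '#' comments)
# are assumptions; keyword names, ranges and defaults come from the reference.
from datetime import datetime, timedelta

DEFAULTS = {"CertificateGenerator": "Off", "ValidityPeriod": 365}

def parse_certificates_section(text):
    """Return validated settings for the [ Certificates ] section.
    Unknown keywords (including misspellings) and out-of-range values
    raise ValueError instead of being silently ignored."""
    settings = dict(DEFAULTS)
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "certificates"
            continue
        if not in_section:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"malformed line: {raw!r}")
        if key == "CertificateGenerator":
            if value not in ("On", "Off"):
                raise ValueError(f"CertificateGenerator must be On or Off, got {value!r}")
            settings[key] = value
        elif key == "ValidityPeriod":
            if not value.isdigit() or not 1 <= int(value) <= 9999:
                raise ValueError(f"ValidityPeriod must be 1..9999 days, got {value!r}")
            settings[key] = int(value)
        else:
            raise ValueError(f"unknown keyword in [ Certificates ]: {key!r}")
    return settings

def validity_window(settings, concentrator_clock):
    """(not_before, not_after) a CG-generated certificate gets when the
    section's default period is counted from the concentrator clock (assumed)."""
    return concentrator_clock, concentrator_clock + timedelta(days=settings["ValidityPeriod"])

def peer_accepts(window, peer_clock):
    """True if a peer with the given (correct) clock sees the certificate as valid."""
    not_before, not_after = window
    return not_before <= peer_clock <= not_after

# Constructed sample: the configuration from the Examples section above,
# plus an unset concentrator clock and a client clock that is correct.
SAMPLE = "[ Certificates ]\nCertificateGenerator = On\nValidityPeriod = 1000\n"
UNSET_CLOCK = datetime(1990, 1, 1)
CORRECT_CLOCK = datetime(2000, 9, 27)
```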

Related Commands

Command               Description

certificate generate  Creates a root or server certificate, or a certificate request
certificate import    Imports a certificate
certificate request   Creates a root or server certificate, or a certificate request
certificate remove    Removes all certificates
certificate verify    Checks that the server certificate is valid
show certificate      Shows certificate text or details


Posted: Wed Sep 27 10:50:14 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.