25-49
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
Note You do not need to configure the name of the user group on the hub (Easy VPN server).
For more information, see PKI Enrollment Dialog Box—Certificate Subject Name Tab, page 25-61.
To deploy PKI policies to files (not to live devices), the following prerequisites must be met:
Routers must run Cisco IOS Software 12.3(7)T or later.
CA authentication certificates must be cut and pasted into the Security Manager user interface
(so that CA authentication is not interactive and does not require communication with the live
device).
If you are deploying to live devices, the PKI server must be online.
Security Manager supports the Microsoft, Verisign, and Entrust PKIs.
Security Manager supports Cisco IOS Certificate Servers. The Cisco IOS Certificate Server feature
embeds a simple certificate server, with limited CA functionality, into the Cisco IOS software. An
IOS Certificate Server can be configured as a FlexConfig policy. For more information, see
Chapter 7, “Managing FlexConfigs”.
To configure PKI with AAA authorization that uses the entire subject name on an IOS router, use
the predefined FlexConfig object named IOS_PKI_WITH_AAA.
Prerequisites for PKI Enrollment Using TFTP
If you do not have constant direct access to the CA server, you can enroll using TFTP if your devices are
routers running Cisco IOS Software 12.3(7)T or later.
On deployment, Security Manager generates the corresponding CA trustpoint command and authenticate
command. The trustpoint command is configured with the enrollment URL tftp://<certserver>/<file_specification>
entry to retrieve the CA certificate using TFTP. If file_specification is not specified,
the FQDN of the router is used.
Before using this option, you must make sure that the CA certificates file (.ca) is saved on the TFTP
server. To do this, use this procedure:
1. Connect to http://servername/certsrv, where servername is the name of the Windows 2000 web
server on which the CA you want to access is located.
2. Select Retrieve the CA certificate or certificate revocation list, then click Next.
3. Select Base64 encoded, then click Download CA certificate.
4. Save the .crt file as a .ca file on the TFTP server using your browser’s Save As function.
After deployment, you must transfer the certificate request generated by Security Manager on the TFTP
server to the CA, and then transfer the device’s certificates from the CA to the device.
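The two files that move through the TFTP server in this procedure are the Base64-encoded CA certificate (.ca) and the PKCS#10 enrollment request (.req) that Security Manager writes for the router. The script below is an added example, not Cisco's or Security Manager's code: it derives the enrollment URL and file names from the certserver, the optional file_specification and the router FQDN (the .ca/.req/.crt suffix convention and the sample certificate and request bytes are assumptions constructed here, not taken from the guide), and then checks that a downloaded file is actually PEM rather than the DER form the certsrv page offers, which is the usual cause of a failed CA authentication.

```python
"""Pre-flight checks for TFTP-based PKI enrollment files (added example).

Assumptions (not from the guide): the router reads <spec>.ca and <spec>.crt and
writes <spec>.req on the TFTP server, where <spec> is file_specification or,
when omitted, the router FQDN.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def tftp_file_names(certserver, file_specification=None, router_fqdn=None):
    """Return the enrollment URL and the three TFTP file names for a trustpoint."""
    spec = file_specification or router_fqdn
    if not spec:
        raise ValueError("file_specification or router_fqdn is required")
    return {
        "enrollment_url": f"tftp://{certserver}/{spec}",
        "ca": f"{spec}.ca",    # CA certificate saved from the certsrv page
        "req": f"{spec}.req",  # PKCS#10 request written by Security Manager
        "crt": f"{spec}.crt",  # certificate issued by the CA for the router
    }


def _der_tlv(data, offset=0):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, offset + length


def pem_to_der(data):
    """Unwrap a PEM file; returns (label, der) or None when the file is not PEM."""
    if isinstance(data, bytes):
        try:
            data = data.decode("ascii")
        except UnicodeDecodeError:
            return None  # binary DER download, not the Base64 form step 3 asks for
    m = PEM_RE.search(data)
    if not m:
        return None
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)


def check_ca_file(data):
    """'ok' if data is a PEM X.509 certificate (outer SEQUENCE, tbsCertificate SEQUENCE)."""
    unwrapped = pem_to_der(data)
    if unwrapped is None:
        return "not Base64 (PEM) encoded: re-download with 'Base64 encoded' selected"
    label, der = unwrapped
    if label != "CERTIFICATE":
        return f"PEM label is {label}, expected CERTIFICATE"
    tag, body, end = _der_tlv(der)
    if tag != 0x30 or end != len(der):
        return "not a single DER SEQUENCE"
    if _der_tlv(body)[0] != 0x30:
        return "tbsCertificate SEQUENCE missing"
    return "ok"


def check_req_file(data):
    """'ok' if data is a PEM PKCS#10 request whose CertificationRequestInfo.version is 0."""
    unwrapped = pem_to_der(data)
    if unwrapped is None:
        return "not Base64 (PEM) encoded"
    label, der = unwrapped
    if label not in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
        return f"PEM label is {label}, expected CERTIFICATE REQUEST"
    tag, body, end = _der_tlv(der)
    if tag != 0x30 or end != len(der):
        return "not a single DER SEQUENCE"
    info_tag, info, _ = _der_tlv(body)
    if info_tag != 0x30:
        return "CertificationRequestInfo SEQUENCE missing"
    ver_tag, ver, _ = _der_tlv(info)
    if ver_tag != 0x02 or ver != b"\x00":
        return "PKCS#10 version must be INTEGER 0"
    return "ok"


# --- constructed, structurally minimal samples (not real certificates) ---
def _der(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length is enough here


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


SAMPLE_CA = _pem("CERTIFICATE", _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")))
                                     + _der(0x30, b"") + _der(0x03, b"\x00")))
SAMPLE_REQ = _pem("CERTIFICATE REQUEST", _der(0x30, _der(0x30, _der(0x02, b"\x00") + _der(0x30, b""))
                                             + _der(0x30, b"") + _der(0x03, b"\x00")))
SAMPLE_DER_ONLY = pem_to_der(SAMPLE_CA)[1]  # what a 'DER encoded' download looks like

if __name__ == "__main__":
    print(tftp_file_names("10.0.0.5", router_fqdn="rtr1.example.com"))
    print(check_ca_file(SAMPLE_CA), check_ca_file(SAMPLE_DER_ONLY), check_req_file(SAMPLE_REQ))
```

Run the checks against the .ca file before it is placed on the TFTP server and against the .req file before it is pasted into the certsrv request form; a result other than "ok" means the file would be rejected at the next step rather than at deployment time.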
Transferring the Certificate Request from the TFTP Server to the CA Server
Security Manager creates a PKCS#10 formatted enrollment request (.req) on the TFTP server. You must
transfer it to the PKI server using this procedure:
1. Connect to http://servername/certsrv, where servername is the name of the Windows 2000 web
server where the CA you want to access is located.
2. Select Request a certificate, then click Next.
3. Select Advanced request, then click Next.
4. Select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request
using a base64 encoded PKCS #7 file, then click Next.