25-54
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
• To add a new PKI enrollment object, click the Create (+) button below the list of available servers. The Add PKI Enrollment dialog box opens. For detailed information about the attributes of a PKI enrollment object, see PKI Enrollment Dialog Box, page 25-54.
• To change the configuration of an existing object, select it in either list and click the Edit (pencil) button.
PKI Enrollment Dialog Box
Use the PKI Enrollment dialog box to view, create, copy, or edit Public-Key Infrastructure (PKI) enrollment objects. A PKI enrollment object represents an external certification authority (CA) server that responds to certificate requests from devices in the network.
You can create PKI enrollment objects to define the properties of a CA server used when devices exchange certificates as part of an IPsec network. When you create a PKI enrollment object, you define a name for the server and the URL for enrollment. You must specify whether the devices you wish to enroll with this server should retrieve the CA server’s own certificate using the Simple Certificate Enrollment Process (SCEP) or use a certificate that you have entered manually into the device configuration. You must also select the method of support used by the CA server for revocation checking.
Note You do not have to define enrollment parameters in order to create or import a trustpoint in Security Manager.
In addition, you can optionally define the following:
• Whether the CA server is acting as a Registration Authority (RA) server.
• Enrollment parameters, including retry settings and RSA key pair settings.
• Additional attributes to include in the certificate request.
• The list of trusted CA servers located above this server in the PKI hierarchy.
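As an added example that is not part of this guide, the following shows how the properties listed above map onto a trustpoint on a Cisco IOS router, the kind of device-side configuration a PKI enrollment object describes. It assumes an IOS router (not an ASA, whose syntax differs), a hypothetical CA reachable at ca.example.com, and hypothetical trustpoint, key and host names; all of these are constructed for illustration.

```ios
! Added example (not from the guide): IOS trustpoint corresponding to the
! fields of a PKI enrollment object. All names and URLs are hypothetical.
!
! --- Global configuration mode ---
crypto pki trustpoint EXAMPLE-CA
 ! Enrollment URL of the CA. With a URL the router fetches the CA's own
 ! certificate over SCEP; use "enrollment terminal" instead when the CA
 ! certificate is pasted manually into the device configuration.
 enrollment url http://ca.example.com:80
 ! Enable only if the server in front of the CA is a Registration Authority (RA).
 ! enrollment mode ra
 ! Enrollment parameters: retry the request up to 5 times, 2 minutes apart
 enrollment retry count 5
 enrollment retry period 2
 ! Additional attributes to include in the certificate request
 subject-name CN=branch1.example.com,OU=WAN,O=Example Corp
 fqdn branch1.example.com
 ! Revocation checking method supported by the CA. "crl" alone fails closed
 ! when the CRL cannot be fetched; "crl none" would fall back to no check.
 revocation-check crl
 ! RSA key pair settings: key label and modulus size in bits
 rsakeypair EXAMPLE-CA-KEY 2048
 ! Trusted CA above this server in the PKI hierarchy; the parent trustpoint
 ! (EXAMPLE-ROOT-CA) must already exist on the device
 chain-validation continue EXAMPLE-ROOT-CA
!
! --- Privileged EXEC mode ---
! Step 1: retrieve and accept the CA certificate (the router displays its
! fingerprint; compare it against a value obtained out of band before answering yes)
crypto pki authenticate EXAMPLE-CA
! Step 2: generate the key pair (if needed) and send the certificate request
crypto pki enroll EXAMPLE-CA
! Verify the trustpoint and the certificates it holds
show crypto pki trustpoints
show crypto pki certificates EXAMPLE-CA
```

Security Manager generates the device configuration from the object for you; the example only shows what each dialog field corresponds to so that the deployed result can be checked on the device. The revocation-check choice is the setting to review most carefully: a fallback of `none` keeps tunnels up when the CRL or OCSP responder is unreachable, but it also means a revoked peer certificate is still accepted during that outage.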
Navigation Path
Select Manage > Policy Objects, then select PKI Enrollments from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Tip You can also open this dialog box from the Public Key Infrastructure policy for remote access or site-to-site VPNs.
Related Topics
• Understanding Public Key Infrastructure Policies, page 25-47
• Requirements for Successful PKI Enrollment, page 25-48
• Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50
• Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62
• Configuring Public Key Infrastructure Policies for Remote Access VPNs, page 25-52
• Policy Object Manager, page 6-4