Scribd Logo
Upload

Welcome to Scribd!

  • Configuring Microsoft Certificate Services

    Uploaded by

    ChuongNguyen
    74 views4 pages
    Configuring Microsoft Certificate Services

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Configuring Microsoft Certificate Services

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    74 views4 pages

    Configuring Microsoft Certificate Services

    Uploaded by

    ChuongNguyen
    Configuring Microsoft Certificate Services

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    A P P E N D I X

    Configuring Microsoft Certificate Services


    This appendix provides additional information on requesting digital certification from the Microsoft
    CA server and configuring ca-identity configuration commands on your gateway. Use this appendix
    with Chapter 6, Configuring Digital Certification.

    Microsoft Certificate Services


    This CA requires that both IPSec peers transact with a Registration Authority (RA), which then
    forwards the requests through to the CA. Both the remote IPSec peer and the local IPSec peer must be
    configured with the both the CA and RA public keys. The CA and RA public keys are signature and
    encryption key pairs, which must be generated and enrolled for authentication to occur.
    For information on configuring Microsoft Certificate Services, see the following URLs:

    Note

    On Setting up a Certificate Authority:


    http://www.microsoft.com/windows2000/library/planning/security/casetupsteps.asp

    On Microsoft Certificate Services Web Pages:


    http://www.microsoft.com/windows2000/library/planning/security/cawebsteps.asp

    On Administering Microsoft Certificate Services:


    http://www.microsoft.com/windows2000/library/planning/security/adminca.asp

    While Cisco Secure VPN Client supports Microsoft Certificate Services, these enrollment
    methods are subject to change over time. Please see the Microsoft web site at
    http://www.microsoft.com for the current enrollment method.

    Cisco Secure VPN Client Solutions Guide


    OL-0259-02

    B-111

    Appendix B

    Configuring Microsoft Certificate Services

    Microsoft Certificate Services

    Microsoft CA Server Topology


    Corporate
    server
    10.1.1.3/24

    192.168.1.2/24

    Internal IP 10.1.2.1
    or IKE Mode Config
    from Pool

    VeriSign
    CA server
    Internet
    NAS

    VPN
    Client

    Corporate
    gateway
    S1
    192.168.1.1/24

    Pool
    10.1.2.1-254
    EO
    10.1.1.1/24

    WWW
    server
    10.1.1.2/24

    Entrust/MSCA
    CA server
    10.1.1.4/24

    41168

    Figure B-1

    Configuring Microsoft CA Identity on Gateway


    This step corresponds to Declaring the CA in Chapter 6, Configuring Digital Certification.
    To enroll your certificate with a Microsoft CA, perform the following tasks, as described in Table B-1:

    Specify the CA

    Specify Compatibility with CAs RA

    Specify CAs Enrollment URL

    Specify LDAP Support

    Specify CRL Option

    Table B-1

    Declare the CA

    Command

    Purpose

    hq_sanjose(config)# crypto ca identity


    example.com

    To declare the CA your router should use, enter


    the crypto ca identity global configuration
    command. This command invokes the ca-identity
    (cfg-ca-id) configuration mode.
    In this example, example.com is defined as the
    domain name for which this certificate is
    requested.

    hq_sanjose(cfg-ca-id)# enrollment mode ra

    To indicate compatibility with the CAs


    Registration Authority (RA) system, enter the
    enrollment mode ra ca-identity configuration
    command.

    hq_sanjose(cfg-ca-id)# enrollment url


    http://microsoft-ca

    To specify the CAs location where your router


    should send certificate requests by indicating the
    CAs enrollment URL, enter the enrollment url
    ca-identity configuration command.
    In this example, http://microsoft-ca is specified as
    the CA server.

    Cisco Secure VPN Client Solutions Guide

    B-112

    OL-0259-02

    Appendix B

    Configuring Microsoft Certificate Services


    Microsoft Certificate Services

    Table B-1

    Declare the CA (continued)

    Command

    Purpose

    hq_sanjose(cfg-ca-id)# query url


    http://microsoft-ca

    To specify Lightweight Directory Access


    Protocol (LDAP) support, enter the query url
    ca-identity configuration command. This
    command is required if your CA supports both
    RA and LDAP. LDAP is a query protocol used
    when the router retrieves certificates and CRLs.
    The default query protocol is Certificate
    Enrollment Protocol (CEP).
    In this example, http://microsoft-ca is specified as
    the LDAP server.

    hq_sanjose(cfg-ca-id)# crl optional

    To allow other peers' certificates to still be


    accepted by your router even if the appropriate
    Certificate Revocation List (CRL) is not
    accessible to your router, use the crl optional
    ca-identity configuration command.

    hq_sanjose(cfg-ca-id)# exit

    To exit ca-identity (cfg-ca-id) configuration


    mode, enter the exit ca-identity configuration
    command.

    Cisco Secure VPN Client Solutions Guide


    OL-0259-02

    B-113

    Appendix B

    Configuring Microsoft Certificate Services

    Microsoft Certificate Services

    Cisco Secure VPN Client Solutions Guide

    B-114

    OL-0259-02

    You might also like