25-48
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
• Manually creating an enrollment request that you can submit to a CA server offline, by copying the CA server’s certificates from another device. Use this method if your device cannot establish a direct connection to the CA server or if you want to generate an enrollment request and send it to the server at a later time.
Note: This method enables you to deploy the PKI policy either to devices or to files. For more information, see PKI Enrollment Dialog Box, page 25-54.
Note: You can also use Cisco Secure Device Provisioning (SDP) to enroll for a certificate for a router. For more information about using SDP for certificate enrollment, see Secure Device Provisioning on Cisco IOS Routers, page 60-81.
The following topics explain Public Key Infrastructure configuration in more detail:
• Requirements for Successful PKI Enrollment, page 25-48
• Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50
• Defining Multiple IKEv1 CA Servers for Site-to-Site VPNs, page 25-51
• Configuring Public Key Infrastructure Policies for Remote Access VPNs, page 25-52
• PKI Enrollment Dialog Box, page 25-54
Requirements for Successful PKI Enrollment
The following are prerequisites for configuring a PKI policy in your network:
• For IKEv1, the IKE proposal must specify Certificate for the IKE authentication method. See Configuring IKEv1 Proposal Policy Objects, page 25-10.
• The domain name must be defined on the devices for PKI enrollment to be successful (unless you specify the CA server nickname).
• To enroll with the CA server directly, you must specify the server’s enrollment URL.
• To enroll with the CA server by means of a TFTP server, you must ensure that the CA certificates file is saved to the TFTP server. After deployment of the PKI policy, you must copy the certificate request from your TFTP server to the CA server.
• You may specify an RSA public key to use in the enrollment request. If you do not specify an RSA key pair, the Fully Qualified Domain Name (FQDN) key will be used.
  If using RSA keys, once the certificate has been granted, the public key is included in the certificate so that peers can use it to encrypt data sent to the device. The private key is kept on the device and used to decrypt data sent by peers, and to digitally sign transactions when negotiating with peers.
  You can use an existing key pair or generate a new one. If you want to generate a new key pair to use in the certificate for router devices, you must also specify the modulus to determine the size of the key.
  For more information, see PKI Enrollment Dialog Box—Enrollment Parameters Tab, page 25-59.
• If you are making a PKI enrollment request on a Cisco Easy VPN IPsec remote access system, you must configure each remote component (spoke) with the name of the user group to which it connects. You specify this information in the Organization Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment Editor dialog box.
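The following Cisco IOS router configuration is an added illustration of the prerequisites listed above and of the offline (manual) enrollment method described at the top of this section. It is not taken from this guide and is not the exact CLI that Security Manager deploys; it is a hand-written equivalent. The hostname router1, the domain example.com, the trustpoint name CA-SERVER, the key label VPN-KEYS, the enrollment URL, and the OU value RemoteUsers are all assumed placeholder values. It shows each requirement in CLI form: the device domain name (needed for key generation and for the FQDN in the request), an RSA key pair generated with an explicit modulus, the enrollment URL for direct enrollment versus `enrollment terminal` for a request you copy to the CA later, and an OU in the subject name that would carry the Easy VPN user-group name.

```cisco
! Assumed values: router1, example.com, CA-SERVER, VPN-KEYS, RemoteUsers and the CA URL are placeholders.
! 1. Domain name: required before RSA key generation; with the hostname it forms the device FQDN.
configure terminal
 hostname router1
 ip domain-name example.com
 exit
!
! 2. RSA key pair: the modulus sets the key size. The public key is placed in the enrollment
!    request (and later the certificate); the private key never leaves the device and is used
!    to decrypt traffic from peers and to sign IKE negotiations.
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
!
! 3a. Direct enrollment: the trustpoint names the CA enrollment URL (SCEP over HTTP).
!     The OU in the subject name is where an Easy VPN spoke carries its user-group name.
configure terminal
 crypto pki trustpoint CA-SERVER
  enrollment url http://ca.example.com:80
  fqdn router1.example.com
  subject-name CN=router1.example.com,OU=RemoteUsers
  rsakeypair VPN-KEYS
  exit
 exit
!
! 3b. Offline enrollment instead: replace the "enrollment url" line with "enrollment terminal".
!     "crypto pki authenticate" then expects the CA certificate to be pasted in, and
!     "crypto pki enroll" prints the certificate request on the console so it can be
!     submitted to the CA at a later time (the manual method described above).
!  crypto pki trustpoint CA-SERVER
!   enrollment terminal
!
! 4. Obtain the CA certificate, then send (or display) the enrollment request.
crypto pki authenticate CA-SERVER
crypto pki enroll CA-SERVER
```

After `crypto pki authenticate` completes, verify the CA certificate fingerprint against a value obtained out of band before accepting it; a trustpoint that accepts an unverified CA certificate is trusting whatever answered on the enrollment URL.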