25-50
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
5. Either select browse for a file (browse to the TFTP server and select the .req file), or open the
.req file just received by TFTP with WordPad/Notepad and copy and paste its contents into the first
window.
6. Export the .crt file from the CA and put it on the TFTP server.
7. Use the ‘crypto ca import <label> certificate’ command to import the device’s certificates from the
TFTP server.
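The .req and .crt files in steps 5 to 7 travel over TFTP, which has no authentication or integrity protection, so one check before running the import in step 7 is to confirm that the .crt carries the public key from the .req. The script below is an added example, not part of the Cisco guide; it assumes the openssl CLI and PEM-encoded files, and every file name in it is hypothetical (make_sample builds constructed, self-signed stand-ins for the device request and the CA-issued certificate).

```shell
#!/bin/sh
# Added example (not from the Cisco guide). Assumes the openssl CLI and
# PEM-encoded files; all file names are hypothetical.

# Print the public key held in a PKCS#10 request (kind=req) or a
# certificate (kind=x509). Fails if the file is missing or unparsable.
pubkey_of() {
    kind=$1 file=$2
    openssl "$kind" -in "$file" -noout -pubkey 2>/dev/null
}

# Return 0 only if the certificate carries the request's public key and has
# not expired; 1 on key mismatch or expiry; 2 if either file cannot be read.
cert_matches_req() {
    req_key=$(pubkey_of req "$1") || return 2
    crt_key=$(pubkey_of x509 "$2") || return 2
    [ -n "$req_key" ] && [ -n "$crt_key" ] || return 2
    [ "$req_key" = "$crt_key" ] || return 1
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || return 1
    return 0
}

# Constructed sample data: dev.req / dev.crt stand in for the device's
# enrollment request and the certificate exported from the CA;
# other.crt is an unrelated certificate that must be rejected.
make_sample() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/dev.key" \
        -subj "/CN=vpn-device.example" -out "$dir/dev.req" 2>/dev/null
    openssl x509 -req -in "$dir/dev.req" -signkey "$dir/dev.key" \
        -days 1 -out "$dir/dev.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" \
        -subj "/CN=other.example" -days 1 -out "$dir/other.crt" 2>/dev/null
}

# Usage: sh check_cert.sh device.req device.crt
# On success, print the subject and SHA-256 fingerprint so they can be
# compared with what the CA administrator reports out of band.
if [ "$#" -eq 2 ]; then
    cert_matches_req "$1" "$2" &&
        openssl x509 -in "$2" -noout -subject -fingerprint -sha256
fi
```

A non-zero exit status means the certificate should not be imported until the mismatch is explained.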
Related Topics
Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50
Configuring Public Key Infrastructure Policies for Remote Access VPNs, page 25-52
PKI Enrollment Dialog Box, page 25-54
Configuring a User Group Policy for Easy VPN, page 27-14
Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs
You can create a Public Key Infrastructure (PKI) policy to generate enrollment requests for CA
certificates and RSA keys, and to manage keys and certificates. Certification Authority (CA) servers are
used to manage these certificate requests and issue certificates to the participating devices in your VPN
topology.
In Security Manager, CA servers are predefined as PKI enrollment objects that you can use in your PKI
policies. A PKI enrollment object contains the server information and enrollment parameters that are
required for creating enrollment requests for CA certificates.
For more information about Public Key Infrastructure policies, see Understanding Public Key
Infrastructure Policies, page 25-47.
This procedure describes how to specify the CA server that will be used to create an IKEv1 Public Key
Infrastructure (PKI) policy in your VPN topology.
Tip: For information on specifying CA servers for use in IKEv2 negotiations, see Configuring IKEv2
Authentication in Site-to-Site VPNs, page 25-62.
Before You Begin
For important information about successfully configuring PKI, see Requirements for Successful PKI
Enrollment, page 25-48.
Related Topics
Defining Multiple IKEv1 CA Servers for Site-to-Site VPNs, page 25-51
Deciding Which Authentication Method to Use, page 25-8
Filtering Items in Selectors, page 1-42
Step 1 Do one of the following:
(Site-to-Site VPN Manager Window) Select an existing topology and then select IKEv1 Public Key
Infrastructure in the Policies selector.
(Policy view) Select Site-to-Site VPN > IKEv1 Public Key Infrastructure, and then select an
existing policy or create a new one.