25-52
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
Related Topics
Understanding Public Key Infrastructure Policies, page 25-47
Deciding Which Authentication Method to Use, page 25-8
Step 1 To create the PKI enrollment object, open the PKI Enrollment dialog box. You can access this dialog box in two ways:
• From the Public Key Infrastructure policy—Click the Create (+) button beneath the Selected field. See Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50.
• From the Policy Object Manager (select Manage > Policy Objects)—Select PKI Enrollments from the Object Type selector, then click the New Object (+) button.
Step 2 Define the global definition of the PKI enrollment object, including the CA server to which the object refers. Be sure to select Allow Value Override per Device. This option makes the object overridable on individual devices. See PKI Enrollment Dialog Box, page 25-54.
Base the global definition of the object on the CA server that is used by the most devices in the VPN. Doing this reduces the number of device-level overrides that are required.
Step 3 When you finish defining the PKI enrollment object, click OK. As a result:
• If you accessed the dialog box through the PKI policy, the new object appears in the Selected field of the policy page.
• If you accessed the dialog box using the Policy Object Manager, the new object appears in the work area of the Policy Object Manager window. A green check mark in the Overridable column indicates that device-level overrides can be created for this object. (The check mark does not indicate whether any overrides actually exist.)
Step 4 Create the device-level overrides for the PKI enrollment object. You can do this in one of two ways:
• From Device Properties (with the device selected in Device view, select Tools > Device Properties)—This option is recommended when you want to create a device-level override for a single device. In the device properties, select Policy Object Overrides > PKI Enrollments, select the PKI enrollment object that you want to override, then click the Create Override button. You can then define the content of the override, including the CA server defined by the object. For more information, see Creating or Editing Object Overrides for a Single Device, page 6-18.
• From the Policy Object Manager—This option is recommended when you want to create a device-level override for multiple devices at the same time. Double-click the green check mark in the Overridable column, select the devices to which the override should apply, then define the content of the override, including the CA server defined by the object. For more information, see Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-19.
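The procedure above describes a global PKI enrollment object whose CA server can be overridden per device, and recommends basing the global definition on the CA used by the most devices so that fewer overrides are needed. The following Python model is an added illustration of that resolution logic and of why the advice holds; it is not Security Manager code, and the object name, device names and CA server names are constructed placeholders. It also keeps the "overridable" flag separate from the set of overrides, matching the guide's note that the green check mark means overrides are permitted, not that any exist.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class PkiEnrollment:
    """Constructed model of a CSM PKI enrollment object (not the product's own code).

    ca_server   - the global definition of the object
    overridable - mirrors "Allow Value Override per Device"
    overrides   - device name -> CA server for device-level overrides
    """
    name: str
    ca_server: str
    overridable: bool = True
    overrides: dict = field(default_factory=dict)

    def add_override(self, device: str, ca_server: str) -> None:
        # An override can only be created when the object allows it,
        # which is what the green check mark in the Overridable column shows.
        if not self.overridable:
            raise ValueError(f"{self.name} does not allow device-level overrides")
        self.overrides[device] = ca_server

    def effective_ca(self, device: str) -> str:
        """CA server the device actually enrolls with: override first, else global."""
        return self.overrides.get(device, self.ca_server)


def overrides_needed(device_to_ca: dict, global_ca: str) -> int:
    """Number of device-level overrides required for a given global CA choice."""
    return sum(1 for ca in device_to_ca.values() if ca != global_ca)


def plan_enrollment(name: str, device_to_ca: dict) -> PkiEnrollment:
    """Build the object the way the guide recommends: make the CA used by the
    most devices the global definition and override only the remaining devices."""
    counts = Counter(device_to_ca.values())
    global_ca = counts.most_common(1)[0][0]
    obj = PkiEnrollment(name=name, ca_server=global_ca)
    for device, ca in device_to_ca.items():
        if ca != global_ca:
            obj.add_override(device, ca)
    return obj


# Constructed sample: which CA each VPN device should enroll with.
SAMPLE_DEVICES = {
    "hub-asa": "CA-HQ",
    "spoke-1": "CA-HQ",
    "spoke-2": "CA-HQ",
    "spoke-3": "CA-BRANCH",
}

if __name__ == "__main__":
    obj = plan_enrollment("pki-enroll-site2site", SAMPLE_DEVICES)
    print(f"global CA: {obj.ca_server}, overrides: {obj.overrides}")
    for ca in sorted(set(SAMPLE_DEVICES.values())):
        print(f"choosing {ca} as global would need "
              f"{overrides_needed(SAMPLE_DEVICES, ca)} override(s)")
```

Running the block with the constructed sample shows that choosing CA-HQ as the global definition leaves a single override (spoke-3), whereas choosing CA-BRANCH would require three.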
Configuring Public Key Infrastructure Policies for Remote Access VPNs
You can create a Public Key Infrastructure (PKI) policy to generate enrollment requests for CA certificates and RSA keys, and to manage keys and certificates. Certification Authority (CA) servers are used to manage these certificate requests and issue certificates to users who connect to your IPsec or SSL remote access VPN.