14 Administration
14-40 VPN 3000 Concentrator Series User Guide

Enrolling with a Certificate Authority

To send the certificate request to a CA, enroll, and receive your digital certificates, follow these steps.
(These are cut-and-paste steps; your CA may follow different procedures. In any case, you must end up
with certificates saved as text files on your PC or other reachable network host.)
1. Select and copy the certificate request from the browser window to your clipboard.
2. Use a browser to connect to the CA's Web site. Navigate to the screen that lets you submit a PKCS-10
   request via cut-and-paste.
3. Paste the certificate request in the CA screen, and submit the request.
4. The CA should respond with a new browser screen that says the certificates were successfully
   generated. That screen also should include active links that let you Download the root certificate
   and Download the identity certificate.
5. With the secondary mouse button, click the root certificate download link and select Save Link As or
   Save Target As. You want to save the file as a text file on your PC or other reachable network host; do
   not open it or install it in the browser. The browser opens a dialog box that lets you navigate to the
   desired location and enter a filename. Use a name that clearly identifies this as a root certificate, with
   a .txt extension.
6. Repeat the previous step for any subordinate certificates, and finally for the identity certificate. Name
   the files so that you can distinguish the certificate types.
7. Proceed to the Administration | Certificate Management | Installation screen below.

Administration | Certificate Management | Installation

This Manager screen lets you install digital certificates on the VPN Concentrator.
You can install certificates obtained via enrollment with a CA in a PKI (where the private key is
generated on, and stays hidden on, the VPN Concentrator), or you can install certificates imported
along with the private key from some source (PKCS-12 format). The latter certificate installation
process is not secure, and we strongly recommend not using it unless you are absolutely certain of its
integrity.
Note: You must install the CA root certificate first, then install any other subordinate certificates from the CA.
Install the identity certificate last.
You can also install an SSL server identity certificate issued in a PKI context (not a self-signed SSL
certificate). If you install such a certificate, it replaces any self-signed SSL certificate. The VPN
Concentrator can have only one SSL certificate, regardless of type.
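
As an added example (not part of the Cisco guide or the VPN Concentrator software), the following Python script checks that each saved text file really contains a certificate and works out the installation order required by the note above: root first, subordinates next, identity last. It assumes the files are PEM (base64) text and form a single chain, links certificates by comparing issuer and subject name bytes only, and does not verify signatures; all function names are illustrative.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """Return DER bytes from a saved text file, or raise if it holds no PEM certificate."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM certificate block (was an HTML page saved instead?)")
    return base64.b64decode("".join(m.group(1).split()))

def tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def issuer_subject(der):
    """Return the raw DER-encoded issuer and subject Names of an X.509 certificate."""
    _, off, _ = tlv(der, 0)                # outer Certificate SEQUENCE
    _, off, _ = tlv(der, off)              # tbsCertificate SEQUENCE
    fields = []                            # serial, sig alg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, off)
        if tag != 0xA0:                    # skip the optional [0] version element
            fields.append(der[off:end])
        off = end
    return fields[2], fields[4]

def install_order(files):
    """Order {filename: text}: root, then each cert issued by the previous, identity last."""
    certs = {name: issuer_subject(pem_to_der(text)) for name, text in files.items()}
    order = [n for n, (iss, sub) in certs.items() if iss == sub]   # self-signed root
    if len(order) != 1:
        raise ValueError("expected exactly one self-signed root, found %d" % len(order))
    while len(order) < len(certs):
        parent = certs[order[-1]][1]       # subject of the certificate placed last
        nxt = [n for n, (iss, _) in certs.items() if iss == parent and n not in order]
        if len(nxt) != 1:
            raise ValueError("chain breaks after %s" % order[-1])
        order.append(nxt[0])
    return order

if __name__ == "__main__" and sys.argv[1:]:
    # Usage: python cert_order.py root.txt sub.txt identity.txt (any order)
    for step, name in enumerate(install_order({p: open(p).read() for p in sys.argv[1:]}), 1):
        print(step, name)
```

A file that raises the "no PEM certificate block" error should be downloaded again before you attempt installation.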