Manuals / Cisco Systems / Household Appliance / Home Safety Product

Cisco Systems VPN 3002 manual Obtaining SSL Certificates

Models: VPN 3002

1 282

Download 282 pages 2.25 Kb

Page 154

Obtaining SSL Certificates

Obtaining SSL Certificates

If you use a secure connection between your browser and the VPN 3002, the VPN 3002 requires an SSL certificate. You only need one SSL certificate on your VPN 3002.

When you initially boot the VPN 3002, a self-signed SSL certificate is automatically generated. Because

aself-signed certificate is self-generated, this certificate is not verifiable. No CA has guaranteed its identity. But this certificate allows you to make initial contact with the VPN 3002 using the browser. If you want to replace it with another self-signed SSL certificate, follow these steps:

Step 1 Display the Administration Certificate Management screen. (See Figure 12-19.)

Step 2 Click Generate above the SSL Certificate table. The new certificate appears in the SSL Certificate table, replacing the existing one.

If you want to obtain a verifiable SSL certificate (that is, one issued by a CA), follow the same procedure you used to obtain identity certificates. (See the Enrolling and Installing Identity Certificates section.) But this time, on the Administration Certificate Management Enroll screen, click SSL certificate (instead of Identity certificate).

Some web servers export their SSL certificates with the private key attached. If you have a PEM-encoded certificate with a corresponding private key that you want to install, follow the same procedure you used to obtain identity certificates. (See the Enrolling and Installing Identity Certificates section.) But this time, on the Administration Certificate Management Installation screen, click Install SSL certificate with private key (instead of Install certificate obtained via enrollment).

Image 154

Cisco Systems VPN 3002 manual Obtaining SSL Certificates

Contents

Cisco Systems, Inc Release NovemberCorporate Headquarters 170 West Tasman Drive San Jose, CAVPN 3002 Hardware Client Reference Copyright 2001, Cisco Systems, IncConfiguration | System ConfigurationSystem Configuration C O N T E N T SConfiguration | System | IP Routing Configuration | System | Servers | DNSConfiguration | System | Tunneling Protocols Configuration System Management ProtocolsAdministration | Ping Configuration | Policy ManagementAdministration Administration | Access RightsMonitoring | Live Event Log MonitoringMonitoring | Routing Table Monitoring | System StatusMonitoring | Statistics | MIB-II Files for Troubleshooting A-1LED Indicators Monitoring | Statistics | MIB-II| IPContents viii78-13782-01 Organization PrefacePrerequisites ChapterDescription ChapterTitle ChapterVPN 3000 Series Concentrator Documentation Related DocumentationVPN 3002 Hardware Client Documentation VPN Client DocumentationConvention Documentation conventionsOther References boldface fontWorld Wide Web Obtaining DocumentationData Formats Documentation CD-ROMDocumentation feedback Obtaining technical assistanceOrdering documentation Cisco.comTechnical Assistance Center Contacting TAC by using the Cisco TAC websiteContacting TAC by telephone VPN 3002 Hardware Client Reference Preface Obtaining technical assistanceOL-1893-01 VPN 3002 Hardware Client Browser Requirements Using the VPN 3002 Hardware Client ManagerC H A P T E R JavaScript and Cookies Connecting to the VPN 3002 Using HTTPRecommended PC Monitor/Display Settings Navigation ToolbarVPN 3002 Hardware Client Reference Installing the SSL Certificate in Your BrowserInstalling the SSL Certificate in Your Browser OL-1893-01Figure 1-2Install SSL Certificate Screen 4.Click Install Certificate 5.Click Next to continue 7.Click Finish Viewing Certificates with Internet Explorer Installing the SSL Certificate with Netscape First-timeInstallation Reinstallation1-10 1-11 2.Click Next> to proceed1-12 8.Click Continue 1-13Viewing Certificates with Netscape 1-141-15 Click OK when finishedConfiguring HTTP, HTTPS, and SSL Parameters Connecting to the VPN 3002 Using HTTPS1-16 Logging into the VPN 3002 Hardware Client Manager 1-17Logging into the VPN 3002 Hardware Client Manager 1-18Figure 1-27Manager Main Welcome Screen VPN 3002 Hardware Client Reference1-19 Interactive Hardware Client AuthenticationIndividual User Authentication VPN 3002 Hardware Client ReferenceThe Connection/Login Status screen displays Step 1 Click the Connection Login Status button1-20 Step 1 Click the Connect Now buttonFigure 1-31Connection Login Status Screen 1-21Step 2 Click Connect Figure 1-32Individual User Authentication Screen 1-22Figure 1-33Connection/Login Status Screen VPN 3002 Hardware Client Reference 1-23OL-1893-01 Mouse pointer and tips Title barStatus bar Top frameTable of Contents ResetRestore ConfigurationManager screen Open or expandedMain frame 1-261-27 –Interfaces: Ethernet parameters1-28 Navigating the VPN 3002 Hardware Client ManagerFigure 1-35Manager Table of Contents Configuration ConfigurationC H A P T E R VPN 3002 Hardware Client Reference Chapter 2 Configuration ConfigurationOL-1893-01 Interfaces Configuration | InterfacesC H A P T E R DNS Servers InterfaceEthernet 1 Private, Ethernet 2 Public DNS Domain NameIP Address Default GatewayStatus Subnet MaskStatic IP Addressing Configuration | Interfaces | PrivateDisabled IP AddressSpeed Apply/CancelSubnet Mask DuplexPPPoE Client Configuration | Interfaces | PublicDHCP Client DisabledPPPoE User Name PPPoE PasswordVerify PPPoE Password Static IP AddressingDuplex Apply / CancelReminder Configuration | System System ConfigurationC H A P T E R VPN 3002 Hardware Client Reference Chapter 4 System ConfigurationConfiguration | System OL-1893-01Servers Configuration | System | ServersConfiguration | System | Servers | DNS C H A P T E RPrimary DNS Server EnabledDomain Secondary DNS ServerApply / Cancel Timeout PeriodTimeout Retries Configuration | System | Servers | DNSVPN 3002 Hardware Client Reference Configuration | System | Servers | DNSChapter OL-1893-01Tunneling C H A P T E RConfiguration System Tunneling Protocols Backup Servers Remote ServerAbout Backup Servers IPSec over TCP IPSec over TCP PortGroup Use CertificateCertificate Transmission About IPSec over TCPVerify PasswordUser PasswordOL-1893-01 ChapterVPN 3002 Hardware Client Reference TunnelingIP Routing Configuration | System | IP RoutingC H A P T E R Reminder Static RoutesAdd / Modify / Delete Chapter 7 IP RoutingMetric Network AddressSubnet Mask Destination Router Address Add or Apply / CancelDestination InterfaceMetric Default GatewayApply / Cancel ReminderAddress Pool Start/End Configuration | System | IP Routing | DHCPLease Timeout EnabledApply/Cancel DHCP OptionAdd/Modify/Delete ReminderDHCP Option Option ValueReminder Nonconfigurable DHCP Options VPN 3002 Hardware Client Reference 7-10Chapter 7 IP Routing OL-1893-01Management Protocols Configuration | System | Management ProtocolsC H A P T E R Enable HTTP About HTTP/HTTPSHTTP Port Enable HTTPSEnable HTTPS on Public HTTPS PortChapter 8 Management Protocols Enable TelnetVPN 3002 Hardware Client Reference Telnet/SSL Port Enable Telnet/SSLTelnet Port Maximum ConnectionsMaximum Queued Requests Enable SNMPSNMP Port Apply / CancelReminder Add/Modify/Delete Community StringsCommunities | Add or Modify ReminderAdd or Apply / Cancel Community StringReminder 8-10 Related informationEncryption Algorithms Client Authentication8-11 8-12 SSL VersionGenerated Certificate Key Size Apply/CancelVPN 3002 Hardware Client Reference 8-13Chapter 8 Management Protocols OL-1893-01SSH Port Enable SSHEnable SSH on Public Key Regeneration PeriodTo apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen 8-15Apply / Cancel ReminderEnable HTTPS on Public Enable XML8-16 Chapter 8 Management ProtocolsSSH IP Address HTTPS IP AddressHTTPS Wildcard-mask SSH Wildcard-maskVPN 3002 Hardware Client Reference 8-18Chapter 8 Management Protocols OL-1893-01Class Description Event Source EventsEvent Class Class NameCisco-specificEvent Class Class Description Event SourceClass Name EVENTMIBCategory Event Severity LevelLevel DescriptionEvent Log Event Log DataConfiguration System Events General Configuration | System | EventsFigure 9-1Configuration | System | Events Screen Syslog Format StringSeverity to Syslog Severity to LogSeverity to Console Cisco IOS SeveritySeverity to Trap Configuration | System | Events | ClassesConfigure either General event To send this “well-known”Add/Modify/Delete Configured Event ClassesReminder Modify screen EnableClass Name 9-10Severity to Console Add or Apply/Cancel9-11 Severity to SyslogAdd/Modify/Delete Trap Destinations9-12 Chapter9-13 SNMP VersionCommunity Destination9-14 Configuration System Events Syslog ServersPort Add or Apply/CancelAdd/Modify/Delete Syslog Servers9-15 Reminder9-16 Syslog ServerFacility PortTo add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list 9-17Add or Apply/Cancel ReminderVPN 3002 Hardware Client Reference 9-18Chapter OL-1893-0110-1 Configuration | System | GeneralGeneral C H A P T E RContact Configuration | System | General | IdentificationSystem Name LocationCurrent Time Configuration | System | General | Time and DateEnable DST Support New TimeReminder 10-4Configuration | System | General | Time and Date Chapter 10 GeneralClient Mode with Split Tunneling Policy ManagementClient Mode/PAT 11-1Chapter 11 Policy Management Network Extension Mode11-2 Network Extension ModeNetwork Extension Mode with Split Tunneling 11-3Step 2 Click Connect Now Tunnel InitiationData Initiation 11-4Mode Configuration | Policy ManagementTraffic Management Tunneling Policy11-6 Configuration Policy Management TrafficManagement | PAT EnableApply/Cancel PAT Enabled11-7 ReminderVPN 3002 Hardware Client Reference 11-8Chapter 11 Policy Management OL-1893-0112-1 AdministrationAdministration C H A P T E R12-2 Administration | Software UpdateFigure 12-1Administration Screen Browse Upload/CancelCurrent Software Revision 12-3Software Update Error Software Update ProgressSoftware Update Success 12-4Chapter 12 Administration Administration | System Reboot12-5 Administration | System Reboot12-6 ConfigurationAction Figure 12-6Administration | System Reboot Screen12-7 Administration | PingWhen to Reboot/Shutdown Apply/CancelAddress/Hostname to Ping Ping/CancelError Ping Success Ping12-9 Administration | Access RightsAdministration | Access Rights | Administrators Figure 12-10Administration | Access Rights ScreenVerify AdministratorPassword 12-10Encrypt Config File Administration | Access Rights | Access SettingsSession Idle Timeout Session LimitDelete Administration | File ManagementView Save 12-12OK/Cancel Swap Config FilesConfig File Upload via HTTP 12-1312-14 Local Config File/BrowseFile Upload Progress Upload/CancelFile Upload Success File Upload Error12-15 Certificate Management Enrolling and Installing Digital Certificates12-16 12-17 12-18 Installing CA Certificates Manually 12-19Abbrev Enrolling and Installing Identity CertificatesRecommended Content Field Name12-21 Verify Challenge Password12-22 12-23 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The VPN 3002 sends the certificate request to the CA12-24 12-25 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure12-26 Certificate Obtained via Enrollment Screen12-27 Obtaining SSL Certificates Enabling Digital Certificates on the VPN 12-29Deleting Digital Certificates 12-30Certificate Authority Administration | Certificate Management12-31 Identity Certificates Table ContentCertificate Authorities Table FieldsSSL Certificate Table Generate 12-33Subject/Issuer 12-34Content Fields12-35 Enrollment Status TableRemove All ContentField 12-36Content StatusSSL Certificate Administration | Certificate Management | EnrollIdentity Certificate 12-37Enroll via PKCS10 Request Manual Install a New SA Using SCEP before EnrollingType Enroll via SCEP at Name of SCEP CAFields Enroll / Cancel12-39 12-40 Go to Certificate ManagementGo to Certificate Enrollment Chapter 12 Administration12-41 Go to Certificate InstallationFields Chapter 12 Administration 12-42Enroll / Cancel VPN 3002 Hardware Client Reference12-43 CancelEnroll FieldsInstall SSL Certificate with Private Key Administration | Certificate Management | InstallInstall CA Certificate Install Certificate Obtained via EnrollmentEnrollment Status Table 12-45Certificate Obtained via Enrollment Screen Upload File from Workstation SCEP Simple Certificate Enrollment ProtocolCut & Paste Text 12-46CA Descriptor Retrieve / Cancel12-47 12-48 Install / CancelCertificate Text PasswordPassword Filename / Browse12-49 Install / CancelChapter 12 Administration Administration | Certificate Management | View12-50 Administration | Certificate Management | ViewContent Certificate Fields12-51 FieldContent Back12-52 FieldSCEP Configuration Administration | Certificate Management |Configure CA Certificate Certificate12-54 Administration | Certificate Management | RenewalPolling Limit Apply / CancelRenew / Cancel Challenge PasswordVerify Challenge Password Renewal TypeStatus 12-56Go to Certificate Installation Go to Certificate Management12-57 Administration | Certificate Management | DeleteFields 12-58 View Enrollment RequestYes / No Administration | Certificate Management |Content Enrollment Request Fields12-59 FieldAdministration Certificate Management Cancel Enrollment Request12-60 ContentAdministration | Certificate Management | Delete Enrollment Request12-61 FieldsYes / No 12-62Fields To delete this enrollment request, click YesC H A P T E R Monitoring13-1 Figure 13-1Monitoring ScreenValid Routes Monitoring | Routing TableClear Routes AddressMetric Monitoring | Filterable Event Log13-3 Severities Select Filter OptionsEvent Class Client IP AddressClear Log Event Log FormatGet Log There is no undoEvent Severity Monitoring | Live Event LogEvent Time Event Class/NumberClear Display TimerPause Display/Resume Display RestartMonitoring | System Status ResetRestore 13-8VPN Client Type Bootcode RevRefresh Software RevDuration AuthenticationTunnel Established to Security AssociationsOther Front PanelBack Panel 13-11Refresh 13-12Restore BackRx Multicast Rx UnicastTx Unicast Tx MulticastMonitoring | User Status Cisco IP Phone Bypass Enabled/DisabledLogin Time UsernameMonitoring | Statistics 13-15Reset Monitoring Statistics IPSec13-16 RestoreTotal Tunnels IKE Phase 1 StatisticsActive Tunnels Received BytesInvalid Phase-2Exchanges Received Received Phase-2ExchangesSent Phase-2Exchanges Invalid Phase-2Exchanges SentInitiated Tunnels Phase-2SA Delete Requests SentAuthentication Failures Failed Initiated Tunnels13-20 IPSec Phase 2 StatisticsReceived Packets Dropped Anti-Replay Active TunnelsOutbound Authentications Inbound AuthenticationsFailed Inbound Authentications Failed Outbound Authentications13-22 Monitoring Statistics HTTPProtocol Use Failures System Capability FailuresPackets Sent Sockets/Sessions Octets Sent/ReceivedPackets Sent/Received PeakHTTP Sessions Login NameLogin Time Max Connections13-25 Monitoring | Statistics | TelnetActive Sessions ResetSuccessful Sessions Inbound Octets CommandAttempted Sessions Telnet SessionsResponses Monitoring | Statistics | DNSRequests 13-27Server Unreachable TimeoutsMonitoring | Statistics | SSL Other FailuresUnencrypted Outbound Octets Unencrypted Inbound OctetsEncrypted Inbound Octets Encrypted Outbound OctetsMaximum Active Leases Monitoring | Statistics | DHCPActive Leases 13-30Leased IP Address Pool StartPool End Time LeftReset Monitoring | Statistics | SSH13-32 Restore13-33 SSH SessionsRemote IP Address:Port Login Name13-34 Monitoring | Statistics | NATPackets In/Out ResetTranslations Peak NAT SessionsTranslations Active Translations Total13-36 Monitoring | Statistics | PPPoETranslated Bytes/Packets ResetPADR Timeouts PPPoE Access ConcentratorPADI Timeouts User NamePADT Tx Generic Errors RxPADT Rx Malformed Packets RxMonitoring | Statistics | MIB-II 13-39Reset Monitoring | Statistics | MIB-II| Interfaces13-40 RestoreMulticast In Unicast InUnicast Out Multicast Out13-42 Monitoring | Statistics | MIB-II| TCP/UDPTCP Segments Received ResetTCP Segments Transmitted TCP Timeout MinTCP Timeout Max TCP Segments RetransmittedTCP Current Established TCP Established ResetsUDP Errored Datagrams UDP Datagrams ReceivedReset Monitoring | Statistics | MIB-II| IP13-45 RestorePackets Received Total Packets Received Header ErrorsPackets Received Address Errors Packets Received Unknown ProtocolsReassembly Failures Fragments Needing ReassemblyReassembly Successes Outbound Packets with No Route13-48 Monitoring Statistics MIB-II ICMPTotal Received/Transmitted ResetDestination Unreachable Received/Transmitted Errors Received/TransmittedParameter Problems Received/Transmitted Time Exceeded Received/TransmittedAddress Mask Requests Received/Transmitted Timestamp Requests Received/TransmittedTimestamp Replies Received/Transmitted Address Mask Replies Received/TransmittedRefresh Monitoring | Statistics | MIB-II| ARP Table13-51 Chapter 13 MonitoringAction/Delete Physical AddressMapping Type 13-52Reset Monitoring | Statistics | MIB-II| Ethernet13-53 RestoreCarrier Sense Errors Alignment ErrorsFCS Errors SQE Test ErrorsExcessive Collisions MAC Errors: TransmitMAC Errors: Receive Speed MbpsBad Version Monitoring | Statistics | MIB-II| SNMPRequests Received 13-56Silent Drops Parsing ErrorsBad Community String Proxy DropsMonitoring | Statistics | MIB-II| SNMP 13-58Chapter 13 Monitoring VPN 3002 Hardware Client ReferenceConsole Access Using the Command-LineInterfaceAccessing the Command-lineInterface 14-1Telnet or Telnet/SSL access Starting the Command-lineInterface14-2 Entering Values Using the Command-lineInterfaceChoosing Menu Items 14-3Navigating Quickly Using Shortcut Numbers14-4 Getting Help Information Using Back and Home14-5 Understanding Access Rights Saving the Configuration FileStopping the Command-lineInterface 14-61.2 Configuration > Interface Configuration 1Configuration1.1 Configuration > Quick Configuration Menu Reference1.3Configuration > System Management 1.3.1Configuration > System Management > Servers1.4Configuration > Policy Management 2Administration2.1 Administration > Software Update 2.4Administration Access Rights 2.2Administration > System Reboot2.3Administration > Ping 14-102.5 Administration > File Management 2.6Administration > Certificate Management3 Monitoring 3.2.2 Monitoring > Event Log > View Event Log 3.1 Monitoring > Routing Table3.2Monitoring > Event Log 3.3 Monitoring > System Status3.4 Monitoring > User Status 3.5Monitoring > General StatisticsEvent Logs Troubleshooting and System ErrorsFiles for Troubleshooting Crash Dump FileVPN 3002 Front LEDs LED IndicatorsConfiguration Files Crash Dump FilePossible Solution System ErrorsProblem or Symptom VPN 3002 Rear LEDsthe VPN 3002 Hardware Client User Reference Settings on the VPN ConcentratorSeries Concentrator Reference Volume on Connect NowVPN 3002 Hardware Client Manager Errors Invalid Login or Session TimeoutLogin ProblemSolution Manager Logs OutBack or Forward on Error MessageIncorrect Display Possible causeSolution Not Allowed MessageProblem Possible causeProblem Not Foundinterface supported SolutionA-10 Command-lineInterface ErrorsError ProblemI N D E NumericsIN-1 errors A-10 See CLIIN-2 help commandIN-3 IN-4 IN-5 IN-6 IN-7 See also tunnel IN-8IN-9 IN-10 IN-11 VPN 3002 Hardware Client Reference IN-12Index OL-1893-01