Enterasys Networks X-Pedition™ manual: PKI Certificate Enrollment Example, Configuring PKI


VPN Configuration Overview

crypto ca certificate chain

no certificate - The certificate's serial number can be found by entering show crypto ca certificates.

Remove CA identities and all associated CA and IPSec client certificates by entering no crypto ca identity <ca name>.

Configuring PKI

The main steps to configure PKI are as follows:

- Obtain the CA name and URL
- Identify the CA, retrieve and authenticate the certificate
- Verify the root certificate was received
- Configure CA retrieval attributes and update CRLs
- Specify a host (or hosts) for the CRL mechanism
- Enroll in an end-entity certificate
- Verify the end-entity certificate is valid
- Optional: change the enrollment retry period and count

For step-by-step instructions, refer to the following PKI Certificate example.

Note: If you have multiple CAs in a chained environment, you need only identify each CA and obtain each CA certificate within the chain using the crypto ca identity and crypto ca authenticate commands, respectively, as illustrated in Step 2 on page 14-28.

PKI Certificate Enrollment Example

This PKI example illustrates authenticating to and enrolling with a Certificate Authority (CA) for an end-entity certificate for the IPSec gateway. Local IPSec uses end-entity certificates to establish SAs for IPSec connectivity. You must authenticate against all CAs which may have provided certificates to any of the remote systems that may be building IPSec links to the local system.

1. Begin by asking your CA administrator for your CA name and URL.

The CA's URL defines its IP address, path and default port (80). You can confirm that the CA server is reachable by pinging its IP address.

2. Be sure that the XSR time setting is correct according to the UTC time zone so that it is synchronized with the CA's time. For example:

XSR#clock timezone -5 0

3. Specify the enrollment URL, authenticate the CA and retrieve the root certificate. Check your CA website to ensure the printed fingerprint matches the CA's fingerprint, which is retrieved from the CA itself, to verify the CA is legitimate. If it is bona fide, accept the certificate; if not, check that the certificate is deleted and not stored in the CA database. In some cases you may need to specify a particular CA identity name. Consult your administrator for more details.

XSR(config)#crypto ca identity ldapca
XSR(config-ca-identity)#enrollment url http://192.168.1.33/certsrv/mscep/mscep.dll/
XSR(config-ca-identity)#exit
XSR(config)#crypto ca authenticate ldapca

14-28 Configuring the Virtual Private Network
