Enterasys Networks Security Router X-Pedition User Manual: Configuring PKI, PKI Certificate Enrollment Example

VPN Configuration Overview
14-28 Configuring the Virtual Private Network
– crypto ca certificate chain
– no certificate
  - The serial number can be found in: show crypto ca certificates
• Remove CA identities and all associated CA and IPSec client certificates by entering no crypto ca identity.
Configuring PKI
The main steps to configure PKI are as follows:
• Obtain the CA name and URL
• Identify the CA, retrieve and authenticate the certificate
• Verify the root certificate was received
• Configure CA retrieval attributes and update CRLs
• Specify a host(s) for the CRL mechanism
• Enroll in an end-entity certificate
• Verify the end-entity certificate is valid
• Optional: change the enrollment retry period and count
For step-by-step instructions, refer to the following PKI Certificate example.
PKI Certificate Enrollment Example
This PKI example illustrates authenticating to and enrolling with a Certificate Authority (CA) for
an end-entity certificate for the IPSec gateway. Local IPSec uses end-entity certificates to establish
SAs for IPSec connectivity. You must authenticate against all CAs which may have provided
certificates to any of the remote systems that may be building IPSec links to the local system.
1. Begin by asking your CA administrator for your CA name and URL.
The CA’s URL defines its IP address, path and default port (80). You can resolve the CA server
address manually by pinging its IP address.
2. Be sure that the XSR time setting is correct according to the UTC time zone so that it is
synchronized with the CA’s time. For example:
XSR#clock timezone -5 0
3. Specify the enrollment URL, authenticate the CA and retrieve the root certificate. Check your
CA Website to ensure the printed fingerprint matches the CA's fingerprint, which is retrieved
from the CA itself, to verify the CA is legitimate. If bona fide, accept the certificate; if not,
check that the certificate is deleted and not stored in the CA database. In some cases you may
need to specify a particular CA identity name. Consult your administrator for more details.
XSR(config)#crypto ca identity ldapca
XSR(config-ca-identity)#enrollment url http://192.168.1.33/certsrv/mscep/mscep.dll/
XSR(config-ca-identity)#exit
XSR(config)#crypto ca authenticate ldapca
Note: If you have multiple CAs in a chained environment, you need only identify each CA and obtain
each CA certificate within the chain using the crypto ca identity and crypto ca
authenticate commands, respectively, as illustrated in Step 2 on
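The fingerprint comparison that Step 3 asks the operator to perform by eye, written out as an added example that is not part of the manual or of the XSR software: it hashes the retrieved root certificate's DER bytes, normalizes the fingerprint as printed on the CA website (case, colons, spaces), and only accepts the CA on an exact match. The DER bytes are a constructed stand-in, and the choice of SHA-1 and MD5 as the candidate fingerprint algorithms is an assumption.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded root certificate retrieved with
# "crypto ca authenticate"; real bytes would come from the device or the CA.
CONSTRUCTED_ROOT_DER = bytes.fromhex(
    "308201a2308201080a0003020102020900c0ffee00deadbeef"
)


def normalize_fingerprint(printed: str) -> str:
    """Reduce a fingerprint value as printed (AB:CD ef-01 ...) to bare lowercase hex.
    Pass only the fingerprint itself, not the surrounding label text."""
    return re.sub(r"[\s:\-]", "", printed).lower()


def certificate_fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated hex digest of the DER certificate bytes (assumed sha1 or md5)."""
    digest = hashlib.new(algorithm, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, published: str) -> bool:
    """True when the retrieved certificate matches the published fingerprint under
    one of the assumed algorithms; lengths are checked first, then compared in
    constant time so a partial match leaks nothing."""
    expected = normalize_fingerprint(published)
    for algorithm in ("sha1", "md5"):
        actual = normalize_fingerprint(certificate_fingerprint(der, algorithm))
        if len(actual) == len(expected) and hmac.compare_digest(actual, expected):
            return True
    return False


def decide(der: bytes, published: str) -> str:
    """Accept the root only on a fingerprint match; otherwise reject, which is the
    cue to delete the certificate rather than store it in the CA database."""
    return "accept" if fingerprint_matches(der, published) else "reject"


if __name__ == "__main__":
    website_value = certificate_fingerprint(CONSTRUCTED_ROOT_DER).upper()
    print(decide(CONSTRUCTED_ROOT_DER, website_value))          # accept
    print(decide(CONSTRUCTED_ROOT_DER + b"\x00", website_value))  # reject
```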