Advanced Certificate Request Template - DOC

Document Sample
Advanced Certificate Request Template - DOC Powered By Docstoc
					                            Office of Administration
                           Enterprise Security Team

                        CWOPA Request a Certificate
                            Renewal Manual

                                           Version History
   Date       Version           Modified By       Section(s)                     Comment
11/04/2008    1.0        Sante DeMichiel          All           Production doc
12/29/2008    1.1        Sante DeMichiel          passwords
12/29//2008   1.1        Sante DeMichiel          I.E. 7.
03/17/2009    1.2        Sante DeMichiel          Request a     Template: must be CoPA Authentication
                                                  certificate   Session-Auto
CWOPA Request a Certificate Renewal

Introduction………………………………                                   Page 03

Download Issues…………………………                                  Page 03
Username / Password invalid and Certificate Installation

Set up RAS VPN users with certificates

      A. Checklist before installs……………………………                Page 04

      B. Request a Certificate ………………..………... …….           Page 07

      C. Export Certificate ……………….. ……………………               Page 14
            1. Install Certificate Management Console
            2. Export certificate to Cisco store……………...    Page 18

      D. Cisco VPN Client Configuration ………                 Page 24
         1. Import the certificate into the VPN client.

      E. Apply certificate to connection entries………..       Page 26

      F. Delete old / Expired Digital certificates………       Page 28


Digital Certificates are good for one year from time of “Request”.

Download a Certificate and configure prior to Certificate Expiration Date.
   You are either notified by your Agency IT staff to “Request a Certificate” or when you
     RAS into the Commonwealth and authenticate, your VPN Client displays a Message:

    The PC, Laptop MUST display the correct time. (Daylight saving time patch applied)
    Windows XP Home Edition will not work with “Request a certificate” option. You must
      be on the Commonwealth Network or have your POC request it using your credentials.
    Internet Explorer 6.0 and 7.0, no Netscape, etc, Web site might not be viewable)
    User not being prompted for cwopa\Username and password when connecting to See Appendix A.

1) Microsoft Internet Explorer, Unable to install certificate: Error 0x80090016
   a) Certificate is corrupt; if a Non Commonwealth owned PC / Laptop, call your software
      support to correct Internet Explorer. Usually an XP Home Edition OS.
   b) If a Commonwealth PC / Laptop, contact Agency affiliated with

A. VPN Client Download and installation issues
       – Contact PA Team at 717.506-HELP (4357)

B. CWOPA Username / Password invalid
     - Tier 1: Your Agency POC / Agency Help Desk

C. Certificate Installation
     - Tier 1: Your Agency POC / Agency Help Desk
     - Tier 2: Enterprise Security Team Help Desk (717.772-8606)

C. Dial-In/ Broadband Connection
      - Tier 1: Your Agency POC/Agency Help Desk
      - Tier 2: Enterprise Security Team Help Desk (717.772-8606)

Appendix A. Checklist before installs
   1. Open Internet Explorer.
   2. Disable any Proxy Server Settings.
          Administrative rights are required to perform the following steps .
          The proxy settings and Surf Control settings may be re-enabled once the
            certificate has been downloaded.)

On the menu bar select Tools > Internet Options

Click the Connections tab.

Select the “LAN Setting…at the bottom of the page”

Uncheck – Use a Proxy Server Settings, if it is checked….

Click OK

User not being prompted for cwopa Username and password?
Click the Security tab.

Highlight the Internet icon.

Click on the Custom Level… button.

Scroll to the bottom of the window to User Authentication > Logon.

Select the radio button for Prompt for user name and password.

Answer Yes when prompt to “change security settings”
- Repeat these steps for Local Intranet and for Trusted Sites

Appendix B. Request a Certificate
Step 1.
    Open Internet Explorer to
    Click on “Click here”

   If you DO NOT get the Logon Screen…..see Appendix A – set Security tab.

Click Yes, if you get this screen

Step 2.
    Login with your cwopa Username and Password. The Username must be prefixed by
    W2000 Users will have the Domain line displays and can enter cwopa there.

Click on OK

Step 3. Click on Request a certificate Link

Step 4. Click on the “Create and submit a request to this CA.” link

Advanced Certificate Request
Certificate Template: CoPA Authentication Session-Auto – use the drop down to change if
Key Options: CSP: Microsoft Strong Cryptographic Provider.

Click “Submit >” button – to start generating a request.

Select Yes if box below displays…..

Step 5. Click the “Set Security Level” Button

Select “High” to make this certificate password protected.

Click “Next>” button.

In the box Password for:
     For Windows XP this box will appear as below. No changes need to be made to this box.
     For Windows 2000 machines this box will be empty. Enter your cwopa username.

In the Password: and Confirm: boxes:
     Enter a unique Password that will also be used thru the Export and Import process.
     Anything alpha and / or numeric will work.
     Certificate is good for 1 year.

Click “Finish” Button

You get the Box below…Click the “OK” button

Step 6. Select “Install this certificate”. (Be sure to wait until the certificate icon appears.)

Click Yes. The next screen may take a few minutes to appear.

When the certificate is installed you will see the following message.
Click X to close

Appendix C. Export Certificate.
NOTE: If the “Certificate” Snap-in was already added (you already have an existing Certificate
on this PC / Laptop) Skip   to 2. Export certificate to Cisco store.
1. Install Certificate Management Console
  If the Certificate Management Console has not been added to your machine, follow the instructions

Go to Start > Run, and type mmc in the Open box.
Click OK.

Click on File > Add / Remove Snap-in
(if you have an older version of the mmc, use Console > Add / Remove Snap-in)

Click on Add

Select Certificates. Click on Add

Select My user account
Click on Finish

Click the Close button

Click OK button

Select File > Save the msc file – under the Administrative Tools Folder. Exit Console1

   2. Export certificate to Cisco store.

Launch Internet Explorer.
    Click on “Tools” button.
    Select Internet Options
    Select the “Content” tab.
    Click on the “Certificates…” button


Select your CWOPA certificate:
    There should only be one unless you had are download and installed multiple Digital
       Certificates for your Agency, you only need one.
    Highlight the Certificate.
    Click the “Export…” button.

Click on Next > to start the wizard.

Select Yes, export the private key
click Next >

Under Select the format you want to use: all options should be grayed out. If they are not, the certificate you are
working on is invalid. Download another certificate and be sure to set the Security Level to High.
If the ‘DER” line is Highlighted, STOP, certificated was downloaded incorrectly. Back to Append B.

Put a check mark to all the options under Personal Information Exchange – PKCS #12 (.PFX).

Click Next > button

In Password: and Confirm password: enter the SAME password you used during the
“Request a Certificate” process.

Click Next > button

Click on Browse... button

Save the certificate to the My Documents folder.

Enter the certificate File Name: as the cwopa username and click on Save

The path to the certificate will appear in the File Name box.
(The extension of the filename will be pfx.)

Click Next > button

Click Finish button.

In CryptoAPI Private Key: enter the SAME password you used during the “Request a Certificate”
       Click OK button

Click on OK and Close I.E.. Export was successful….

Appendix D. Cisco VPN Client Configuration
      Import the certificate into the VPN client.

Open the Cisco VPN Client - Start > Programs > Cisco Systems VPN Client > VPN Client.
Brings up the below screen
Click on the Certificates Tab.
Click on the Import Icon button.

In the Import Path box, enter the path to the certificate file. (My Documents\username.pfx).

In Import Password: enter the SAME password you used during the “Request a Certificate” process.
In New Password & Confirm Password: enter the SAME password you used during the “Request a
Certificate” process.

Click Import button

Click OK

The Broadband and Dial-in Configurations will appear on the VPN Client’s Connection Entries tab. (If
they do not appear, there is something wrong with the VPN client.
    Uninstall the Cisco VPN client and reinstall

E. Apply certificate to connection entries.
Highlight CoPA RAS over ISP-Broadband and / or Dial-Up click on the Modify button.

Under Authentication, click on the drop-down arrow next to the Name: box.

Select the appropriate certificate.
The certificate should be identified by the cwopa username and followed by (Cisco).

Do NOT select the Microsoft certificate.

Click Save button.

Now apply the Certificate to CoPA_RAS_over_CoPa_Dial-up properties

F. Delete old / Expired Digital certificates.
       Open the Cisco VPN Client
       Start > Programs > Commonwealth of Pa. VPN Client” or “Cisco Systems VPN Client
Folder > VPN Client / connect

      Select the “Certificates” Tab

      Right Click on the Certificate (s) to be Deleted. Check the Validity Column.
          Select Delete.


Description: Advanced Certificate Request Template document sample