Appendix B

Configuring Microsoft Certificate Services

This appendix provides additional information on requesting digital certification from the Microsoft CA server and configuring ca-identity configuration commands on your gateway. Use this appendix with Chapter 6, “Configuring Digital Certification.”



Microsoft Certificate Services

This CA requires that both IPSec peers transact with a Registration Authority (RA), which then forwards the requests through to the CA. Both the remote IPSec peer and the local IPSec peer must be configured with both the CA and RA public keys. The CA and RA public keys are signature and encryption key pairs, which must be generated and enrolled for authentication to occur.

For information on configuring Microsoft Certificate Services, see the following URLs:

•   On Setting up a Certificate Authority:
    http://www.microsoft.com/windows2000/library/planning/security/casetupsteps.asp
•   On Microsoft Certificate Services Web Pages:
    http://www.microsoft.com/windows2000/library/planning/security/cawebsteps.asp
•   On Administering Microsoft Certificate Services:
    http://www.microsoft.com/windows2000/library/planning/security/adminca.asp


Note: While Cisco Secure VPN Client supports Microsoft Certificate Services, these enrollment methods are subject to change over time. Please see the Microsoft web site at http://www.microsoft.com for the current enrollment method.




                                                                             Cisco Secure VPN Client Solutions Guide
 OL-0259-02                                                                                                            B-111
Figure B-1    Microsoft CA Server Topology

[Figure: network topology diagram. The VPN Client (internal IP 10.1.2.1, or an address assigned by IKE Mode Config from the pool) connects across the Internet through a NAS to the corporate gateway (S1 192.168.1.1/24, E0 10.1.1.1/24). A VeriSign CA server at 192.168.1.2/24 sits on the Internet side. Behind the gateway are the corporate server 10.1.1.3/24, the WWW server 10.1.1.2/24, the Entrust/MSCA CA server 10.1.1.4/24, and the client address pool 10.1.2.1-254.]



Configuring Microsoft CA Identity on Gateway

This step corresponds to “Declaring the CA” in Chapter 6, “Configuring Digital Certification.”

To enroll your certificate with a Microsoft CA, perform the following tasks, as described in Table B-1:

•   Specify the CA
•   Specify Compatibility with CA’s RA
•   Specify CA’s Enrollment URL
•   Specify LDAP Support
•   Specify CRL Option

Table B-1     Declare the CA

Command: hq_sanjose(config)# crypto ca identity example.com
Purpose: To declare the CA your router should use, enter the crypto ca identity global configuration command. This command invokes the ca-identity (cfg-ca-id) configuration mode. In this example, example.com is defined as the domain name for which this certificate is requested.

Command: hq_sanjose(cfg-ca-id)# enrollment mode ra
Purpose: To indicate compatibility with the CA’s Registration Authority (RA) system, enter the enrollment mode ra ca-identity configuration command.

Command: hq_sanjose(cfg-ca-id)# enrollment url http://microsoft-ca
Purpose: To specify the CA’s location where your router should send certificate requests by indicating the CA’s enrollment URL, enter the enrollment url ca-identity configuration command. In this example, http://microsoft-ca is specified as the CA server.

Command: hq_sanjose(cfg-ca-id)# query url http://microsoft-ca
Purpose: To specify Lightweight Directory Access Protocol (LDAP) support, enter the query url ca-identity configuration command. This command is required if your CA supports both RA and LDAP. LDAP is a query protocol used when the router retrieves certificates and CRLs. The default query protocol is Certificate Enrollment Protocol (CEP). In this example, http://microsoft-ca is specified as the LDAP server.

Command: hq_sanjose(cfg-ca-id)# crl optional
Purpose: To allow other peers' certificates to still be accepted by your router even if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl optional ca-identity configuration command.

Command: hq_sanjose(cfg-ca-id)# exit
Purpose: To exit ca-identity (cfg-ca-id) configuration mode, enter the exit ca-identity configuration command.
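The crl optional entry in Table B-1 trades availability for revocation checking: when the CRL cannot be retrieved from the query url, a peer certificate is accepted without any revocation check, so a revoked peer certificate is still accepted for as long as the CRL server is unreachable. The following Python model is added here as an illustration; it is not Cisco IOS code, not taken from the Solutions Guide, and not a real X.509 or CRL implementation. It parses a ca-identity block in the form produced by the commands above and shows how the accept/reject decision differs between the default (CRL required) and crl optional when the CRL server is down. The CaIdentity, PeerCert and Decision types, the certificate serial numbers, the CRL contents and the fetch functions are all constructed for the example.

```python
"""Model of a gateway's CRL decision for a peer certificate.

Added illustration only: not Cisco IOS code and not a real X.509/CRL
implementation. The CRL is a constructed set of revoked serial numbers and
the fetch functions only simulate retrieval from the query url.
"""
from dataclasses import dataclass
from typing import Callable, Set

# Constructed sample CRL: serial numbers the CA has revoked (placeholder values).
SAMPLE_CRL: Set[int] = {0x1A2B, 0x3C4D}

# Constructed ca-identity block in the form produced by the Table B-1 commands.
SAMPLE_CONFIG = """\
crypto ca identity example.com
 enrollment mode ra
 enrollment url http://microsoft-ca
 query url http://microsoft-ca
 crl optional
!
"""


class CrlUnavailable(Exception):
    """The CRL could not be retrieved from the query url."""


@dataclass
class PeerCert:
    subject: str
    serial: int


@dataclass
class CaIdentity:
    """Subset of the ca-identity settings relevant to revocation checking."""
    name: str
    query_url: str = ""
    crl_optional: bool = False  # without 'crl optional' a CRL must be available


@dataclass
class Decision:
    accepted: bool
    reason: str


def parse_ca_identity(config: str) -> CaIdentity:
    """Extract the first 'crypto ca identity' block from running-config text."""
    ca = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto ca identity "):
            ca = CaIdentity(name=line.split(maxsplit=3)[3])
        elif ca is None or line in ("", "!"):
            continue
        elif line.startswith("query url "):
            ca.query_url = line.split(maxsplit=2)[2]
        elif line == "crl optional":
            ca.crl_optional = True
    if ca is None:
        raise ValueError("no crypto ca identity block found")
    return ca


def fetch_crl_ok(url: str) -> Set[int]:
    """Simulated successful CRL retrieval (returns the constructed CRL)."""
    return set(SAMPLE_CRL)


def fetch_crl_down(url: str) -> Set[int]:
    """Simulated unreachable CRL distribution point."""
    raise CrlUnavailable(f"cannot reach {url}")


def validate_peer(cert: PeerCert, ca: CaIdentity,
                  fetch_crl: Callable[[str], Set[int]]) -> Decision:
    """Fail closed by default; fail open only when crl optional is configured."""
    try:
        revoked = fetch_crl(ca.query_url)
    except CrlUnavailable as exc:
        if ca.crl_optional:
            # crl optional: the peer is accepted with no revocation check at all
            return Decision(True, f"CRL unavailable ({exc}); accepted under crl optional")
        return Decision(False, f"CRL unavailable ({exc}); rejected, CRL required")
    if cert.serial in revoked:
        return Decision(False, f"serial {cert.serial:#x} is listed in the CRL")
    return Decision(True, "certificate is not listed in the CRL")


def evaluate(config: str, cert: PeerCert, crl_reachable: bool) -> Decision:
    """Parse the config and decide on the peer under the given CRL reachability."""
    ca = parse_ca_identity(config)
    return validate_peer(cert, ca, fetch_crl_ok if crl_reachable else fetch_crl_down)


if __name__ == "__main__":
    revoked_peer = PeerCert("remote-peer", 0x1A2B)  # constructed, listed in SAMPLE_CRL
    strict_config = SAMPLE_CONFIG.replace(" crl optional\n", "")
    for label, cfg in (("crl optional", SAMPLE_CONFIG), ("CRL required", strict_config)):
        for reachable in (True, False):
            d = evaluate(cfg, revoked_peer, reachable)
            print(f"{label:13} CRL reachable={reachable!s:5} -> accepted={d.accepted} ({d.reason})")
```

Running the block prints the four combinations; the one to note is the crl optional configuration with the CRL unreachable, where the revoked peer is accepted. The parse_ca_identity function is also the shape of a simple configuration audit: run it over a saved running-config and flag any identity whose crl_optional is True, so the trade-off is a recorded decision rather than an unnoticed default.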




