As you learned in Chapters 9 and 11, a digital certificate is a form of credential, much like a driver’s license or a passport in the paper-based world. Like its paper counterparts, the digital certificate carries information that identifies the holder, plus the signature of a certificate authority (CA), a trusted third party that “signs” the certificate to vouch for the holder’s identity.
A digital certificate bundles additional information with the holder’s public key, which lets others verify that the key really belongs to the named holder. This additional information, like the photograph on a driver’s license or a passport, thwarts attempts to substitute an unauthorized public key.
A digital certificate contains the following three items:
Public key
Certificate information—The certificate’s serial number and validity period, plus identifying information about the holder, such as name, IP address or host name, company, department, and so forth
One or more digital signatures—Supplied by the issuing CA and computed over the public key and the certificate information, so that tampering with either invalidates the certificate
CAs issue digital certificates for use in a Public Key Infrastructure (PKI). PKI is built on public/private key pairs: the holder keeps the private key secret, and the CA’s signature binds the matching public key to the holder’s identity. Some terms to remember include the following:
CA certificate—Certificate whose key is used to sign (authenticate) other certificates.
Root certificate—CA certificate that’s self-signed; it sits at the top of a trust chain and must be trusted explicitly.
Subordinate certificate—CA certificate issued (signed) by another CA certificate.
Identity certificates—Certificates issued to specific systems or hosts, such as the VPN Concentrator itself or a remote peer.
To authenticate using digital certificates, at least one identity certificate and the root certificate of the CA that issued it must exist on the VPN Concentrator; there could be more. The VPN Concentrator model determines the maximum number of CA and identity certificates allowed:
Models 3015–3080—Maximum of 20 root or subordinate CA certificates and 20 identity certificates.
Model 3005—No more than six root or subordinate CA certificates and two identity certificates.
In both cases, the CA certificate maximum includes any supporting registration authority (RA) certificates.
All models of VPN Concentrator can have only one SSL certificate installed.
All digital certificates and private keys are stored automatically in the VPN Concentrator’s Flash memory as they are installed, so no separate save step is needed. These stored items aren’t listed and can’t be displayed from the Administration | File Management menu, and all stored private keys are encrypted. Once an identity certificate is installed on the VPN Concentrator, it appears in the Digital Certificate list used when configuring both IPSec LAN-to-LAN connections and IPSec SAs.
The VPN Concentrator can be configured to cache certificate revocation list (CRL) information in RAM, which speeds up checking the revocation status of certificates. When the VPN Concentrator needs to check a certificate’s revocation status, it first checks whether the issuer’s CRL is already in the cache and hasn’t expired. If the cached CRL has expired, a new one is requested; if it hasn’t, the Concentrator searches the CRL’s list of revoked serial numbers for the certificate’s serial number. If a match is found, the certificate is treated as revoked and the authentication fails.
Digital certificates have an expiration date beyond which they’re of no value, much like the driver’s license and passport examples in the paper-based world. Because the validity period is checked against the VPN Concentrator’s own clock, its time and date must be correct and synchronized with network time; a wrong clock can cause valid certificates to be rejected, or expired ones to be accepted.
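The two checks described above (validity window against the local clock, then a cached CRL that is refetched only once it has expired) can be followed more precisely in code. The following is an added illustration written for this section, not Cisco code: the Certificate and CRL data classes, the CRLCache, the fetch callback and the sample certificates issued by “CA-Test” are all constructed for the example.

```python
"""Certificate validity check with an in-memory CRL cache, following the
Concentrator behaviour described above: validity window first (so the device
clock matters), then the cached CRL, refetched only once it has expired.
Added illustration, not Cisco code; data classes, names and sample
certificates are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Set


@dataclass
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    revoked_serials: Set[int]
    next_update: datetime          # cached copy counts as expired from this time


class CRLCache:
    """Holds the latest CRL per issuer in RAM; fetches a fresh one only when
    there is no cached copy or the cached copy has passed next_update."""

    def __init__(self, fetch: Callable[[str], CRL]) -> None:
        self._fetch = fetch        # stands in for retrieval from the CA / CRL distribution point
        self._cache: Dict[str, CRL] = {}
        self.fetch_count = 0

    def get(self, issuer: str, now: datetime) -> CRL:
        crl = self._cache.get(issuer)
        if crl is None or now >= crl.next_update:
            crl = self._fetch(issuer)
            self.fetch_count += 1
            self._cache[issuer] = crl
        return crl


def check_certificate(cert: Certificate, cache: CRLCache, now: datetime) -> str:
    """Return 'ok', or the reason the certificate must be rejected."""
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    # Only certificates inside their validity window cost a CRL lookup.
    if cert.serial in cache.get(cert.issuer, now).revoked_serials:
        return "revoked"
    return "ok"


def run_demo() -> Dict[str, object]:
    base = datetime(2004, 1, 1, 12, 0, tzinfo=timezone.utc)
    clock = {"now": base}

    def fetch_crl(issuer: str) -> CRL:   # constructed CRL: serial 0x1002 is revoked
        return CRL(issuer, {0x1002}, next_update=clock["now"] + timedelta(hours=1))

    cache = CRLCache(fetch_crl)
    day = timedelta(days=1)
    certs = [   # constructed identity certificates, all issued by "CA-Test"
        Certificate(0x1001, "CN=vpn-peer-a", "CA-Test", base - day, base + 365 * day),
        Certificate(0x1002, "CN=vpn-peer-b", "CA-Test", base - day, base + 365 * day),
        Certificate(0x1003, "CN=vpn-peer-c", "CA-Test", base - 400 * day, base - day),
    ]
    results = {c.subject: check_certificate(c, cache, clock["now"]) for c in certs}
    fetches_first_round = cache.fetch_count        # one fetch served every lookup
    # A Concentrator clock that is two days slow rejects a perfectly good certificate.
    results["clock two days slow"] = check_certificate(certs[0], cache, base - 2 * day)
    # Two hours later the cached CRL is past next_update, so the next check refetches it.
    clock["now"] = base + timedelta(hours=2)
    results["recheck after cache expiry"] = check_certificate(certs[0], cache, clock["now"])
    return {"results": results, "fetches_first_round": fetches_first_round,
            "fetches_total": cache.fetch_count}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Running run_demo() shows peer-a accepted, peer-b rejected as revoked and peer-c rejected as expired with a single CRL fetch; the same peer-a certificate is rejected as not yet valid when the clock is two days slow; and the check two hours later triggers a second fetch because the cached CRL has passed its next_update time.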
A second time constraint is that the certificate enrollment and installation process must be completed within one week of generating the request. Otherwise, the pending request is deleted.
To use digital certificates for authentication, you must first enroll with a CA and obtain and install the CA certificate on the VPN Concentrator. Then you can enroll and install an identity certificate from the same CA. You can enroll and install digital certificates manually or automatically. The automatic method is a new feature that uses the Simple Certificate Enrollment Protocol (SCEP), a secure messaging protocol that enrolls and installs certificates with minimal user intervention, using only the VPN Concentrator Manager. SCEP was introduced in Chapter 11. SCEP is quicker than enrolling and installing digital certificates manually, but it is available only if both of the following conditions are met:
The CA must support SCEP.
Enrolling must be done online, over the network connection to the CA’s SCEP interface (SCEP runs over HTTP).
If the CA doesn’t support SCEP, or if digital certificates are exchanged by other means, such as e-mail or floppy disk, they must be processed using the manual method, which requires more steps.
In either case, whichever method is used to install a CA certificate must also be used to request identity or SSL certificates from that CA.
Regardless of whether SCEP or the manual method is used, the following tasks must be completed to obtain and install certificates:
Request and install the required CA certificate(s).
Create an enrollment request for one or more identity certificates.
Request an identity certificate from the same CA that issued the CA certificate(s).
Install the identity certificate on the VPN Concentrator.
Enable CRL checking and caching.
Enable certificates.
The following steps demonstrate using SCEP to enroll and install digital certificates. To use SCEP to enroll identity or SSL certificates, SCEP must also have been used to obtain the associated CA certificate; the Manager doesn’t allow SCEP enrollment with a CA unless that CA’s certificate was installed using SCEP. A CA certificate obtained using SCEP can be used to enroll further certificates via SCEP and is, therefore, referred to as SCEP-enabled.
Follow these steps for each CA Certificate you want to obtain:
Use the Concentrator Manager navigation system to display the Administration | Certificate Management screen, as shown in Figure 14-36.
Figure 14-36: Certificate management screen
Click the Click here to install a CA certificate option at the top of the screen. The Administration | Certificate Management | Install | CA Certificate screen appears, as shown in Figure 14-37.
Figure 14-37: Install CA Certificate screen
The link used in the previous step is available only if no CA certificates have been installed on the Concentrator. If the link is missing, click the Click here to install a certificate option, the third link in the last figure. The Administration | Certificate Management | Install screen is displayed, from which you can choose Install CA Certificate.
Click the SCEP (Simple Certificate Enrollment Protocol) link to display the Administration | Certificate Management | Install | CA Certificate | SCEP screen, shown in Figure 14-38. Enter the following information in the two fields:
Figure 14-38: CA certificate request information
URL—The URL of the CA’s SCEP interface, to which the Concentrator sends its SCEP requests.
CA Descriptor—Some CAs require and provide a descriptor, an identifier sent with the request that tells the CA which CA certificate to return. If the CA doesn’t use a descriptor, enter one of your own; this field can’t be left blank.
Click Retrieve.
Once complete, the CA certificate is installed on the Concentrator and appears in the Certificate Authorities box of the Administration | Certificate Management screen (as shown in the previous Figure 14-36).
Follow these steps for each identity certificate you want to obtain:
Using the Administration | Certificate Management screen from the previous Figure 14-36, click the Click here to enroll with a Certificate Authority link. The Administration | Certificate Management | Enroll screen displays, as shown in Figure 14-39.
Figure 14-39: Certificate management enrollment screen
Click the Identity Certificate link to display the Administration | Certificate Management | Enroll | Identity Certificate screen, as shown in Figure 14-40. If any SCEP-enabled CA certificates were installed on the VPN Concentrator, they would be listed as links beneath the Enroll via PKCS10 Request (Manual) link shown in the figure.
Figure 14-40: Enrollment Identity screen to select a certificate
The link title includes the name of the CA certificate, in the format Enroll via SCEP at Certificate Name. So, with a CA certificate named “CA-Test” on the Concentrator, the links would read as follows:
Enroll via PKCS10 Request (Manual).
Enroll via SCEP at CA-Test.
Click the link for the SCEP-enabled CA to enroll with, and the Administration | Certificate Management | Enroll | Identity Certificate | SCEP screen displays, as shown in Figure 14-41.
Figure 14-41: Screen to add certificate enrollment information
Complete the fields and click the Enroll button. Some CAs require manual verification of credentials, which can take some time; in that case the certificate request enters Polling mode. The Concentrator then resends the request to the CA a defined number of times, until either the CA responds or the process times out.
Once the CA responds and issues the certificate, the VPN Concentrator installs it automatically and displays the Administration | Certificate Management | Enrollment | Request Generated screen, as shown in Figure 14-42.
Figure 14-42: SCEP Status: Installed
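The SCEP exchange the preceding steps drive from the Manager (GetCACert with the CA descriptor, then a PKIOperation request that is resent while the CA answers PENDING) is shown below as a protocol walk-through. This is an added example written for this section, not Cisco code and not a real SCEP implementation: ScepCA is a constructed in-memory stand-in for the CA, SCEP_URL is an assumed address, and the PKCS#7-wrapped PKCS#10 request and PKCS#7 reply that real SCEP carries over HTTP are replaced by plain strings. It also exercises the rules stated earlier that a pending request is dropped after one week and that SCEP enrollment is refused against a CA certificate that was installed manually.

```python
"""SCEP enrollment as seen from the Concentrator: GetCACert for the CA
certificate, then PKIOperation for the identity certificate, with polling
while the CA holds the request PENDING. Added illustration, not Cisco code.
ScepCA is a constructed stand-in for the CA; real SCEP carries a PKCS#7-wrapped
PKCS#10 request over HTTP and returns a PKCS#7 reply (plain strings here)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SUCCESS, FAILURE, PENDING = "SUCCESS", "FAILURE", "PENDING"
REQUEST_LIFETIME = timedelta(days=7)       # a pending request is dropped after one week
SCEP_URL = "http://ca.example.test/cgi-bin/pkiclient.exe"   # assumed CA SCEP interface


class ScepCA:
    """Constructed CA: answers GetCACert at once and holds each identity
    request PENDING for `hold_polls` polls to emulate manual approval."""

    def __init__(self, ident: str, hold_polls: int) -> None:
        self.ident, self.hold_polls = ident, hold_polls
        self._polls: Dict[str, int] = {}
        self.log: List[str] = []               # operations received, in order

    def handle(self, url: str) -> Tuple[str, Optional[str]]:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        op = q.get("operation")
        self.log.append(op or "?")
        if op == "GetCACert":                   # message carries the CA descriptor
            return (SUCCESS, f"CA-CERT({self.ident})") if q.get("message") == self.ident else (FAILURE, None)
        if op == "PKIOperation":                # message would be the PKCS#7 blob; here just the subject
            subject = q.get("message", "")
            n = self._polls[subject] = self._polls.get(subject, 0) + 1
            return (PENDING, None) if n <= self.hold_polls else (SUCCESS, f"ID-CERT({subject} by {self.ident})")
        return FAILURE, None


class Concentrator:
    def __init__(self) -> None:
        self.ca_certs: Dict[str, dict] = {}    # name -> cert, install method, SCEP URL
        self.identity_certs: Dict[str, str] = {}

    @staticmethod
    def scep_url(base_url: str, operation: str, message: str) -> str:
        query = urlencode({"operation": operation, "message": message})
        return f"{base_url}?{query}"

    def install_ca_via_scep(self, ca: ScepCA, base_url: str, descriptor: str, name: str) -> str:
        status, cert = ca.handle(self.scep_url(base_url, "GetCACert", descriptor))
        if status == SUCCESS:
            self.ca_certs[name] = {"cert": cert, "method": "scep", "url": base_url}
        return status

    def install_ca_manually(self, name: str, pem: str) -> None:
        self.ca_certs[name] = {"cert": pem, "method": "manual", "url": None}

    def enroll_identity_via_scep(self, ca: ScepCA, ca_name: str, subject: str,
                                 now: datetime, max_polls: int, poll_interval: timedelta) -> str:
        entry = self.ca_certs.get(ca_name)
        if entry is None or entry["method"] != "scep":
            raise ValueError(f"{ca_name} is not SCEP-enabled; enroll the way its CA cert was installed")
        created, url = now, self.scep_url(entry["url"], "PKIOperation", subject)
        for _ in range(max_polls + 1):         # initial send plus max_polls resends
            if now - created > REQUEST_LIFETIME:
                return "DELETED"               # still pending after a week: request discarded
            status, cert = ca.handle(url)
            if status == SUCCESS:
                self.identity_certs[subject] = cert or ""
                return "INSTALLED"
            if status == FAILURE:
                return "REJECTED"
            now += poll_interval               # PENDING: wait, then resend the same request
        return "TIMED OUT"


def run_demo() -> Dict[str, object]:
    now = datetime(2004, 1, 1, 9, 0, tzinfo=timezone.utc)
    hour, day = timedelta(hours=1), timedelta(days=1)
    out: Dict[str, object] = {}
    # 1. CA cert via SCEP, then an identity cert the CA approves after two PENDING polls.
    ca, vpn = ScepCA("CA-Test", hold_polls=2), Concentrator()
    out["ca_install"] = vpn.install_ca_via_scep(ca, SCEP_URL, "CA-Test", "CA-Test")
    out["enroll"] = vpn.enroll_identity_via_scep(ca, "CA-Test", "CN=vpn3005", now, 5, hour)
    out["ca_log"] = list(ca.log)
    # 2. Wrong CA descriptor: the CA refuses to hand out its certificate.
    out["bad_descriptor"] = Concentrator().install_ca_via_scep(ca, SCEP_URL, "CA-Wrong", "CA-Test")
    # 3. A CA that never approves within the resend budget: polling gives up.
    slow, vpn2 = ScepCA("CA-Slow", hold_polls=10), Concentrator()
    vpn2.install_ca_via_scep(slow, SCEP_URL, "CA-Slow", "CA-Slow")
    out["timed_out"] = vpn2.enroll_identity_via_scep(slow, "CA-Slow", "CN=peer-a", now, 3, hour)
    # 4. Daily polls against the same slow CA: the one-week request lifetime runs out first.
    out["deleted"] = vpn2.enroll_identity_via_scep(slow, "CA-Slow", "CN=peer-b", now, 10, day)
    # 5. CA cert installed manually: SCEP enrollment against it is refused.
    vpn3 = Concentrator()
    vpn3.install_ca_manually("CA-Manual", "-----BEGIN CERTIFICATE----- (constructed)")
    try:
        vpn3.enroll_identity_via_scep(slow, "CA-Manual", "CN=peer-c", now, 1, hour)
        out["manual_ca"] = "allowed"
    except ValueError:
        out["manual_ca"] = "refused"
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The GetCACert query string built by scep_url (operation=GetCACert&message=CA-Test) is the shape a SCEP GET request takes, which is why the CA Descriptor field cannot be left blank; the rest of the flow shows the three outcomes a pending request can have: installed once the CA responds, timed out when the resend budget is exhausted, or deleted when the one-week lifetime passes first.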
Once the certificate is installed on the VPN Concentrator, you must change the settings used for IKE negotiation. This requires entries on two screens: the IKE proposal to be used, and the IPSec SA that references it.
Use the Manager navigation to locate the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen, shown in Figure 14-43. This screen displays both the Active and Inactive IKE proposals available on the Concentrator.
You can change an existing Active proposal from preshared keys to certificates, or create a new one. Select an existing proposal and click the Modify button, or click the Add button. Either way, a screen similar to the one shown in Figure 14-44 appears.
Only one setting needs to change here: from the Authentication Mode drop-down list, select RSA Digital Certificate. Then click the Apply button.
Use the Manager navigation to locate the Configuration | Policy Management | Traffic Management | Security Associations | Modify screen for the appropriate IPSec SA. The resulting screen is large, but the bottom panel, as shown in Figure 14-45, is all that must be changed.
Use the Digital Certificate drop-down list to select the appropriate certificate name.
If necessary, use the IKE Proposal drop-down list to select the IKE proposal configured in the previous steps, and then click Apply.