Setting Up Enrollment Parameters - Cisco PIX 500 Series Configuration Manual

Chapter 39
Configuring Certificates
Figure 39-2 Sample Local CA Enrollment E-mail

Date: 12/22/06
To: wuser6@wuser.com
From: Wuseradmin
Subject: Certificate Enrollment Invitation

You have been granted access to enroll for a certificate.
The credentials below can be used to obtain your certificate.

Username: wuser6@wuser.com
One-time Password: C93BBB733CD80C74
Enrollment is allowed until: 15:54:31 UTC Thu Dec 27 2006

NOTE: The one-time password is also used as the passphrase to unlock the certificate file.

Please visit the following site to obtain your certificate:
https://wu5520-FO.frdevtestad.local/+CSCOCA+/enroll.html

You may be asked to verify the fingerprint/thumbprint of the CA certificate
during installation of the certificates. The fingerprint/thumbprint should be:
MD5: 76DD1439 AC94FDBC 74A0A89F CB815ACC
SHA1: 58754FFD 9F19F9FD B13B4B02 15B3E4BE B70B5A83
When a user enrolls successfully, a PKCS12 file is created that contains a keypair and a certificate
issued to the user, along with the Local CA certificate. The user must browse to the enrollment interface
and enter a valid username and one-time password. Once the Local CA authenticates the user's
credentials within the enrollment time frame, the user is permitted to download the newly generated
certificate, which is included in the PKCS12 file.
The PKCS12 file contents are protected by a passphrase, the one-time password (OTP). The OTP can
be handled manually, or the Local CA can e-mail it to the user so that the user can download the file once the
administrator allows enrollment.
The file is saved to storage temporarily as username.p12. This file contains the user certificate, the
keypair, and the Local CA certificate. To install these certificates on the user's PC, the user is prompted
for the passphrase (one-time password) for the file, the same one-time password that was used to authenticate the
user to the Local CA.
While the file is in storage, the user can return within the enrollment-retrieval time period to retrieve the file
a second or subsequent time as needed. When the time period expires, the file is removed from storage
automatically and is no longer available for downloading.

Setting Up Enrollment Parameters

For a secure enrollment process, the Local CA automatically generates one-time passwords (OTPs),
which are e-mailed to enrolling users at the e-mail address the administrator configures. OTPs can be
handled manually, but they are e-mailed automatically if an e-mail address is configured when the user is added to the
database. To complete enrollment and receive a certificate, the user must enter the OTP together with a username in the
enrollment interface.
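The following is an added example, not code from the Cisco guide, that models the two mechanics described above: checking a CA certificate fingerprint against the 8-hex-character groups shown in the sample e-mail, and an enrollment record that accepts a username plus OTP only inside the enrollment window, creates username.p12 on first success, and expires the file after the retrieval period. The certificate bytes, the window lengths and the Enrollment class are assumptions for illustration; times are plain Unix seconds.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for DER-encoded Local CA certificate bytes (not a real cert).
CA_CERT_DER = b"constructed-local-ca-certificate-bytes"


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash the certificate bytes and render the digest in the 8-hex-char
    groups the enrollment e-mail uses (e.g. 'SHA1: 58754FFD 9F19F9FD ...')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprint_matches(der: bytes, emailed: str, algo: str = "sha1") -> bool:
    """Compare the certificate the browser presents against the e-mailed value,
    ignoring grouping and case so a retyped fingerprint still verifies."""
    return fingerprint(der, algo).replace(" ", "") == emailed.replace(" ", "").upper()


class Enrollment:
    """One user's enrollment record, modelled on the process the guide describes.
    Times are Unix seconds; the window lengths are assumed, not Cisco defaults."""
    def __init__(self, username, now, enroll_hours=120, retrieval_hours=24):
        self.username = username
        self.otp = secrets.token_hex(8).upper()      # 16 hex chars, like the e-mail's OTP
        self.enroll_until = now + enroll_hours * 3600
        self.retrieval_hours = retrieval_hours
        self.p12_path = None                         # set once username.p12 is generated
        self.retrieval_until = None

    def authenticate(self, username, otp, now):
        """Username plus OTP inside the enrollment window; OTP compared in constant time."""
        if now > self.enroll_until or username != self.username:
            return False
        if not hmac.compare_digest(otp.encode(), self.otp.encode()):
            return False
        if self.p12_path is None:                    # first success creates username.p12
            self.p12_path = f"{self.username}.p12"
            self.retrieval_until = now + self.retrieval_hours * 3600
        return True

    def download(self, now):
        """Return the file name while the retrieval period is open; expire it otherwise."""
        if self.p12_path is not None and now <= self.retrieval_until:
            return self.p12_path
        self.p12_path = None                         # file is removed from storage automatically
        return None
```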
The Local CA
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 39-25