Certificate Authentication - Cisco OL-5490-01 User Manual

For Mac OS X Release 4.6

VPN Client User Guide for Mac OS X (OL-5490-01), page 4-5
Chapter 4: Configuring Connection Entries
Authentication Methods

Certificate Authentication

Figure 4-4

Step 2  Select a certificate from the Name drop-down menu.

        If the Name field displays No Certificates Installed, you must first enroll or import a certificate before you can use this feature. See the "Enrolling Certificates" section on page 6-2 or "Importing a Certificate" section on page 6-7 for more information.

Step 3  To send CA certificate chains, check the Send CA Certificate Chain check box. This parameter is disabled by default.

        A CA certificate chain includes all CA certificates in the certificate hierarchy from the root certificate. This must be installed on the VPN Client to identify each certificate. This feature enables a peer VPN Concentrator to trust the VPN Client's identity certificate given the same root certificate, without having the same subordinate CA certificates actually installed.

        The following is an example of a certificate chain:

        On the VPN Client, you have this chain in the certificate hierarchy:

        a. Root Certificate
        b. CA Certificate 1
        c. CA Certificate 2
        d. Identity Certificate

        On the VPN Concentrator, you have this chain in the certificate hierarchy:

        a. Root Certificate
        b. CA Certificate
        c. Identity Certificate

        Though the identity certificates are issued by different CA certificates, the VPN device can still trust the VPN Client's identity certificate, because it has received the chain of certificates installed on the VPN Client PC.

        This feature provides flexibility because the intermediate CA certificates do not need to be installed on the peer.

Step 4  Click Save. The Connection Entry dialog box closes and you return to the Connection Entries tab.
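The chain example in Step 3, as an added sketch (not code from the Cisco guide or the VPN Client): a simplified path builder that shows why the concentrator can validate the client's identity certificate only when the intermediate CA certificates are sent, and why a sent chain ending in an unknown root is still rejected. Cert and build_path are hypothetical names; it is assumed that each certificate in the listed hierarchy is issued by the one above it, and the model checks issuer-name chaining only, not signatures, validity periods or revocation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


def build_path(leaf, trusted_roots, local_cas=(), sent_chain=(), max_depth=8):
    """Walk issuer names from leaf to a locally trusted root.

    Returns the list of subjects on the path, or None if no path exists.
    """
    anchors = {c.subject for c in trusted_roots}
    # Intermediates may come from the verifier's own store or from the peer.
    # Certificates received from the peer are never added to the anchors.
    pool = {c.subject: c for c in (*local_cas, *sent_chain)}
    path, current = [leaf.subject], leaf
    for _ in range(max_depth):
        if current.issuer in anchors:
            return path + [current.issuer]
        issuer = pool.get(current.issuer)
        if issuer is None or not issuer.is_ca or issuer.subject in path:
            return None  # missing link, non-CA issuer, or a loop
        path.append(issuer.subject)
        current = issuer
    return None


# Constructed sample hierarchies matching the example in the text.
ROOT = Cert("Root Certificate", "Root Certificate", True)
CA1 = Cert("CA Certificate 1", "Root Certificate", True)
CA2 = Cert("CA Certificate 2", "CA Certificate 1", True)
CLIENT_ID = Cert("Client Identity Certificate", "CA Certificate 2")
CONC_CA = Cert("CA Certificate", "Root Certificate", True)  # concentrator side

# Constructed negative case: a chain ending in a root the verifier does not hold.
ROGUE_ROOT = Cert("Unknown Root", "Unknown Root", True)
ROGUE_CA = Cert("Unknown CA", "Unknown Root", True)
ROGUE_ID = Cert("Other Identity Certificate", "Unknown CA")

if __name__ == "__main__":
    print(build_path(CLIENT_ID, [ROOT], [CONC_CA]))
    print(build_path(CLIENT_ID, [ROOT], [CONC_CA], sent_chain=[CA2, CA1]))
    print(build_path(ROGUE_ID, [ROOT], [CONC_CA], sent_chain=[ROGUE_CA, ROGUE_ROOT]))
```

With Send CA Certificate Chain left at its default (disabled), the first call models what the concentrator sees: an identity certificate whose issuer it does not hold.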
