Cep Enrollment; About Cep Enrollment - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Additional Comments. Type any information that will help you identify this request
in the future or will help the person who will process this request.
Click Submit.
5.

CEP Enrollment

Note: This feature is supported in legacy enrollment only. CS can issue certificates to a
wide variety of entities, such as web browsers, SSL-enables servers, routers, virtual private
network (VPN) clients, and so on. This section explains how you can configure CS to issue
router and VPN-client certificates.

About CEP Enrollment

Cisco routers support the use of certificates for authentication, encryption, and tamper
detection by using the IP Security (IPSec) protocol. CS supports Cisco's PKI protocol, the
Certificate Enrollment Protocol (CEP); this protocol runs over HTTP and provides its own
form of encryption. For an overview of certificate authority support for IPSec, see the
information available at this URL:
http://www.cisco.com/warp/public/cc/cisco/mkt/security/
encryp/prodlit/821_pp.htm
You can issue certificates to routers and CEP-compliant Virtual Private Network (VPN)
clients using CS. Routers use certificates to authenticate each other and to establish an
encrypted IPSec channel between them; all TCP/IP communication passes through this
encrypted channel.
CS is set up to support issuance of certificates to routers and VPN clients using the
CEP-based enrollment. The CEP enrollment URL is in the following form:
http://<DNS hostname>:<HTTP_port>/cgi-bin/pkiclient.exe
Note that older routers may require that the port associated with this enrollment is the
default web server port, port
In order to publish these certificates to an LDAP-compliant directory, you need to perform
some additional configuration to accommodate the needs of routers and VPN clients, which
need to retrieve certificates and CRLs via LDAP.
.
80
CEP Enrollment
Chapter 10 Authentication 395