Step 3. Set Up Automated Enrollment
As a part of enrolling for a certificate (via CEP), a router administrator or
VPN-client user needs to start the enrollment process, which in turn asks the user
for information such as the following:
• The CA's identity
• The CEP enrollment URL
• A challenge password
• The serial number and IP address
Some of the information a user enters, such as the serial number and IP address,
goes into the subject name in the CEP request. Information such as the CA's
identity and enrollment URL enables the router to connect to the valid CA to make
the certificate request. The challenge password, if specified, enables the user to
authenticate to the server during enrollment and to revoke the certificate, if
needed, by presenting the same password again. (See "Certificate Issuance to
Routers or VPN Clients" on page 800.)
You can configure the Certificate Manager to use either the challenge password or
the subject name (all or a part of it) as an authentication token during a CEP
enrollment, thus enabling users to get router certificates without any action on the
part of the Certificate Manager agent.
To aid you in implementing the automated CEP enrollment process, Certificate
Management System comes with an authentication plug-in module named
FlatFileAuth. This plug-in is available in source-code form in the CMS samples
package in this directory:
<server_root>/cms_sdk/cms_jdk/samples/authentication
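As an added illustration (not code from Certificate Management System or from the FlatFileAuth sample itself), the following Python sketches the authentication decision described above: a flat file of pre-registered router entries is consulted, the serial number and IP address are read from the request's subject name, and the challenge password, when it is the configured token, is checked during enrollment and honored again for revocation. The flat-file format, the subject attribute names (serialNumber, unstructuredAddress), and the one-enrollment-per-entry rule are assumptions made for this example.

```python
import hmac
import re

# Constructed sample flat file (assumed format, not the real FlatFileAuth layout):
# one router per line, "UID:<serial> IP:<address> PWD:<challenge password>"
FLAT_FILE = """\
# serial number        IP address        challenge password
UID:FTX0945W0MY IP:192.0.2.10 PWD:s3cr3t-one
UID:FTX0945W0MZ IP:192.0.2.11 PWD:s3cr3t-two
"""


def load_entries(text):
    """Parse the flat file into {(serial, ip): {"password": ..., "used": False}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(part.split(":", 1) for part in line.split())
        entries[(fields["UID"], fields["IP"])] = {"password": fields["PWD"], "used": False}
    return entries


def parse_subject(subject_dn):
    """Pull the serial number and IP address out of a CEP request subject name.
    Attribute names are an assumption for the example."""
    attrs = dict(re.findall(r"([A-Za-z]+)=([^,]+)", subject_dn))
    return attrs.get("serialNumber"), attrs.get("unstructuredAddress")


def authenticate(entries, subject_dn, challenge_password, use_password=True):
    """Approve the request if the subject's serial/IP match a registered entry and,
    when the deployment uses the challenge password as the token, it matches too."""
    serial, ip = parse_subject(subject_dn)
    entry = entries.get((serial, ip))
    if entry is None or entry["used"]:
        return False  # unknown router, or entry already consumed by an enrollment
    if use_password and not hmac.compare_digest(entry["password"], challenge_password or ""):
        return False  # constant-time compare avoids leaking the password by timing
    entry["used"] = True  # assumption: each entry authorizes exactly one enrollment
    return True


def may_revoke(entries, serial, ip, presented_password):
    """Revocation is allowed when the same challenge password is presented again."""
    entry = entries.get((serial, ip))
    return entry is not None and hmac.compare_digest(entry["password"], presented_password or "")
```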
In order for the Certificate Manager to recognize the FlatFileAuth plug-in and
use it for authenticating CEP-based certificate requests, you must do the following:
• Register the plug-in in the CMS authentication framework; for instructions, see
"Registering an Authentication Module".
• Create an instance of the plug-in; for instructions, see "Step 4: Add an
Authentication Instance" on page 509.
You can do this either via the CMS window or by adding the required parameters
to the Certificate Manager's configuration file (CMS.cfg). The configuration
parameters of the FlatFileAuth plug-in are listed below.
Chapter 25 Setting up CEP Enrollment Manually
Setting Up CEP Enrollment 795