Enrolling With A Certificate Authority; Administration | Certificate Management | Installation - Cisco VPN 3000 User Manual

Administration

Enrolling with a Certificate Authority

To send the certificate request to a CA, enroll, and receive your digital certificates, follow these steps.
(These are cut-and-paste steps; your CA may follow different procedures. In any case, you must end up
with certificates saved as text files on your PC or other reachable network host.)
1 Select and copy the certificate request from the browser window to your clipboard.
2 Use a browser to connect to the CA's Web site. Navigate to the screen that lets you submit a PKCS-10
request via cut-and-paste.
3 Paste the certificate request in the CA screen, and submit the request.
4 The CA should respond with a new browser screen that says the certificates were successfully
generated. That screen also should include active links that let you "Download the root certificate"
and "Download the identity certificate."
5 With the secondary mouse button, click the root certificate download link and select Save Link As or
Save Target As. You want to save the file as a text file on your PC or other reachable network host; do
not open it or install it in the browser. The browser opens a dialog box that lets you navigate to the
desired location and enter a filename. Use a name that clearly identifies this as a root certificate, with
a .txt extension.
6 Repeat the previous step for any subordinate certificates, and finally for the identity certificate. Name
the files so that you can distinguish the certificate types.
7 Proceed to the Administration | Certificate Management | Installation screen below.

Administration | Certificate Management | Installation

This Manager screen lets you install digital certificates on the VPN Concentrator.
You can install certificates obtained via enrollment with a CA in a PKI (where the private key is
generated on—and stays hidden on—the VPN Concentrator), or you can install certificates imported
along with the private key from some source (PKCS-12 format). The latter certificate installation
process is not secure, and we strongly recommend not using it unless you are absolutely certain of its
integrity.
Note:
You must install the CA root certificate first, then install any other subordinate certificates from the CA.
Install the identity certificate last.
You can also install an SSL server identity certificate issued in a PKI context (not a self-signed SSL
certificate). If you install such a certificate, it replaces any self-signed SSL certificate. The VPN
Concentrator can have only one SSL certificate, regardless of type.
VPN 3000 Concentrator Series User Guide
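
The install order required by the Note in the Installation section (root first, then subordinates, identity last) can be checked against the saved text files before anything is installed. The following Python script is an added example, not part of the Cisco guide: it assumes the CA delivered PEM (base64) certificates, and the file names, certificate names and the `sample_cert` helper are constructed for illustration.

```python
import base64

def tlv(buf, pos):  # -> (tag, value_start, end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(text):
    """Raw DER issuer and subject Names of the certificate in a saved text file."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    if begin not in text or end not in text:
        raise ValueError("no PEM certificate block in file")
    raw = base64.b64decode(text.split(begin)[1].split(end)[0])
    pos = tlv(raw, tlv(raw, 0)[1])[1]  # step into Certificate, then tbsCertificate
    if raw[pos] == 0xA0:               # skip the optional [0] version field
        pos = tlv(raw, pos)[2]
    ends = [pos]                       # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        ends.append(tlv(raw, ends[-1])[2])
    return raw[ends[2]:ends[3]], raw[ends[4]:ends[5]]

def install_order(files):  # {filename: text} -> names, root first, identity last
    certs = {name: issuer_subject(text) for name, text in files.items()}
    order = [n for n, (iss, sub) in certs.items() if iss == sub]
    if len(order) != 1:
        raise ValueError("expected exactly one self-signed root certificate")
    while len(order) < len(certs):  # follow subject -> issuer links down the chain
        parent = certs[order[-1]][1]
        nxt = [n for n, (iss, _) in certs.items() if iss == parent and n not in order]
        if len(nxt) != 1:
            raise ValueError("chain breaks after " + order[-1])
        order += nxt
    return order  # names are compared byte for byte; signatures are NOT verified

def sample_cert(issuer_cn, subject_cn):  # constructed, unsigned skeleton (sample input)
    enc = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER only
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(6, b"\x55\x04\x03") + enc(12, cn.encode()))))
    tbs = enc(0x30, enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + enc(0x30, b"")
              + name(issuer_cn) + enc(0x30, b"") + name(subject_cn))
    b64 = base64.encodebytes(enc(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

SAMPLE = {  # constructed file names, listed out of install order
    "identity-cert.txt": sample_cert("Example Sub CA", "vpn.example.test"),
    "root-cert.txt": sample_cert("Example Root CA", "Example Root CA"),
    "sub-cert.txt": sample_cert("Example Root CA", "Example Sub CA"),
}
print(install_order(SAMPLE))
```

A `ValueError` here means a file was saved as something other than a PEM certificate, or a link in the chain is missing, which is worth resolving before starting the installation screens.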
