PIX-535, CISCO VPN Client with 3rd-party certs

Unanswered Question
Feb 4th, 2007

Hello,

I would like to understand the following point:

Is it possible to configure a Cisco Client IPSEC VPN with a PIX-535 using client certificates (smart cards) issued by a third-party CA? All our users have to use the smart card issued by a government authority for network login. I would like to utilize these cards for use with the VPN client instead of deploying the certificates issued by our internal CA (that has worked without problems for a few months). I cannot create a trustpoint and enroll a certificate for my PIX device from the government CA as I did from our internal one. Does it mean that I must request a cert for my PIX device from the third-party CA manually and then import it to create a trustpoint? Or is it generally impossible?

Sincerely,

Evgeny

Daniel Voicu Sun, 02/04/2007 - 22:56

Hi Evgeny,

If the 3rd-party CA supports SCEP, then you can enroll online. If it doesn't support SCEP, then you need to do it manually.

Normally, having a 3rd-party CA will work; be careful about time issues (the time should be provided by NTP, to match the CA time) and CRL (ask the CA admin if it uses a CRL and configure it correctly).

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c8c41.shtml

Please rate if this helped.

Regards,

Daniel

evgesha_63 Mon, 02/05/2007 - 04:14

Thanks, Daniel.

I have only started checking the solution: looking for an appropriate contact on the CA's side to apply for the PIX certificate.

evgesha_63 Tue, 02/13/2007 - 06:54

Unfortunately, we did not manage to create a trustpoint for a two-layer CA chain. It is not clear if PIX supports it at all; all available documentation and configuration examples are about a single-tier CA. CISCO IOS does support it, but it seems to me that PIX does not.

I would very much appreciate it if anyone could clear up this point.

Sincerely,

Evgeny
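The two points raised in this thread, that the gateway's clock must agree with the CA (NTP) and that a two-tier chain is only validated when the subordinate CA's certificate is available alongside the root, are easy to see in the following added example, which is not from this thread or from Cisco. It builds a constructed government-style root CA, issuing CA and smart-card certificate with Go's standard library and validates the card the way a VPN gateway must; the CA names, the issue date and the code are assumptions for illustration, and no PIX behaviour is modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a one-year certificate for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, nb time.Time, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: nb.AddDate(1, 0, 0), IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, pkey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyClientCert does what the gateway must do at IKE time: build card -> subordinate CA -> root from the CA certs it holds, checking each validity window against its own clock.
func verifyClientCert(card *x509.Certificate, subs []*x509.Certificate, root *x509.Certificate, now time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range subs {
		inter.AddCert(c)
	}
	_, err := card.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo returns the outcome of three checks: full two-tier chain; subordinate CA cert unknown to the gateway; gateway clock a year behind (no NTP).
func Demo() (fullChain, missingSub, badClock error) {
	t0 := time.Date(2007, 2, 1, 0, 0, 0, 0, time.UTC) // constructed issue date; the gateway checks a month later
	root, rootKey := mkCert("Example Government Root CA", true, t0, nil, nil)
	sub, subKey := mkCert("Example Government Issuing CA", true, t0, root, rootKey)
	card, _ := mkCert("smart card user", false, t0, sub, subKey)
	fullChain = verifyClientCert(card, []*x509.Certificate{sub}, root, t0.AddDate(0, 1, 0))
	missingSub = verifyClientCert(card, nil, root, t0.AddDate(0, 1, 0))             // gateway never received the sub-CA cert
	badClock = verifyClientCert(card, []*x509.Certificate{sub}, root, t0.AddDate(-1, 1, 0)) // clock a year behind, no NTP
	return
}
```

Only the first check succeeds: without the subordinate CA certificate the path cannot be built at all, and with a skewed clock the card is rejected as not yet valid even though the chain is complete.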
