02-04-2007 05:35 AM - edited 03-11-2019 02:28 AM
Hello,
I would like to understand the following point:
is it possible to configure a Cisco Client IPSEC VPN with PIX-535 using client certificates (smart cards) issued by a third-party CA? All our users have to use the smart card issued by government authorities for network login. I would like to utilize these cards for use with the VPN client instead of deploying the certificates issued by our internal CA (it has worked without problems for a few months). I cannot create a trustpoint and enroll a certificate for my PIX device from the government CA like I did from our internal one. Does it mean that I must request a cert for my PIX device from the third-party CA manually and then import it for creating a trustpoint? Or is it generally impossible?
sincerely
Evgeny
02-04-2007 10:56 PM
Hi Evgeny,
If the 3rd party CA supports SCEP, then you can enroll online. If it doesn't support SCEP then you need to do it manually.
Normally, having a 3rd party CA will work; be careful about time issues (the time should be provided by NTP, to match the CA time) and CRL (ask the CA admin if it uses CRL and configure it correctly).
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml
Please rate if this helped.
Regards,
Daniel
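The three points in Daniel's reply (manual enrollment when the CA has no SCEP, NTP-synchronised time, and CRL checking) as one configuration walk-through. This is an added example, not configuration from the thread or from Cisco's linked document; it assumes the PIX 7.x / ASA-style CLI, and the trustpoint name GOV-CA, the key label, the NTP address 192.0.2.10 and the hostname are placeholders to replace with your own values.

```cisco
! Added example (assumed PIX 7.x / ASA-style syntax; names and addresses are placeholders).

! 1. Time first: certificate validity windows and CRL nextUpdate are checked
!    against the device clock, so synchronise it before enrolling.
clock timezone UTC 0
ntp server 192.0.2.10 source inside

! 2. Trustpoint for the third-party CA with terminal (manual) enrollment,
!    used when the CA does not offer SCEP. revocation-check crl makes a
!    client whose certificate is revoked fail IKE authentication instead of
!    being silently accepted; policy cdp fetches the CRL from the CDP
!    extension in the presented certificate.
crypto key generate rsa label GOV-CA-KEY modulus 2048
crypto ca trustpoint GOV-CA
 enrollment terminal
 keypair GOV-CA-KEY
 subject-name CN=pix535.example.com,O=Example
 fqdn pix535.example.com
 revocation-check crl
 crl configure
  policy cdp
  cache-time 60

! 3. Paste the CA's PEM certificate when prompted, then compare the
!    fingerprint the PIX prints with the one the CA administrator gave you.
crypto ca authenticate GOV-CA

! 4. Print the PKCS#10 request, submit it to the CA out of band, and paste
!    the certificate the CA returns.
crypto ca enroll GOV-CA
crypto ca import GOV-CA certificate

! 5. Checks: clock in sync, device and CA certificates present, CRL loaded.
show clock
show crypto ca certificates
show crypto ca crls
```

If `show crypto ca crls` shows no CRL or a stale one, client authentication fails with CRL checking enabled, which is the usual symptom of a wrong CDP URL or a clock that is outside the CRL's validity period.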
02-05-2007 04:14 AM
Thanks, Daniel.
I only started checking the solution: looking for an appropriate contact at CA's side for applying for the PIX certificate.
02-13-2007 06:54 AM
Unfortunately, we did not manage to create a trustpoint for a two-layer CA chain. It is not clear if PIX supports it at all; all available documentation and configuration examples are about a single-tier CA. Cisco IOS does support it, but it seems to me that PIX does not.
I would very much appreciate it if anyone can clear up this point.
Sincerely,
Evgeny