Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
602
Views
0
Helpful
3
Replies

PIX-535, CISCO VPN CLIENt with 3-d party certs

evgesha_63
Level 1
Level 1

‎02-04-2007 05:35 AM - edited ‎03-11-2019 02:28 AM

Hello,

I would like to understand the following point:

is it possible to configure a Cisco Client IPSEC VPN with PIX-535 using client certificates (smart cards)issued by third-party CA? All our users have to use the smart card issued by a government authorities for network login. I would like to utilize these cards for use with the VPN client instead of the deploying the certificates issued by our internal CA (it works without problems for few monthes). I can not create a trustpoint and enroll a certificate for my PIX device from the government CA like I did it from our internal one. Does it mean that I must request a cert for my PIX device from the third-party CA manually and then import it for creating a trustpoint? Or it is generally impossible?

sincerely

Evgeny

Labels:
0 Helpful
3 Replies 3

5220
Level 4
Level 4

‎02-04-2007 10:56 PM

Hi Evgeny,

If the 3rd party CA supports SCEP, then you can enroll online. If doesn't support SCEP then you need to do it manually.

Normally, having a 3rd party CA will work, carefull about time issues (the time should be provided by NTP, to match the CA time) and CRL (ask the CA admin if it uses CRL and configure it correctly).

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c8c41.shtml

Please rate if this helped.

Regards,

Daniel

0 Helpful

evgesha_63
Level 1
Level 1
In response to 5220

‎02-05-2007 04:14 AM

Thanks, Daniel.

I only started checking the solution: looking for an appropriate contact at CA's side for applying for the PIX certificate.

0 Helpful

evgesha_63
Level 1
Level 1
In response to evgesha_63

‎02-13-2007 06:54 AM

Unfortunately, we did not manage to create a trustpoint for two-layer CA chain. It is not clear if PIX support it at all - all available documentations and configuration examples are about a single-tier CA. CISCO IOS does support it, but it seems to me that PIX does not.

I would very appreciate if anyone can clear this point.

Sincerely,

Evgeny

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card