Anyone know the answers to these questions:
- Does Cisco have a recommended deployment method for moving users currently running pre-shared keys and SDI to certificates and AD authentication? This must minimize user intervention. I don't think SCEP will be any good; it has to be done by AD policy to install certificates and set the correct connection profile within the client, i.e. edit the pcf file and use Microsoft certificate stores. Each ID certificate will be unique in terms of CN and serial number.
- How do we prevent the ID certificate from becoming exportable on the VPN client? We have the template within MS CA set to non-exportable, but the certificates remain exportable. The certs carry the private key, hence why we can use them on other machines by exporting and importing. I don't think the CA/RA certs are exportable because the private keys are not there; we get an error 36 when we do this.
- How secure is the Cisco certificate store on the PC? Can it be compromised and the certificates copied elsewhere? This is using the Cisco store rather than the MS store. It seems to me it's OS dependent, but still open to abuse. It looks like there are 3 stores: Cisco, MS, and MS User (per user account on the machine).
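One way to audit the exportability question above from the Windows side (an added example, not from the original post or from Cisco): this PowerShell script walks the user and machine certificate stores and reports whether each private key is flagged exportable. The flag lives on the key container and is set by the enrolling client at key generation, which is why the script reads it from the key rather than from the CA template. It assumes a Windows host with the .NET certificate classes available and does not cover the Cisco client's own store.

```powershell
# Added example (not from the original post): report identity certificates whose
# private key is marked exportable in the Windows user and machine stores.
function Get-ExportableKeyReport {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | Where-Object { $_.HasPrivateKey } | ForEach-Object {
            $cert = $_
            $exportable = 'unknown'
            try {
                if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
                    # Legacy CSP (CAPI) keys expose the flag via CspKeyContainerInfo
                    $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
                } else {
                    # CNG keys expose it through the key's ExportPolicy
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $pol = [System.Security.Cryptography.CngExportPolicies]
                        $allowed = $pol::AllowExport -bor $pol::AllowPlaintextExport
                        $exportable = ($rsa.Key.ExportPolicy -band $allowed) -ne $pol::None
                    }
                }
            } catch {
                # Key may live on a smart card or be inaccessible to this account
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Serial     = $cert.SerialNumber
                Exportable = $exportable
            }
        }
    }
}

Get-ExportableKeyReport | Format-Table -AutoSize
```

Any row showing Exportable = True for a VPN identity certificate means the key was generated with the exportable flag regardless of what the template says, so the enrollment path (not the CA) is where to look.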