Cisco Support Community
Community Member

PIX-535, CISCO VPN CLIENT with 3rd-party certs


I would like to understand the following point:

Is it possible to configure a Cisco Client IPSEC VPN with PIX-535 using client certificates (smart cards) issued by a third-party CA? All our users have to use the smart card issued by a government authority for network login. I would like to utilize these cards for use with the VPN client instead of deploying the certificates issued by our internal CA (it has worked without problems for a few months). I cannot create a trustpoint and enroll a certificate for my PIX device from the government CA as I did from our internal one. Does it mean that I must request a cert for my PIX device from the third-party CA manually and then import it to create a trustpoint? Or is it generally impossible?




Re: PIX-535, CISCO VPN CLIENT with 3rd-party certs

Hi Evgeny,

If the 3rd party CA supports SCEP, then you can enroll online. If it doesn't support SCEP, then you need to do it manually.

Normally, having a 3rd party CA will work; be careful about time issues (the time should be provided by NTP, to match the CA time) and CRL (ask the CA admin if it uses CRL and configure it correctly).

Please rate if this helped.



Community Member

Re: PIX-535, CISCO VPN CLIENT with 3rd-party certs

Thanks, Daniel.

I have only just started checking the solution: I am looking for an appropriate contact on the CA's side to apply for the PIX certificate.

Community Member

Re: PIX-535, CISCO VPN CLIENT with 3rd-party certs

Unfortunately, we did not manage to create a trustpoint for a two-layer CA chain. It is not clear if PIX supports it at all - all the available documentation and configuration examples are about a single-tier CA. CISCO IOS does support it, but it seems to me that PIX does not.

I would very much appreciate it if anyone could clear up this point.


