Cisco Support Community

how to get the keys on the client

Hello All!

I am familiar with VPN techniques, but not with the X.509 and PKI topics; I just started reading about that a couple of weeks ago.

If I want to do authentication with X.509 certificates, I have to somehow get the private key onto the client.

I found something saying that there are ways to generate the keys (public and private) on the client, and the public key is sent to a PKI and the PKI sends the X.509 certificate back to the VPN client. I think this is called a PKCS#10 request, but I am not sure about it.

Now my question is, are these techniques a standard way to distribute certificates to VPN clients? Are there any standard protocols?

Thanks a lot!



Re: how to get the keys on the client

I do not fully understand what you mean by 'standard protocols' but yes, these are widely accepted standards. For example, PKCS#7 and PKCS#10 were developed by RSA Data Security Inc and find wide acceptance in the industry today. The SCEP standard, which is used for certificate enrollment and uses PKCS#7 and PKCS#10, was developed and is supported by Cisco, Microsoft, Sun, Verisign and Entrust (among others) and can be found in IETF draft draft-nourse-scep-02.txt. To understand how to configure Certificate support on Cisco VPN Client, please see
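The enrollment flow discussed in this thread, as an added example that is not part of either post: the client generates its key pair locally, sends only a PKCS#10 request, and gets the certificate back in a PKCS#7 container. It runs the exchange locally with the `openssl` CLI rather than over SCEP; the throwaway CA, subject names and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: local walk-through of certificate enrollment for a VPN client.
# All names (CN values, file names) are constructed for illustration.

# Step 1 (client): generate the key pair locally and build a PKCS#10 request.
# Only client.csr is sent to the CA; client.key never leaves the client.
client_make_csr() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/CN=vpn-client.example.test" 2>/dev/null || return 1
    chmod 600 "$d/client.key"
}

# Step 2 (CA): check the request's self-signature (proof that the requester
# holds the matching private key), sign it, and return the certificate in a
# PKCS#7 certs-only container.
ca_issue() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Constructed Test CA" 2>/dev/null || return 1
    openssl req -in "$d/client.csr" -verify -noout 2>&1 | grep -q "verify OK" || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/issued.crt" 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$d/issued.crt" -out "$d/reply.p7b"
}

# Step 3 (client): unpack the PKCS#7 reply, verify it against the CA, and
# confirm it carries the public key of the locally generated private key.
client_install() {
    d=$1
    openssl pkcs7 -in "$d/reply.p7b" -print_certs -out "$d/client.crt" || return 1
    openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl pkey -in "$d/client.key" -pubout)" = \
      "$(openssl x509 -in "$d/client.crt" -pubkey -noout)" ]
}

enroll_demo() {
    client_make_csr "$1" && ca_issue "$1" && client_install "$1"
}

work=$(mktemp -d)
enroll_demo "$work" && echo "enrolled: $work/client.crt"
```
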
