VPN Concentrator using certificate authentication with MS CA

michael.dolan
Level 1

We have a VPN Concentrator 3000. Users securely connect to the concentrator to access Network resources. In order to improve security we have configured the concentrator to use digital certificates to authenticate VPN users, and for users to authenticate the concentrator.

LGCSB have a PKI infrastructure in 2 levels. We have a root CA that uses a 4096 bit key for maximum security; we also have a subordinate CA (issuing CA) that uses a 2048 bit key.

In order to allow VPN users to authenticate via certificates, the users and the concentrator must trust the certificate from the Root CA. On the workstations (VPN clients) this is a simple procedure. However, on the concentrator, when we install the Root CA certificate it fails: the error is "Error installing trusted certificate: Unable to install trusted certificate". In the event log we receive an error which states: "Unable to load trusted certificate, reason = Unable to install trusted certificate".

A few tests confirm that the concentrator has a problem with any CA certificate that has a key strength greater than 2048.

Using a 4096 bit is critical (and recommended) to the secure transactions that our organisation use day-to-day so it is not possible to re-configure our PKI infrastructure.

Your advice or solutions are much appreciated

Thanks

Regards

Brent Arkley

2 Replies

gfullage
Cisco Employee

The concentrator does not currently support keys longer than 2048 bits. This is due to a HW limitation of the encryption module in the concentrator where the key generation is done.

Do the PIX Firewalls support this key length?
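As an added example, not code from either poster or from Cisco, here is a stdlib-only Python script that reports the RSA key size of every certificate in a PEM bundle and flags any whose modulus exceeds the 2048-bit limit stated in the reply above, so a chain can be checked on a workstation before an install attempt on the concentrator. The certificates it builds for itself are constructed, unsigned test certificates with synthetic moduli (not real keys), and the names `MAX_SUPPORTED_BITS`, `check_bundle` and `build_test_cert` are assumptions of this example.

```python
"""Report RSA key sizes in a PEM certificate bundle (standard library only)."""
import base64
import re
import sys

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
MAX_SUPPORTED_BITS = 2048                        # limit stated in the reply above (assumed name)


# --- minimal DER reader ---------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, spki, _ = _read_tlv(spki_der, 0)      # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _read_tlv(spki, 0)         # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = _read_tlv(spki, pos)      # subjectPublicKey BIT STRING
    _, rsapub, _ = _read_tlv(bitstr, 1)      # skip unused-bits byte -> RSAPublicKey SEQUENCE
    _, modulus, _ = _read_tlv(rsapub, 0)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def spki_from_cert(cert_der):
    """Walk a DER Certificate to tbsCertificate.subjectPublicKeyInfo (as a full TLV)."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    start = pos
    _, _, end = _read_tlv(tbs, pos)
    return tbs[start:end]


_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_bundle(pem_text):
    """Return [(key_bits, installable)] for every certificate in a PEM bundle, in order."""
    results = []
    for m in _PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        bits = rsa_modulus_bits(spki_from_cert(der))
        results.append((bits, bits <= MAX_SUPPORTED_BITS))
    return results


# --- constructed test data (unsigned, not a real CA certificate) ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                          # keep the INTEGER positive
        b = b"\x00" + b
    return _tlv(0x02, b)


def build_test_cert(modulus_bits):
    """Constructed PEM certificate whose RSA modulus has exactly modulus_bits bits."""
    n = (1 << (modulus_bits - 1)) | 1        # synthetic modulus, top bit set; not a real key
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
    empty = _tlv(0x30, b"")                  # issuer, validity, subject left empty: not parsed here
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(1) + alg + empty + empty + empty + spki)
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))   # dummy signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: python check_chain.py chain.pem   (defaults to the constructed 4096/2048 pair)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_test_cert(4096) + build_test_cert(2048)
    for i, (bits, ok) in enumerate(check_bundle(text)):
        print(f"cert {i}: RSA {bits}-bit -> {'ok' if ok else 'exceeds ' + str(MAX_SUPPORTED_BITS)}")
```

Run it against the exported root plus issuing-CA chain; in the situation described above it would flag the 4096-bit root and pass the 2048-bit issuing CA, which matches the install failure reported for the root certificate only.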
