New Member

pix appliance and certificate services

Question concerning the PIX appliance and certificate services

I have just been reading up on how the PIX security appliance interacts with certificate services. According to my study guide, when using certificate services with IPsec VPNs, the timezone on the PIX needs to be set to UTC to allow for proper CRL checking. But what it does not mention is the time the PIX clock is set to if the PIXes reside in different timezones.

So I will cook up a hypothetical scenario and would appreciate any comments on it:

1. Install a stand-alone root CA on a Microsoft server in the corporate HQ, which resides in Johannesburg, South Africa. Set the timezone to UTC but set the clock to local time.

2. Install a PIX appliance at the corporate HQ; this will form one end of a VPN tunnel. Set the timezone to UTC but set the clock to local time.

3. Install a PIX appliance at the London HQ; this will form the other end of the VPN tunnel. Set the timezone to UTC but set the clock to local time.

Both PIXes will get their certificates from the CA situated at the corporate HQ.

I would also think that remote access VPN clients would be set up in the same manner as the PIX when using certificate services, i.e. set the timezone to UTC but set the clock to local time.

I don't know if this is how it's done, as I can't find any info anywhere, so any help would be greatly appreciated.

Regards

Melvyn Brown

1 REPLY
Cisco Employee

Re: pix appliance and certificate services

Melvyn,

Be sure that the PIX Firewall clock is set to GMT, month, day, and year before configuring CA. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp. Cisco's PKI protocol uses the clock to make sure that a CRL is not expired. The lifetime of a certificate and CRL is checked in GMT time. If you are using IPSec with certificates, set the PIX Firewall clock to GMT to ensure that CRL checking works correctly.

Please refer to the URL below for details:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/ipsecint.htm#wp1036081

I hope it helps.

Regards,

Arul
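The reply's point, that certificate and CRL lifetimes are checked in GMT, can be made concrete with a small model. The following is an added example and is not code from the original thread or from Cisco. It parses the UTC-encoded validity times that X.509 certificates and CRLs carry (RFC 5280 UTCTime and GeneralizedTime, always with a trailing Z) and compares them against what a device believes UTC to be under three clock configurations, including the one proposed in the question (wall clock set to local time, timezone declared as UTC). The CRL times, the checking instant, the Johannesburg offset and the "wall clock minus configured offset" model of how a device derives UTC are assumptions made for illustration, not the PIX's actual implementation.

```python
"""Why a device doing CRL checks must know true UTC, not just a clock labelled UTC.

X.509 validity fields (certificate notBefore/notAfter, CRL thisUpdate/nextUpdate)
are encoded in UTC. A device compares them against its own idea of UTC, which in
this simplified model it derives from its wall clock minus its configured timezone
offset. Setting the wall clock to local time while declaring the timezone as UTC
therefore shifts every validity check by the real local offset.
All times, offsets and the device model below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone


def parse_asn1_time(s: str) -> datetime:
    """Parse RFC 5280 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ).

    UTCTime two-digit years 50-99 mean 19xx and 00-49 mean 20xx (RFC 5280 4.1.2.5.1).
    """
    if not s.endswith("Z"):
        raise ValueError("X.509 validity times must be expressed in UTC (trailing 'Z')")
    body = s[:-1]
    if len(body) == 12:          # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:        # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"malformed ASN.1 time: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def device_utc(wall_clock: datetime, configured_offset_hours: float) -> datetime:
    """What a device believes UTC is: its naive wall clock minus its configured offset.

    This is a simplified, assumed model of the device, not a description of PIX internals.
    """
    return wall_clock.replace(tzinfo=timezone.utc) - timedelta(hours=configured_offset_hours)


def crl_status(now_utc: datetime, this_update: str, next_update: str) -> str:
    """Classify a CRL as not-yet-valid, valid or expired at the given UTC instant."""
    tu, nu = parse_asn1_time(this_update), parse_asn1_time(next_update)
    if now_utc < tu:
        return "not-yet-valid"
    if now_utc >= nu:
        return "expired"
    return "valid"


# Constructed CRL: issued 10:00Z, nextUpdate 11:30Z (a short 90-minute CRL lifetime).
CRL_THIS_UPDATE = "030601100000Z"
CRL_NEXT_UPDATE = "030601113000Z"

# Constructed true UTC at the moment of the check: 10:15Z, so the CRL is genuinely valid.
TRUE_UTC = datetime(2003, 6, 1, 10, 15, 0, tzinfo=timezone.utc)
JNB_OFFSET_HOURS = 2  # South Africa Standard Time is UTC+2 (no daylight saving)


def scenario() -> dict:
    """Check the same CRL at the same real instant under three clock configurations."""
    local_wall = (TRUE_UTC + timedelta(hours=JNB_OFFSET_HOURS)).replace(tzinfo=None)  # 12:15 local
    utc_wall = TRUE_UTC.replace(tzinfo=None)                                           # 10:15
    return {
        # The question's proposal: wall clock shows local 12:15 but the box thinks that is UTC.
        # It believes it is 12:15Z, which is past nextUpdate, so a valid CRL looks expired.
        "local_clock_declared_utc": crl_status(
            device_utc(local_wall, 0), CRL_THIS_UPDATE, CRL_NEXT_UPDATE),
        # The reply's advice: set the clock to GMT itself.
        "clock_set_to_gmt": crl_status(
            device_utc(utc_wall, 0), CRL_THIS_UPDATE, CRL_NEXT_UPDATE),
        # Also correct: local wall clock paired with the matching configured offset.
        "local_clock_with_matching_offset": crl_status(
            device_utc(local_wall, JNB_OFFSET_HOURS), CRL_THIS_UPDATE, CRL_NEXT_UPDATE),
    }


if __name__ == "__main__":
    for name, status in scenario().items():
        print(f"{name:36s} -> {status}")
```

The failure the first configuration produces is direction-dependent: a clock running ahead of true UTC makes fresh CRLs and certificates look expired early and lets not-yet-valid certificates pass early, while a clock running behind does the reverse. Both PIXes in the question would be wrong by different amounts (Johannesburg by two hours, London by zero or one depending on the season), which is exactly why the CA, both firewalls and any VPN clients should each derive true UTC, ideally from NTP, rather than share a convention.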
