Cisco VPN Client & Certificate
Hello Experts,
I have a Multiple Domains UCC SSL Certificate for our Exchange 2007. I was wondering if I could somehow use this certificate for my Cisco VPN Client 5.0. There is a tab called "Certificates" and wanted to make use of my SSL certificate if possible.
Thanks!
I have a Multiple Domains UCC SSL Certificate for our Exchange 2007. I was wondering if I could somehow use this certificate for my Cisco VPN Client 5.0. There is a tab called "Certificates" and wanted to make use of my SSL certificate if possible.
Thanks!
John Meggers
Maybe I'm missing something but you don't typically need a certificate for IPsec tunnels unless you're using certificate-based authentication. If you use pre-shared keys, you don't need it. If you do choose to do certificate-based authentication, you'll need a CA server on the inside. It's my understanding the ASA cannot act as a CA server for IPsec connections, only SSL VPN.
ASKER
I thought so too, but then I was like why is there an option to import certificates into a IPSec VPN client...
Here's what the manual says:
Connecting with Digital Certificates
Before you create a VPN Client connection entry using a digital certificate, you must have already enrolled in a Public Key Infrastructure (PKI), have received approval from the Certificate Authority (CA), and have one or more certificates installed on the VPN Client system. If this is not the case, then you need to obtain a digital certificate. You can obtain one by enrolling with a PKI directly using the Certificate Manager feature, or you can obtain an Entrust profile through Entrust Entelligence. Currently, we have tested the following PKIs:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcAch4.html
Here's what the manual says:
Connecting with Digital Certificates
Before you create a VPN Client connection entry using a digital certificate, you must have already enrolled in a Public Key Infrastructure (PKI), have received approval from the Certificate Authority (CA), and have one or more certificates installed on the VPN Client system. If this is not the case, then you need to obtain a digital certificate. You can obtain one by enrolling with a PKI directly using the Certificate Manager feature, or you can obtain an Entrust profile through Entrust Entelligence. Currently, we have tested the following PKIs:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcAch4.html
You either need to provide your own PKI infrastructure (using Cisco IOS CA, its cheap) or one of the few public PKI that cisco supports, either Microsoft or Entrust.
Preshared keys doesnt scale well which is why certs with IPSec is a good idea.. . unless you have a small network and you can manage the psk stuff..
Preshared keys doesnt scale well which is why certs with IPSec is a good idea.. . unless you have a small network and you can manage the psk stuff..
ASKER
SteveJ, thanks for shedding some light on this. So I'm trying to figure out how to do this. When you say I need to provide my own PKI infrastructure public what do you mean? Could you please elaborate how I would set this up? Thanks in advance!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
By the way, all the PKI stuff can be done on a single router. If you want to be able to recover certs
, you need to set up storage for them. Or make them non exportable and if something bad happens simply re-enroll the device.
, you need to set up storage for them. Or make them non exportable and if something bad happens simply re-enroll the device.