Using SCEP to Manage Certificates
The following steps demonstrate using SCEP to enroll and
install digital certificates. To use SCEP to enroll identity or SSL
certificates, SCEP must also be used to obtain the associated CA certificate.
The Manager doesn’t allow enrolling a certificate from a CA unless that CA
certificate was installed using SCEP. The certificate obtained using SCEP can
issue other SCEP certificates and is, therefore, referred to as SCEP-enabled.
Using SCEP to Obtain and Install CA Certificates Automatically
Follow these steps for each CA Certificate you want to
obtain:
- Use the Concentrator Manager navigation system to display
the Administration | Certificate Management screen, as shown in Figure
14-36.
Figure 14-36: Certificate management screen
- Click the “Click here to install a CA certificate” option at the
top of the screen. The Administration | Certificate Management |
Install | CA Certificate screen appears, as shown in Figure 14-37.
Figure 14-37: Install CA Certificate screen
The previous link option is only available on this screen if
no CA certificates have been installed on the Concentrator. If the link is
missing, click the “Click here to install a certificate”
option, the third link in the last figure. The Administration | Certificate
Management | Install screen is displayed, from which you can choose Install CA
Certificate.
- Click the SCEP (Simple Certificate Enrollment Protocol) link
to display the Administration | Certificate Management | Install | CA
Certificate | SCEP screen, shown in Figure 14-38. Enter the following information in the
two fields:
Figure 14-38: CA certificate request information
URL—The URL of the CA’s SCEP interface.
CA Descriptor—Some CAs require and provide a
descriptor to identify a certificate. If the CA doesn’t use a descriptor, enter
one of your own. Something must be entered in this field.
Click Retrieve.
Once complete, the CA certificate is installed on the
Concentrator and appears in the Certificate Authorities box of the
Administration | Certificate Management screen (as shown in the previous Figure
14-36).
Using SCEP to Enroll and Install Identity Certificates Automatically
Follow these steps for each identity certificate you want to
obtain:
- Using the Administration | Certificate Management screen
from the previous Figure 14-36, click the “Click here
to enroll with a Certificate Authority” link. The Administration | Certificate
Management | Enroll screen displays, as shown in Figure 14-39.
Figure 14-39: Certificate management enrollment screen
- Click the Identity Certificate link to
display the Administration | Certificate Management | Enroll | Identity
Certificate screen, as shown in Figure 14-40. If SCEP-enabled CA certificates were
on the VPN Concentrator, they would be listed as links beneath the Enroll via
PKCS10 Request (Manual) link shown in the figure.
Figure 14-40: Enrollment Identity screen to select a certificate
The link title includes the name of the CA certificate in the
following format: Enroll via SCEP at Certificate Name. So, a CA certificate on
the Concentrator named “CA-Test” would look like the following:
- Click the link to the SCEP certificate to be enrolled and
the Administration | Certificate Management | Enroll | Identity Certificate |
SCEP screen displays, as shown in Figure 14-41.
Figure 14-41: Screen to add certificate enrollment information
- Complete the fields and click the Enroll button. Some CAs
require manual verification of credentials, and this can take some time, so the
certificate request could enter Polling mode. In this case, the Concentrator
will resend the request to the CA a defined number of times, until either the CA
responds or the process times out.
Once the CA responds and issues the certificate, the VPN
Concentrator installs it automatically and displays the Administration |
Certificate Management | Enrollment | Request Generated screen, as shown in Figure
14-42.
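The Polling mode described in the last step, modelled offline as an added example (not code from the original page or from the Concentrator). The pkiStatus values are the ones SCEP defines in RFC 8894; ConstructedCA, enroll, retry_limit and retry_interval_s are hypothetical names, and the stand-in CA replaces the real network exchange.

```python
"""SCEP polling mode modelled offline: retry until the CA answers or the budget runs out."""
from dataclasses import dataclass

# pkiStatus values carried in a SCEP CertRep message (RFC 8894).
SUCCESS, FAILURE, PENDING = "0", "2", "3"


@dataclass
class ConstructedCA:
    """Stand-in CA (constructed for this example): answers PENDING to the first
    `pending_for` requests, as if awaiting manual approval, then issues or rejects."""
    pending_for: int
    reject: bool = False
    requests_seen: int = 0

    def respond(self, transaction_id: str) -> str:
        self.requests_seen += 1
        if self.requests_seen <= self.pending_for:
            return PENDING
        return FAILURE if self.reject else SUCCESS


def enroll(ca, transaction_id, retry_limit, retry_interval_s, sleep=lambda s: None):
    """Send the initial request, then poll at most `retry_limit` more times.

    Returns (outcome, requests_sent); outcome is "installed", "rejected" or "timed-out".
    `sleep` is injectable so the example runs instantly; pass time.sleep for real waits.
    """
    sent = 0
    for attempt in range(retry_limit + 1):
        if attempt:                          # every request after the first is a poll
            sleep(retry_interval_s)
        status = ca.respond(transaction_id)  # same transaction ID ties polls to the request
        sent += 1
        if status == SUCCESS:
            return "installed", sent
        if status == FAILURE:
            return "rejected", sent
        if status != PENDING:
            raise ValueError(f"unexpected pkiStatus {status!r}")
    return "timed-out", sent


if __name__ == "__main__":
    print(enroll(ConstructedCA(pending_for=2), "txn-constructed-1", 5, 60))
    print(enroll(ConstructedCA(pending_for=2), "txn-constructed-2", 1, 60))
```

A "timed-out" result means the request is still awaiting approval at the CA when the retry budget is spent, which is a different outcome from the CA rejecting it.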