Using SCEP to Manage Certificates
Using SCEP to
The following steps demonstrate using SCEP to enroll and
install digital certificates. To use SCEP to enroll identity or SSL
certificates, SCEP must also be used to obtain the associated CA certificate.
The Manager doesn’t allow enrolling a certificate from a CA unless that CA
certificate was installed using SCEP. The certificate obtained using SCEP can
issue other SCEP certificates and is, therefore, referred to as SCEP-enabled.
Using SCEP to Obtain and Install CA Certificates
Follow these steps for each CA Certificate you want to
Use the Concentrator Manager navigation system to display
the Administration | Certificate Management screen, as shown in Figure
Certificate management screen
Click the Click here to install a CA
certificate option at the top of the screen. The Administration |
Certificate Management | Install | CA Certificate screen appears, as shown in Figure
Figure 14-37: Install CA
The previous link option is only available on this screen if
no CA certificates have been installed on the Concentrator. If the link is
missing, click the Click here to install a certificate
option, the third link in the last figure. The Administration | Certificate
Management | Install screen is displayed, from which you can choose Install CA
Click the SCEP (Simple Certificate Enrollment Protocol) link
to display the Administration | Certificate Management | Install | CA
Certificate | SCEP screen, shown in Figure 14-38. Enter the following information in the
Figure 14-38: CA
certificate request information
URL—The URL of the CA’s SCEP interface.
CA Descriptor—Some CAs require and provide a
descriptor to identify a certificate. If the CA doesn’t use a descriptor, enter
one of your own. Something must be entered in this field.
Once complete, the CA certificate is installed on the
Concentrator and appears in the Certificate Authorities box of the
Administration | Certificate Management screen (as shown in the previous Figure
Using SCEP to Enroll and Install Identity Certificates
Follow these steps for each identity certificate you want to
Using the Administration | Certificate Management screen
from the previous Figure 14-36, Click the Click here
to enroll with a Certificate Authority link.The Administration | Certificate
Management | Enroll screen displays, as shown in Figure 14-39.
Certificate management enrollment screen
Click the Identity Certificate link to
display the Administration | Certificate Management | Enroll | Identity
Certificate screen, as shown in Figure 14-40. If SCEP-enabled CA certificates were
on the VPN Concentrator, they would be listed as links beneath the Enroll via
PKCS10 Request (Manual) shown in the figure.
Figure 14-40: Enrollment
Identity screen to select a certificate
The link title includes the name of the CA certificate in the
following format: Enroll via SCEP at Certificate Name. So, a CA certificate on
the Concentrator named “CA-Test” would look like the following:
Click the link to the SCEP certificate to be enrolled and
the Administration | Certificate Management | Enroll | Identity Certificate |
SCEP screen display, as shown in Figure 14-41.
Figure 14-41: Screen to
add certificate enrollment information
Complete the fields and click the Enroll button. Some CAs
require manual verification of credentials and this can take some time—the
certificate request could enter Polling mode. In this case, the Concentrator
will resend the request to the CA a defined number of times, until either the CA
responds or the process times out.
Once the CA responds and issues the certificate, the VPN
Concentrator installs it automatically and displays the Administration |
Certificate Management | Enrollment | Request Generated screen, as shown in Figure
1775 times read
Did you enjoy this article?
(total 0 votes)