VPN Concentrator and Certificates
To authenticate using digital certificates, at least one
identity certificate and its root (CA) certificate must exist on the VPN
Concentrator; there can be more. The VPN Concentrator model determines the
maximum number of CA and identity certificates allowed.
In both cases, the CA certificate maximum includes any supporting
registration authority (RA) certificates.
All models of VPN Concentrator can have only one SSL certificate
installed.
All digital certificates and private keys are automatically stored
in the VPN Concentrator's Flash memory, so there is no need to save them
separately. These stored items aren't listed and can't be displayed using the
Administration | File Management menu, and all stored private keys are
encrypted. Once installed on the VPN Concentrator, the identity certificate
appears in the Digital Certificate list for configuring both IPSec LAN-to-LAN
connections and IPSec SAs.
Certificate Revocation List (CRL)
The VPN Concentrator can be configured to cache CRL
information in RAM to speed up verifying the revocation status of
certificates. When the VPN Concentrator needs to check the revocation
status of a certificate, it first checks whether the CRL is in the cache and
hasn't expired. If the CRL has expired, a new one is requested; if it hasn't,
the Concentrator searches the cached list of revoked serial numbers for the
certificate's serial number. If it finds a match, authentication fails.
Time Issues
Digital certificates have an expiration date beyond which
they're of no value, much like the driver's license and passport examples in the
paper-based world. Because of this expiration date, the VPN Concentrator's
date and time must be correct and synchronized with network time; otherwise,
valid certificates can be rejected as expired or not yet valid.
A second time issue is that the certificate enrollment and
installation process must be completed within one week of generating the
request; otherwise, the request is deleted.
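The cache-then-search sequence from the CRL section and the clock dependence described above, as an added Python model that is not the Concentrator's code or anything from this text: the CA name, serial numbers, dates and the CRL fetch callback are constructed, and keying the cache by issuer is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CachedCRL:
    issuer: str
    next_update: datetime       # the CRL's own expiry time
    revoked_serials: frozenset  # certificate serial numbers the CA has revoked
@dataclass(frozen=True)
class PeerCert:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
class CRLCache:
    """RAM cache holding one CRL per issuing CA, refreshed only once expired."""
    def __init__(self, fetch_crl):
        self._fetch = fetch_crl  # callback issuer -> CachedCRL (stands in for the CA query)
        self._crls = {}
        self.fetches = 0         # number of fresh CRL requests, to show caching at work
    def lookup(self, issuer, now):
        crl = self._crls.get(issuer)
        if crl is None or now >= crl.next_update:  # not cached, or cached copy expired
            crl = self._fetch(issuer)
            self._crls[issuer] = crl
            self.fetches += 1
        return crl

def check_certificate(cert, cache, now):
    """Return 'not-yet-valid', 'expired', 'revoked' or 'ok' for cert at time now."""
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    crl = cache.lookup(cert.issuer, now)
    return "revoked" if cert.serial in crl.revoked_serials else "ok"

def demo():
    # Constructed sample data: one CA publishing a 24-hour CRL that revokes serial 0x1001.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca = "CN=Example CA"
    cache = CRLCache(lambda issuer: CachedCRL(issuer, t0 + timedelta(hours=24), frozenset({0x1001})))
    good = PeerCert(ca, 0x1002, t0 - timedelta(days=1), t0 + timedelta(days=365))
    bad = PeerCert(ca, 0x1001, t0 - timedelta(days=1), t0 + timedelta(days=365))
    r = {"good": check_certificate(good, cache, t0), "revoked": check_certificate(bad, cache, t0)}
    r["fetches_after_two_checks"] = cache.fetches             # second check was served from cache
    r["good_after_crl_expiry"] = check_certificate(good, cache, t0 + timedelta(hours=25))
    r["fetches_after_crl_expiry"] = cache.fetches             # expired CRL forced a new request
    r["good_with_clock_two_years_ahead"] = check_certificate(good, cache, t0 + timedelta(days=730))
    return r
```

The last entry shows the clock problem: a certificate that is still within its validity period is reported as expired purely because the device's clock is wrong.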