VPN With Pre-Shared Keys - Page 3

 By Cisco Press
Page 3 of 6   |  Back to Page 1
Print Article

Obtaining Certificate Authorities (CAs)
Retrieving certificate authorities (CAs) with the PIX Firewall uses almost exactly the same method as that used on routers. The following are the commands used to obtain a CA. Note that these commands might not show in a configuration. The administrator should avoid rebooting the PIX during this sequence. The steps are explained as they are shown.

First, define your identity and the IP address of the interface to be used for the CA. Also configure the timeout of retries used to gain the certificate and the number of retries.

 ca identity bigcompany.com
 ca configure bigcompany.com ca 2 100>
Generate the RSA key used for this certificate.
 ca generate rsa key 512
Then get the public key and certificate.
 ca authenticate bigcompany.com
Next, request the certificate, and finally, save the configuration.
 ca enroll bigcompany.com enrollpassword
 ca save all
At this point, you have saved your certificates to the flash memory and are able to use them. The configuration for using an existing CA is as follows:
 domain-name bigcompany.com
 isakmp enable outside
 isakmp policy 8 auth rsa-signature
 ca identity example.com
 ca generate rsa key 512
 access-list 60 permit ip
 crypto map chicagotraffic 20 ipsec-isakmp
 crypto map chicagotraffic 20 match address 60
 crypto map chicagotraffic 20 set transform-set strong
 crypto map chicagotraffic 20 set peer
 crypto map chicagotraffic interface outside
 sysopt connection permit-ipsec

This article was originally published on Oct 30, 2001
Get the Latest Scoop with Networking Update Newsletter