Enrolling with the CA
During the enrollment process, a firewall sends a request to the CA to issue a new
certificate for this firewall. The CA will respond by signing the public key certificate,
which it receives from the firewall as a part of the request, and returning the
results to the PIX. After the CA signs it, it becomes a valid certificate and its
authenticity can be verified with standard public key signature tools by anyone who
knows the CA’s public key. Technically, the CA does not have to respond (issue a
certificate) immediately, and the certificate can be sent long after the request was
sent (the enrollment process itself), but in practice the PIX expects these two
events to happen during one transaction.
The enrollment is started by the following command:
ca enroll ca_nickname challenge_password [serial] [ipaddress]
Here, the ca_nickname is a CA defined earlier using the ca identity and ca
authenticate commands. The challenge_password parameter is a password that will be
used to authenticate future requests for revoking a certificate. This means that if
you later need to revoke the certificate obtained by this enrollment, you need to
provide the CA with the same password that you specified during enrollment.
www.syngress.com
Configuring Virtual Private Networking • Chapter 7 361
When the ca enroll command is issued, the PIX requests one public key
certificate for each of its RSA key pairs. If you generated only one pair of keys
(using the ca generate rsa key command), a single certificate will be requested. If
there are any other RSA pairs (for use with SSL for example—a special-use key
pair), the PIX requests additional certificates. If it already has been issued a certificate,
the PIX will prompt you to delete existing certificates from its memory.
Certificates can also be removed using the following command:
no ca identity ca_nickname
This command removes all certificates issued by the specified authority.
The ca enroll command, including the challenge password, is not stored in the
PIX configuration; only its results can be stored in flash memory by the ca save all
command.
The serial and ip_address options allow inclusion of some additional information in
the public key certificate. When the serial option is specified, the firewall’s serial
number is included in the certificate request and, as a consequence, in the
resulting certificate. This number is not used by IPsec or IKE, but it might be
used later by the CA administrator for additional authentication. The second
option is more important when IKE is used and has to do with peer authentication.
By default, when the ip_address option is not specified in the ca enroll
command, a certificate is bound only to the host and domain names of the PIX
device (a fully qualified domain name, or FQDN), which have to be specified
prior to any CA-related configuration using the hostname and domain-name commands.
If the ip_address option is specified, an IP address of the firewall is also included in
the certificate. As a result, this certificate can be used only by the peer with this
IP address. If you move the firewall to a new address (even if its FQDN remains
the same), you will need a new certificate.
NOTE
It is important that the IKE identity type is the same as the certificate
type. This means that if you use default certificates, bound only to the
FQDN, you need to set the IKE identity type to hostname:
isakmp identity hostname
The default setting for the IKE identity type is address. If you want to
use IP addresses for authentication, specify ipaddress in the ca enroll
command and set the identity type to IP address:
isakmp identity address
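The binding rule in the note (an FQDN-only certificate needs isakmp identity hostname; isakmp identity address needs a certificate enrolled with the ipaddress option, and moving to a new address invalidates it) can be modelled in a few lines. The following is an added example written for this page, not PIX code or anything from the book: the DeviceCert class, the enroll, ike_identity_accepted and config_consistent functions, and the host name pix1, domain example.test and addresses 192.0.2.x are all constructed for illustration. Values are checked with the standard ipaddress module.

```python
"""Model of the certificate-identity binding described for `ca enroll`
(constructed example; not PIX code and not a real X.509 implementation)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class DeviceCert:
    """What the issued certificate is bound to."""
    fqdn: str
    ip: Optional[str] = None      # set only when ca enroll was given the ipaddress option
    serial: Optional[str] = None  # informational only; not consulted by IKE


def enroll(hostname: str, domain: str, *, serial: Optional[str] = None,
           ipaddress: Optional[str] = None) -> DeviceCert:
    """Model the binding done at enrollment: hostname and domain-name must already
    be set; the IP address is validated and bound only when explicitly requested."""
    if not hostname or not domain:
        raise ValueError("hostname and domain-name must be set before enrollment")
    bound_ip = str(ip_address(ipaddress)) if ipaddress else None
    return DeviceCert(fqdn=f"{hostname}.{domain}", ip=bound_ip, serial=serial)


def ike_identity_accepted(cert: DeviceCert, identity_type: str, presented: str) -> bool:
    """Peer-side decision: the identity presented in IKE must be one the
    certificate is actually bound to, given the configured isakmp identity type."""
    if identity_type == "hostname":
        return presented.lower() == cert.fqdn.lower()
    if identity_type == "address":
        return cert.ip is not None and ip_address(presented) == ip_address(cert.ip)
    raise ValueError(f"unknown isakmp identity type: {identity_type}")


def config_consistent(cert: DeviceCert, identity_type: str) -> bool:
    """Lint the rule from the NOTE: hostname always has a binding to match;
    address requires a certificate that was enrolled with ipaddress."""
    return identity_type == "hostname" or (identity_type == "address" and cert.ip is not None)


if __name__ == "__main__":
    # Constructed sample values; none of these names or addresses come from the page.
    fqdn_only = enroll("pix1", "example.test")
    print(config_consistent(fqdn_only, "address"))   # default identity type, FQDN-only cert: mismatch
    print(ike_identity_accepted(fqdn_only, "hostname", "pix1.example.test"))
    with_ip = enroll("pix1", "example.test", ipaddress="192.0.2.1")
    print(ike_identity_accepted(with_ip, "address", "192.0.2.1"))
    print(ike_identity_accepted(with_ip, "address", "192.0.2.99"))  # moved address: needs re-enrollment
```

config_consistent is the check to run against a configuration before bringing the tunnel up: the default isakmp identity address combined with a default (FQDN-only) enrollment is the mismatch the note warns about.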
Back to our example: We will use the previously defined CA verisign and
host-based authentication, so the enrollment in this case is very simple.
(Remember that in this case we need to specify isakmp identity hostname in the IKE
configuration.) This command:
pix1(config)# ca enroll verisign midnightinmoscow
performs enrollment of PIX1 to CA verisign and sets the challenge password to
midnightinmoscow. On the second firewall, we issue the following command,
which performs the same operation on PIX2 but sets a different challenge
password for the issued certificate:
PIX2(config)# ca enroll verisign lunchtimeinLA
It is possible to display obtained certificates on the firewall with the show ca
certificate command. The example was shown in the previous section,
“Authenticating the CA.”
At this point, all CA-related information should be saved:
PIX1(config)# ca save all
PIX1(config)# write memory
Of all these ca commands, only ca identity and ca configure will be stored in the
PIX configuration. The other commands just store their results, because there is
no need to execute them when the firewall reboots.