CCNP Security VPN FAQ: Configuring Cisco VPN 3000 for Remote Access Using Digital Certificates

Q1. What Public Key Cryptography Standard (PKCS) is used to enroll with a CA?

Answer: PKCS #10 is the standard form generally used to request certificate enrollment with a CA.

Q2. What field in the certificate request should match the IPSec group name on the VPN concentrator?

Answer: The Organizational Unit (OU) in the certificate's subject should match the IPSec group name on the VPN concentrator. Because the OU selects the group policy, the CA must control which OU values it will sign: a requester who can get the trusted CA to issue a certificate carrying another group's OU inherits that group's access.

Q3. What elements make up the X.500 distinguished name?

Answer: Six fields make up the X.500 distinguished name: Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State/Province (SP), and Country (C).

Q4. What default algorithm type and key size does the VPN concentrator use on the certificate request?

Answer: The VPN concentrator defaults to RSA with a 512-bit key on the certificate request. That default dates from the product's era; 512-bit RSA moduli have been factored publicly and give no real protection, so raise the key size on the enrollment form (2048 bits is the usual minimum today) before submitting the request.

Q5. What entity is responsible for generating the Public Key Infrastructure (PKI) public/ private key pair for a requesting host?

Answer: The host itself must generate the PKI public/private key pair and include the public key with the enrollment request sent to the CA.

Q6. When are Secure Sockets Layer (SSL) certificates required on a VPN concentrator?

Answer: SSL certificates are required on a VPN concentrator when you want to establish secure communications between the concentrator and the browser on the administrator’s workstation.

Q7. What is the first certificate that must be installed on a VPN concentrator before you can install any other certificates from a given CA?

Answer: You must install the root certificate from a CA before you can install any other certificates from that CA on a VPN concentrator.

Q8. What two enrollment methods are available on a VPN concentrator?

Answer: The VPN concentrator lets you perform a manual enrollment using a PKCS #10 request, or an automated enrollment using the Simple Certificate Enrollment Protocol (SCEP).

Q9. Where does a VPN concentrator obtain the root CA’s public key?

Answer: The VPN concentrator obtains the root CA’s public key from the root certificate.

Q10. During the authentication process, where does a VPN concentrator find the original hash that the CA calculated for an identity certificate?

Answer: The VPN concentrator recovers the original hash from the digital signature on the identity certificate. The signature is checked with the CA's public key taken from the root certificate; for RSA this amounts to applying the public key to the signature, which reveals the hash the CA signed. That hash covers the to-be-signed portion of the certificate (tbsCertificate), not the signature block itself.

Q11. When you select to cache Certificate Revocation Lists (CRLs) on the VPN concentrator, where are they stored?

Answer: Enabling CRL caching lets the concentrator keep CRLs in volatile memory. The cache does not survive a reboot and must be rebuilt from the CA's distribution points afterwards.

Q12. With CRL caching disabled, how does a VPN concentrator check a certificate’s serial number against a CRL?

Answer: When caching is disabled, the VPN concentrator must request a CRL from one of the CA’s distribution points each time it needs to check a certificate’s serial number.

Q13. Using the VPN Manager, where would you look to check the status of a certificate enrollment process?

Answer: To check the status of a certificate enrollment process using the VPN Manager, select Administration | Certificate Management from the table of contents. The last section on this screen displays enrollment status.

Q14. When configuring digital certificate support on a VPN concentrator, where do you identify which certificate to use for Internet Key Exchange (IKE) Phase 1 negotiations?

Answer: When configuring digital certificate support on a VPN concentrator, the certificate to use is identified on the Configuration | Policy Management | Traffic Management | Security Associations | Add/Modify screen.

Q15. What must be in place on a client’s PC before you can configure the VPN Client for certificate support?

Answer: Before you can configure the VPN Client for certificate support, you must install a root certificate and an identity certificate in the browser.

Q16. Which screen do you use to enable the use of digital certificates for device authentication during IKE Phase 1 negotiations?

Answer: The Authentication tab on the Properties page for a defined connection permits you to select between using preshared keys and digital certificates for IKE Phase 1 authentication.

Q18. What two methods are available on the VPN concentrator for installing certificates obtained through manual enrollment?

Answer: To install certificates obtained through manual enrollment, you can either paste the text of the PEM-encoded file into the VPN Manager or upload the file from your workstation.

Q19. What could cause a digital certificate to be revoked by the CA?

Answer: The CA might revoke a certificate if the user's distinguished name changes, if the certificate's private key is (or is suspected to be) compromised, or if the device holding the key is taken out of service.

Q20. What are the two types of CA structures?

Answer: The two types of CA structures are the central CA structure and the hierarchical CA structure.

Q21. During the authentication process, where does a VPN concentrator find the original hash that the CA calculated for an identity certificate?

Answer: The VPN concentrator recovers the original hash from the digital signature on the identity certificate. The signature is checked with the CA's public key taken from the root certificate; for RSA this amounts to applying the public key to the signature, which reveals the hash the CA signed. That hash covers the to-be-signed portion of the certificate (tbsCertificate), not the signature block itself.

Q22. During manual SCEP authentication, how is the request transmitted to the CA?

Answer: With manual SCEP authentication, the certificate request itself still travels to the CA over SCEP (an HTTP exchange). What is manual is the identity check: the CA holds the request as pending until an administrator verifies the requester out of band (by phone, e-mail, in person, or by comparing a fingerprint of the request), and the concentrator keeps polling until the CA issues or rejects the certificate.

Q23. What Public Key Cryptography Standard is used to request enrollment with a CA?

Answer: PKCS #10 is the standard form generally used to request certificate enrollment with a CA.

Q24. What is the first certificate that must be installed on a VPN concentrator before you can install any other certificates from a given CA?

Answer: You must install the root certificate from a CA before you can install any other certificates from that CA on a VPN concentrator.

Q25. When configuring digital certificate support on a VPN concentrator, where do you identify which certificate to use for IKE Phase 1 negotiations?

Answer: When configuring digital certificate support on a VPN concentrator, the certificate to use is identified on the Configuration | Policy Management | Traffic Management | Security Associations | Add/Modify screen.

Q26. After a VPN peer receives an identity certificate from its partner during IKE Phase 1, the peer calculates a hash of the certificate. What does the peer compare this hash against to verify that the certificate has not been altered?

Answer: After calculating a hash over the certificate's to-be-signed portion, the peer checks the signature on the certificate with the public key of the root CA taken from the root certificate; for RSA this reveals the hash the root calculated when it signed. If the two hash values match, the certificate was signed by that CA and has not been altered since; if they differ, the certificate must be rejected.

Q27. Where does a VPN concentrator obtain the root CA’s public key?

Answer: The VPN concentrator obtains the root CA’s public key from the root certificate.

Q28. What entity is responsible for generating the PKI public/private key pair for a requesting host?

Answer: The host itself must generate the PKI public/private key pair and include the public key with the enrollment request sent to the CA.

Q29. In the VPN Manager, where do you identify that you want to use RSA Digital Certificates for IKE Phase 1 authentication?

Answer: In the VPN Manager, you can select RSA Digital Certificates as the method for IKE Phase 1 authentication from the IKE Proposals screen.

Q30. What three tests does a VPN concentrator perform on a partner’s identity certificate before performing the authentication process?

Answer: The VPN concentrator validates the partner’s identity certificate before authentication by verifying that the certificate was signed by a trusted CA, that the certificate has not expired, and that the certificate has not been revoked.

Q31. Which version of the X.509 standard identity certificate permits extensions?

Answer: X.509 version 3 permits extensions.

Q32. What is RSA Keon?

Answer: RSA Keon is a CA application that runs on Solaris, Windows 2000, and Windows NT.

Q33. When does the Click here to install a CA certificate option appear on the Administration | Certificate Management screen of the VPN Manager?

Answer: The Click here to install a CA certificate option appears on the Administration | Certificate Management screen until you have installed the first CA certificate.

Q34. The VPN concentrator is certified to work with three Internet-based CAs. Which CAs are they?

Answer: The VPN concentrator is certified to work with these Internet-based CAs: Entrust, VeriSign, and Baltimore.

Q35. What elements make up the X.500 distinguished name?

Answer: Six fields make up the X.500 distinguished name: Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State/Province (SP), and Country (C).

Q36. Which screen do you use to enable the use of digital certificates for device authentication during IKE Phase 1 negotiations?

Answer: The Authentication tab on the Properties page for a defined connection permits you to select between using preshared keys and digital certificates for IKE Phase 1 authentication.

Q37. What two enrollment methods are available on a VPN concentrator?

Answer: The VPN concentrator allows you to perform a manual enrollment using a PKCS #10 request or an automated enrollment using SCEP.

Q38. What field in the certificate request should match the IPSec group name on the VPN concentrator?

Answer: The Organization Unit (OU) should match the IPSec group name on the VPN concentrator.

Q39. When are SSL certificates required on a VPN concentrator?

Answer: SSL certificates are required on a VPN concentrator when you want to establish secure communications between the concentrator and the browser on the administrator’s workstation.

Q40. What are the three types of certificates involved in the digital certificate process?

Answer: The three types of certificates involved in the digital certificate process are the root, identity, and issuing certificates.

Q41. What is a CRL?

Answer: A CRL is a Certificate Revocation List. It lists, by serial number, the certificates the CA has revoked, together with the date each was revoked, and it is signed by the CA so that a peer can verify it with the same CA public key. A CA's CRL covers only certificates that CA itself issued; checking a certificate against another CA's CRL proves nothing.

Q42. When you select to cache CRLs on the VPN concentrator, where are they stored?

Answer: Enabling CRL caching lets the concentrator keep CRLs in volatile memory. The cache does not survive a reboot and must be rebuilt from the CA's distribution points afterwards.

Q43. What default algorithm type and key size does the VPN concentrator use on the certificate request?

Answer: The VPN concentrator defaults to RSA with a 512-bit key on the certificate request. That default dates from the product's era; 512-bit RSA moduli have been factored publicly and give no real protection, so raise the key size on the enrollment form (2048 bits is the usual minimum today) before submitting the request.

Q44. Using the VPN Manager, where would you look to check the status of a certificate enrollment process?

Answer: To check the status of a certificate enrollment process using the VPN Manager, select Administration | Certificate Management from the table of contents. The last section on this screen displays enrollment status.

Q45. What is a root certificate?

Answer: A root certificate is a special form of the identity certificate that is self-signed by the root CA and contains the public key of the root CA. This certificate is used by VPN peers to authenticate their partner’s identity certificate.

Q46. Where are you asked to supply a challenge password during the enrollment process?

Answer: The enrollment of an identity certificate through SCEP requests that you enter the challenge password.

Q47. How is the validity period of a digital certificate specified?

Answer: The validity period of a digital certificate is specified with a starting date and time (notBefore) and an ending date and time (notAfter); a peer rejects the certificate outside that window, which is why the concentrator's clock must be correct.

Q48. With CRL caching disabled, how does a VPN concentrator check a certificate’s serial number against a CRL?

Answer: When caching is disabled, the VPN concentrator must request a CRL from one of the CA’s distribution points each time it needs to check a certificate’s serial number.

Q49. SCEP has two authentication methods available between a requester and the CA. What are those two methods?

Answer: The two SCEP authentication methods are manual authentication and preshared key authentication.
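The questions above describe the pieces of the enrollment and validation flow one at a time. The script below is an added example, not code from the original page or from Cisco: it reproduces the same flow with the openssl command line so that each artifact can be inspected, covering key generation and the PKCS #10 request with an OU set to the group name (Q1 to Q5), the PEM file that gets pasted into the concentrator (Q18), the hash-recovery check a peer performs on an identity certificate (Q10, Q26), the three validation tests (Q30), and revocation through a CRL (Q12, Q19, Q41). The CA name, DN values, the group name "remote-group" and the serial number 0x1001 are constructed for the example; it assumes only a POSIX shell and the openssl binary, and it goes beyond the page by actually issuing and revoking a certificate rather than describing it.

```shell
#!/bin/sh
# Added example, not taken from the original page or from Cisco: the
# manual-enrollment, validation and revocation flow from this FAQ, reproduced
# with the openssl command line so every artifact can be inspected. The CA name,
# DN values, group name "remote-group" and serial 0x1001 are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
GROUP="remote-group"   # assumed IPSec group name on the concentrator (Q2)

# Q45/Q7: the root certificate is self-signed and carries the CA's public key,
# which is all a peer needs to check signatures made by that CA (Q9).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Lab Root CA/O=Example Corp/C=US" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -in "$WORK/ca.pem" -pubkey -noout > "$WORK/ca.pub"
}

# Q5/Q1/Q3: the host generates its own key pair and a PKCS #10 request carrying
# the six DN fields; openssl spells the concentrator's "SP" field "ST".
# 2048-bit RSA instead of the concentrator's legacy 512-bit default (Q4).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpnuser1/OU=$GROUP/O=Example Corp/L=Austin/ST=Texas/C=US" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
}

# The CA turns the request into a one-year identity certificate (Q47); the PEM
# file is what gets cut and pasted into the concentrator (Q18).
issue_identity() {
  openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 0x1001 -days 365 -sha256 -out "$WORK/host.pem" 2>/dev/null
  openssl x509 -in "$WORK/host.pem" -outform DER -out "$WORK/host.der"
}
pem_header() { head -n 1 "$WORK/host.pem"; }
cert_serial() { openssl x509 -in "$WORK/host.pem" -noout -serial | sed 's/^serial=//'; }
cert_ou() {  # the OU the concentrator maps to a group (Q2)
  openssl x509 -in "$WORK/host.pem" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

# Q10/Q26 by hand. A certificate is SEQUENCE { tbsCertificate, sigAlg, BIT STRING }.
# Print "offset headerlen contentlen" of the first depth-1 element matching $1.
d1_elem() {
  openssl asn1parse -in "$WORK/host.der" -inform DER |
    awk -v pat="$1" '$1 ~ /:d=1$/ && $0 ~ pat { sub(/:d=1$/, "", $1); sub(/hl=/, "", $2); print $1, $2, $4; exit }'
}
tbs_hash() {  # SHA-256 over the full DER of tbsCertificate, header included
  set -- $(d1_elem "cons: SEQUENCE")
  dd if="$WORK/host.der" of="$WORK/tbs.der" bs=1 skip="$1" count=$(($2 + $3)) 2>/dev/null
  openssl dgst -sha256 -r "$WORK/tbs.der" | awk '{print $1}'
}
recovered_hash() {  # apply the CA public key to the signature; the hash is the DigestInfo tail
  set -- $(d1_elem "BIT STRING")
  dd if="$WORK/host.der" of="$WORK/sig.bin" bs=1 skip=$(($1 + $2 + 1)) count=$(($3 - 1)) 2>/dev/null
  openssl pkeyutl -verifyrecover -pubin -inkey "$WORK/ca.pub" -in "$WORK/sig.bin" |
    tail -c 32 | od -An -tx1 | tr -d ' \n'
}

# Q30: trusted signer, validity period and (with -crl_check) revocation status.
verify_identity() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/host.pem" >/dev/null 2>&1; }
verify_with_crl() {
  cat "$WORK/ca.pem" "$WORK/crl.pem" > "$WORK/ca_and_crl.pem"
  openssl verify -crl_check -CAfile "$WORK/ca_and_crl.pem" "$WORK/host.pem" >/dev/null 2>&1
}

# Q41/Q19/Q12: a minimal CA database so the CA can revoke and publish a CRL.
gen_crl() {
  if [ ! -f "$WORK/ca.cnf" ]; then
    : > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
    printf '[ca]\ndefault_ca=lab\n[lab]\ndatabase=%s/index.txt\ncrlnumber=%s/crlnumber\n' "$WORK" "$WORK" > "$WORK/ca.cnf"
    printf 'certificate=%s/ca.pem\nprivate_key=%s/ca.key\ndefault_md=sha256\ndefault_crl_days=30\n' "$WORK" "$WORK" >> "$WORK/ca.cnf"
  fi
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}
revoke_identity() { openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/host.pem" 2>/dev/null; gen_crl; }
crl_lists_serial() { openssl crl -in "$WORK/crl.pem" -noout -text | grep -q "Serial Number: $(cert_serial)"; }

run_demo() {
  make_root_ca; make_csr; issue_identity; gen_crl
  [ "$(tbs_hash)" = "$(recovered_hash)" ] && echo "hash in signature matches hash of tbsCertificate"
  verify_with_crl && echo "identity certificate valid and not revoked (OU=$(cert_ou))"
  revoke_identity
  verify_with_crl || echo "identity certificate serial $(cert_serial) now revoked"
}
run_demo
```

The hash comparison in `tbs_hash` and `recovered_hash` is the step the FAQ calls "decrypting the signature": `pkeyutl -verifyrecover` applies the CA's public key to the raw RSA signature and strips the PKCS #1 padding, leaving the DigestInfo whose last 32 bytes are the SHA-256 the CA signed. In practice you would let `openssl dgst -verify` or the concentrator do this, but seeing the two hashes line up makes clear why the root certificate (and nothing else) is what a peer needs to trust. The last two lines of `run_demo` show the difference between a certificate that is merely well-signed and one that is still acceptable: once the serial appears in the CRL, the same certificate fails `verify_with_crl` while `verify_identity`, which never consults the CRL, still reports it as good.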

About the author

Scott