CCNP Security VPN FAQ: Configuring Cisco VPN 3000 for Remote Access Using Digital Certificates
Q1. What Public Key Cryptography Standard (PKCS) is used to enroll with a CA?
Q2. What field in the certificate request should match the IPSec group name on the VPN concentrator?
Q3. What elements make up the X.500 distinguished name?
Q4. What default algorithm type and key size does the VPN concentrator use on the certificate request?
Q5. What entity is responsible for generating the Public Key Infrastructure (PKI) public/private key pair for a requesting host?
Q6. When are Secure Sockets Layer (SSL) certificates required on a VPN concentrator?
Q7. What is the first certificate that must be installed on a VPN concentrator before you can install any other certificates from a given CA?
Q8. What two enrollment methods are available on a VPN concentrator?
Q9. Where does a VPN concentrator obtain the root CA’s public key?
Q10. During the authentication process, where does a VPN concentrator find the original hash that the CA calculated for an identity certificate?
Q11. When you select to cache Certificate Revocation Lists (CRLs) on the VPN concentrator, where are they stored?
Q12. With CRL caching disabled, how does a VPN concentrator check a certificate’s serial number against a CRL?
Q13. Using the VPN Manager, where would you look to check the status of a certificate enrollment process?
Q14. When configuring digital certificate support on a VPN concentrator, where do you identify which certificate to use for Internet Key Exchange (IKE) Phase 1 negotiations?
Q15. What must be in place on a client’s PC before you can configure the VPN Client for certificate support?
Q16. Which screen do you use to enable the use of digital certificates for device authentication during IKE Phase 1 negotiations?
Q17. What must be in place on a client’s PC before you can configure the VPN Client for certificate support?
Q18. What two methods are available on the VPN concentrator for installing certificates obtained through manual enrollment?
Q19. What could cause a digital certificate to be revoked by the CA?
Q20. What are the two types of CA structures?
Q21. During the authentication process, where does a VPN concentrator find the original hash that the CA calculated for an identity certificate?
Q22. During manual SCEP authentication, how is the request transmitted to the CA?
Q23. What Public Key Cryptography Standard is used to request enrollment with a CA?
Q24. What is the first certificate that must be installed on a VPN concentrator before you can install any other certificates from a given CA?
Q25. When configuring digital certificate support on a VPN concentrator, where do you identify which certificate to use for IKE Phase 1 negotiations?
Q26. After a VPN peer receives an identity certificate from its partner during IKE Phase 1, the peer calculates a hash of the certificate. What does the peer compare this hash against to verify that the certificate has not been altered?
Q27. Where does a VPN concentrator obtain the root CA’s public key?
Q28. What entity is responsible for generating the PKI public/private key pair for a requesting host?
Q29. In the VPN Manager, where do you identify that you want to use RSA Digital Certificates for IKE Phase 1 authentication?
Q30. What three tests does a VPN concentrator perform on a partner’s identity certificate before performing the authentication process?
Q31. Which version of the X.509 standard identity certificate permits extensions?
Q32. What is RSA Keon?
Q33. When does the "Click here to install a CA certificate" option appear on the Administration | Certificate Management screen of the VPN Manager?
Q34. The VPN concentrator is certified to work with three Internet-based CAs. Which CAs are they?
Q35. What elements make up the X.500 distinguished name?
Q36. Which screen do you use to enable the use of digital certificates for device authentication during IKE Phase 1 negotiations?
Q37. What two enrollment methods are available on a VPN concentrator?
Q38. What field in the certificate request should match the IPSec group name on the VPN concentrator?
Q39. When are SSL certificates required on a VPN concentrator?
Q40. What are the three types of certificates involved in the digital certificate process?
Q41. What is a CRL?
Q42. When you select to cache CRLs on the VPN concentrator, where are they stored?
Q43. What default algorithm type and key size does the VPN concentrator use on the certificate request?
Q44. Using the VPN Manager, where would you look to check the status of a certificate enrollment process?
Q45. What is a root certificate?
Q46. Where are you asked to supply a challenge password during the enrollment process?
Q47. How is the validity period of a digital certificate specified?
Q48. With CRL caching disabled, how does a VPN concentrator check a certificate’s serial number against a CRL?
Q49. SCEP has two authentication methods available between a requester and the CA. What are those two methods?