07-10-2003 05:27 AM - edited 02-21-2020 10:07 AM
We have a VPN Concentrator 3000. Users securely connect to the concentrator to access Network resources. In order to improve security we have configured the concentrator to use digital certificates to authenticate VPN users, and for users to authenticate the concentrator.
LGCSB have a PKI Infrastructure in 2 levels. We have a root CA that uses a 4096 bit key for maximum security; we also have a subordinate CA (issuing CA) that uses a 2048 bit key.
In order to allow VPN users to authenticate via certificates, the users and the concentrator must trust the certificate from the Root CA. On the workstations (VPN clients) this is a simple procedure. However, on the concentrator, when we install the Root CA Certificate it fails: the error is "Error installing trusted certificate: Unable to install trusted certificate". In the event log we receive an error which states: "Unable to load trusted certificate, reason = Unable to install trusted certificate".
A few tests confirm that the concentrator has a problem with any CA certificate that has a key strength greater than 2048.
Using a 4096 bit key is critical (and recommended) to the secure transactions that our organisation use day-to-day, so it is not possible to re-configure our PKI infrastructure.
Your advice or solutions are much appreciated.
Thanks
Regards
Brent Arkley
07-10-2003 07:35 PM
The concentrator does not currently support keys longer than 2048 bits. This is due to a HW limitation of the encryption module in the concentrator where the key generation is done.
07-18-2003 07:53 AM
Do the PIX Firewalls support this key length?