
Switch from PSK to certificate

ayussuf
Level 1

How can I change from a PSK-based RA configuration to a locally assigned certificate-based configuration?

Thank you in advance for your assistance.

4 Replies

Mohammad Alhyari
Cisco Employee

Hi,

welcome to the world of PKI (public key infrastructure)

when moving to the world of certificates, generally you need to have the following:

1- a Certificate authority that will issue certificates to the clients, and this can be:

- any valid public certificate authority
- your OWN Microsoft CA server
- the beloved IOS CA server (your own CISCO router).

2- a client enrolling for the certificate:

this can be done on a CISCO IOS router either using:

- SCEP: simple certificate enrollment protocol (uses HTTP port 80)
- or manual enrollment (copy and paste)

3- a protocol to carry the certificates and do the authentication, which is IKE

so changes will be:

- authenticate the CA certificate on all of your clients
- enroll each client with its own certificate
- change the IKE policy to use the certificate authentication; it is rsa-sig under the isakmp policy definition.

for a basic knowledge about certificates:

http://en.wikipedia.org/wiki/Public_key_certificate

manual certificate enrollment (TFTP and cut and paste):

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftmancrt.html

configure and enroll a cisco router to another cisco router:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080210cdc.shtml

Digital certificates PKI for VPN:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html

HTH

Mohammad.
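As an added illustration (this is not Mohammad's configuration and not taken from a Cisco document), the three changes he lists look roughly like this on an IOS remote-access gateway that enrolls over SCEP. The trustpoint, key-pair, profile, certificate-map and AAA list names (LAB-CA, VPN-KEYS, RA-PROFILE, RA-CERT-MAP, RA-XAUTH, RA-AUTHZ), the CA URL and the subject names are hypothetical placeholders; the "before" block is only a sketch of the PSK setup being replaced.

```cisco
! --- BEFORE (sketch): pre-shared-key remote-access authentication ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
crypto isakmp client configuration group RA-USERS
 key <group-psk-placeholder>
 pool RA-POOL

! --- AFTER: certificate (rsa-sig) authentication ---
! AAA lists so Xauth (username/password) and group authorization still apply
aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-AUTHZ local
username vpnuser secret <password-placeholder>
!
! 1. RSA key pair that the gateway certificate will be bound to
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
!
! 2. Trustpoint pointing at the CA's SCEP URL (hypothetical hostname)
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.test:80
 subject-name CN=vpn-gw.example.test,OU=VPN
 revocation-check crl
 rsakeypair VPN-KEYS
!
! 3. Fetch and verify the CA certificate (compare the fingerprint IOS prints
!    against the one obtained from the CA operator out of band), then enroll
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA
!
! 4. Switch the IKE policy from pre-share to rsa-sig
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! 5. Accept only peer certificates issued by LAB-CA whose subject carries the
!    VPN OU; other valid certificates from the same CA are rejected
crypto pki certificate map RA-CERT-MAP 10
 subject-name co ou = vpn
!
crypto isakmp profile RA-PROFILE
 ca trust-point LAB-CA
 match certificate RA-CERT-MAP
 client authentication list RA-XAUTH
 isakmp authorization list RA-AUTHZ
 client configuration address respond
!
! Verification
show crypto pki certificates
show crypto isakmp sa
```

The existing dynamic crypto map is bound to the profile with `set isakmp-profile RA-PROFILE`, so the transform sets do not change. Two points matter for security: `crypto pki authenticate` is the step where a wrong CA fingerprint would let any issuer impersonate the CA, so confirm it out of band rather than just answering yes; and `revocation-check crl` only protects you if the CRL distribution point in the certificates is reachable from the gateway, otherwise IKE negotiations fail or, if it is changed to `none`, revoked client certificates keep working.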

Does each client need their own certificate?

yes you need.

I have an MS CA server which is currently issuing to every user.

I want to use the PSK, the certificate, and the users still have to enter the username and password.

If not, can I just use the certificate and the username and password?